Cloudera Docs

Rotating database certificates

AWS requires the rotation of the SSL/TLS certificates used for secure communication between CDP Public Cloud Data Lakes and certain Data Hubs and the external AWS RDS database instances that they rely on. CDP Public Cloud provides multiple options to perform the required RDS certificate rotation.

Cloudera Data Platform (CDP) Public Cloud Data Lakes and certain Data Hubs rely on Amazon Web Services (AWS) Relational Database Service (RDS) database instances that are provisioned by CDP during the creation of the respective resources. Similarly to other compute resources, these database instances are created in the cloud accounts of customers. The deployed CDP resources use a secure connection to communicate with the database using the SSL/TLS certificates issued by AWS.

SSL/TLS certificates used by Amazon RDS instances created before December 2022 are potentially using certificates that will expire in 2024. Amazon RDS instances with an expiring certificate require that a certification rotation is performed. This will replace the soon expiring certificate with a newer one. If the RDS certification rotation is not performed by 22nd August, 2024, Amazon will perform the rotation for each RDS instance and as a result, the affected CDP clusters will not be able to connect to the external database instances.

The actions you need to take depend on whether you have SSL enforcement enabled or disabled on the Data Lake or Data Hub cluster as shown in the Database tab of the Data Lake or Data Hub details page. This setting controls whether the database server mandates the use of an encrypted connection. It is recommended to check SSL enforcement setting on the Data Lake of your environment and separately for each Data Hub cluster.

Cloudera strongly recommends that, when SSL enforcement is enabled, you do not perform the RDS certificate rotation directly using AWS tools, as this can lead to a service degradation or an outage of CDP services using the respective database. Instead, follow the instructions below so that the new certificates can be properly installed by CDP before changing them on the database instances. Once you have performed the required steps in CDP, there are no additional actions needed in the AWS console. During the database certificate rotation, CDP will automatically make the changes required and rotate the certificate of the attached AWS RDS database.

To determine whether you have SSL enforcement enabled on your Data Lake, perform the following steps:
  1. Sign in to the CDP web interface.
  2. Navigate to Management Console > Environments.
  3. Select the environment by clicking the environment name.
  4. Click the Data Lake tab.
  5. Scroll to the bottom of the page and select Database.
Similarly, perform the following steps on each Data Hub cluster to determine whether you have SSL enforcement enabled:
  1. Sign in to the CDP web interface.
  2. Navigate to Management Console > Environments.
  3. Select the environment by clicking the environment name.
  4. Click the Data Hubs tab.
  5. Select a Data Hub.
  6. Scroll to the bottom of the Data Hub details page and select Database.

If the value for SSL is Enabled, it means SSL enforcement is enabled on your Data Lake or Data Hub cluster, and you must perform certificate rotation as described in Rotating database certificates when SSL enforcement is enabled. If the value is Disabled, no action is required on that particular Data Lake or Data Hub cluster. For further information, see Rotating database certificates when SSL enforcement is disabled.