Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate
Required Role: Cluster Administrator or Full Administrator
Level 2 TLS ensures that all Cloudera Manager Agent host systems check the validity of the certificate presented by Cloudera Manager Server during the TLS handshake. If the certificate is missing or expired, or if its authenticity cannot be verified through the associated CA chain, the agent aborts the connection, thus ensuring that Cloudera Manager Agent hosts are not spoofed by a bogus server.
Prerequisites
Step 1: Modifying the Cloudera Manager Agent Configuration File
- Use a text editor to open the configuration file, located in this path:
/etc/cloudera-scm-agent/config.ini
- In the [Security] section, find this text:
[Security]
...
# verify_cert_file=/opt/cloudera/security/pki/rootca.cert.pem
- Remove the comment marker (#) from the verify_cert_file line so that the setting takes effect, and make sure the path points to the certificate of the CA that signed the Cloudera Manager Server's certificate (the default path is shown above). With this setting active, the agent rejects any server certificate that it cannot validate against that CA.
- Apply this change to each Cloudera Manager Agent host's configuration file. You can do this in one of two ways:
- Modify each host's configuration file;
- Modify one host's configuration file and then copy that file to all other hosts in the cluster. Take this approach only if none of the hosts already has customizations in its configuration file, such as a non-default listening_hostname or listening_ip value. By default, config.ini contains no host-specific details.
Step 2: Restart the Cloudera Manager Server
On the Cloudera Manager Server host:
Launch a terminal session and use the command line to restart the server and activate the TLS configuration, as shown below:
$ sudo service cloudera-scm-server restart
Step 3: Restart the Cloudera Manager Agents
On each Cloudera Manager Agent host:
Restart the Cloudera Manager Agent daemon as shown below:
$ sudo service cloudera-scm-agent restart
Step 4: Check Cloudera Manager Server-Agent Communications
- Open the Cloudera Manager Admin Console.
- Select .
- Open the Last Heartbeat filter to see its status. This status should be Good, meaning that the server and agent hosts are communicating successfully.
If the status is not Good, check the agent log on the affected host for certificate validation errors:
/var/log/cloudera-scm-agent/cloudera-scm-agent.log
$ sudo su
# cd /var/log/cloudera-scm-agent
- Select .
- Open the Select Sources drop-down selector, and deselect all sources except for .
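As an added example (not Cloudera's own tooling), the following POSIX shell functions audit an agent host's config.ini for the Level 2 setting from Step 1 and give a quick local diagnosis when the Step 4 heartbeat status is not Good: they read the active verify_cert_file value from the [Security] section only, ignoring commented-out lines, and confirm that the referenced CA file exists and is a PEM certificate. The config path and return codes are this example's own conventions.

```bash
#!/bin/sh
# Audit one Cloudera Manager Agent config.ini for Level 2 TLS.
# Return codes (this example's convention):
#   0 = verify_cert_file is active in [Security] and the CA file is a readable PEM cert
#   1 = verify_cert_file is absent or still commented out (server cert not validated)
#   2 = verify_cert_file is set but the file is missing or unreadable on this host
#   3 = verify_cert_file points at a file that is not a PEM certificate

# Print the active (uncommented) verify_cert_file value from the [Security]
# section; print nothing if there is none. A "# verify_cert_file=..." line,
# or a value placed in another section, is deliberately not honoured.
agent_verify_cert_file() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[Security\]/); next }
        in_sec && /^[ \t]*verify_cert_file[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Usage: check_agent_tls_level2 /etc/cloudera-scm-agent/config.ini
check_agent_tls_level2() {
    cfg="$1"
    ca=$(agent_verify_cert_file "$cfg")
    if [ -z "$ca" ]; then
        echo "$cfg: verify_cert_file not enabled; agent will accept any server certificate"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "$cfg: verify_cert_file=$ca is missing or unreadable; heartbeats will fail"
        return 2
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
        echo "$cfg: verify_cert_file=$ca is not a PEM certificate"
        return 3
    fi
    echo "$cfg: verify_cert_file=$ca (present, PEM)"
    return 0
}
```

Run it on every agent host before restarting the agents; any non-zero result explains a Last Heartbeat status that never becomes Good.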