Level 1: Enabling Encryption for the Cluster

Required Role: Cluster Administrator or Full Administrator

Level 1 TLS ensures that the cluster encrypts network traffic between client and server processes within the cluster, specifically between Cloudera Manager Agent hosts and the Cloudera Manager Server. This level is encryption only: Certificates are neither presented nor verified as a result of this process.

Prerequisites

The steps below assume that basic TLS configuration has been completed, specifically:

Step 1: Enable TLS Encryption for the Cloudera Manager Agents

In this step, you enable TLS properties for Cloudera Manager Agents and their connections to the Cloudera Manager Server.

  1. Log into the Cloudera Manager Admin Console.
  2. Select Administration > Settings.
  3. Click the Security category.
  4. Configure the following TLS setting in the Cloudera Manager Server:
    Property: Use TLS Encryption for Agents
    Description: Check the box to encrypt communications between Cloudera Manager Server and Cloudera Manager Agent hosts.
  5. Click Save Changes.

Step 2: Modify the Cloudera Manager Agent Configuration File

Each Cloudera Manager Agent host system in the cluster needs to have the use_tls property in its configuration file set to 1, to enable TLS (the default is 0).

  1. Use a text editor to open the configuration file, located in this path on a Cloudera Manager Agent host:
    /etc/cloudera-scm-agent/config.ini
  2. Find the [Security] section in the file and change the value of use_tls to 1, as shown below:
    [Security]
    # Use TLS and certificate validation when connecting to the CM server.
    use_tls=1
    
  3. Apply this change to each Cloudera Manager Agent host's configuration file. You can do this in one of two ways:
    • Modify each host's configuration file, as above;
    • Modify one host's configuration file and then copy that file to all other hosts in the cluster. Take this approach only if none of the hosts has customizations, such as changes from the default listening_hostname or listening_ip address, in the configuration file. By default, config.ini has no host-specific details.
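The edit in this step is easy to get wrong when scripted across many hosts (a blanket `sed` would also rewrite a `use_tls` key that happens to sit in another section, and does nothing if the key is missing). The script below is an added example, not Cloudera's own tooling: it sets `use_tls=1` only inside the `[Security]` section of a config.ini, appends the key if that section lacks it, keeps a `.bak` copy, and reads the effective value back so you can verify the change before restarting. The path is the one from this step; the sample file used in the usage section is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cloudera's own tooling): set use_tls=1 inside the
# [Security] section of a Cloudera Manager Agent config.ini, leaving every
# other section and key untouched, then read the value back to verify.
set -eu

# Print the effective use_tls value from the [Security] section of $1.
# Prints 0 when the key is absent, matching the documented default.
agent_tls_setting() {
    awk '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[Security\][[:space:]]*$/); next }
        in_sec && /^[[:space:]]*use_tls[[:space:]]*=/ {
            sub(/^[[:space:]]*use_tls[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            val = $0
        }
        END { print (val == "" ? "0" : val) }
    ' "$1"
}

# Rewrite $1 in place so that its [Security] section carries use_tls=1.
# A backup is written to $1.bak first. Only the key inside [Security] is
# changed; a use_tls key in any other section is left exactly as it was.
# If the file has no [Security] section at all, one is appended.
enable_agent_tls() {
    file=$1
    cp "$file" "$file.bak"
    awk '
        /^[[:space:]]*\[/ {
            # Leaving [Security] without having seen use_tls: append it.
            if (in_sec && !done) { print "use_tls=1"; done = 1 }
            in_sec = ($0 ~ /^[[:space:]]*\[Security\][[:space:]]*$/)
            if (in_sec) seen_sec = 1
            print; next
        }
        in_sec && /^[[:space:]]*use_tls[[:space:]]*=/ { print "use_tls=1"; done = 1; next }
        { print }
        END {
            if (in_sec && !done) print "use_tls=1"
            if (!seen_sec) { print "[Security]"; print "use_tls=1" }
        }
    ' "$file.bak" > "$file"
}

# Usage on an agent host (the path from Step 2):
#   sh enable_agent_tls.sh /etc/cloudera-scm-agent/config.ini
if [ $# -eq 1 ]; then
    enable_agent_tls "$1"
    echo "use_tls is now $(agent_tls_setting "$1")"
fi
```

Run it on each agent host (or push it out with whatever configuration management you already use), then confirm the printed value is 1 before moving on to the restarts in Steps 3 and 4. Because the script never touches keys outside `[Security]`, it is safe on hosts that carry customizations such as `listening_hostname` or `listening_ip` in `[General]`, which the copy-the-file approach above is not.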

Step 3: Restart the Cloudera Manager Server

On the Cloudera Manager Server host:

Launch a terminal session and use the command line to restart the server and activate the TLS configuration, as shown below:

$ sudo service cloudera-scm-server restart

Step 4: Restart the Cloudera Manager Agents

On each Cloudera Manager Agent host:

Restart the Cloudera Manager Agent daemon as shown below:

$ sudo service cloudera-scm-agent restart

Step 5: Check Cloudera Manager Server-Agent Communications

You can observe the start-up processes as they occur throughout the cluster, using the Cloudera Manager Admin Console, and you can check the status of the cluster's heartbeat to confirm successful communications.

  1. Open the Cloudera Manager Admin Console.
  2. Select Hosts > All Hosts.
  3. Open the Last Heartbeat filter to see its status. This status should be Good, meaning that the server and agent hosts are communicating successfully.

If the Last Heartbeat appears to have failed, you can check for error messages in the Cloudera Manager Agent log. See TLS Level 2, Step 4 for details about accessing the log.

Step 6: Integrate Kerberos (Optional)

As discussed in TLS/SSL Configuration and Kerberos Integration, if you plan to use Kerberos (MIT Kerberos, Microsoft Active Directory) for user and service authentication for the cluster, this is the point at which to integrate your organization's Kerberos service. See Enabling Kerberos Authentication Using the Wizard for details.

Although Kerberos integration is optional (and not a requirement for configuring TLS/SSL), Cloudera recommends integrating the cluster with an organization's Kerberos instance (MIT Kerberos, Active Directory).