Configuring Cloudera Manager Clusters for TLS/SSL

As discussed in TLS/SSL Overview, TLS/SSL is a security protocol designed to prevent eavesdropping, tampering, and message forgery by encrypting network communications. It also supports authentication of host certificates prior to encryption, to prevent spoofing.

Cloudera recommends that clusters deployed in a production environment, whether on-premises or in the cloud, be configured for TLS Level 3, the most secure of the three levels, because it authenticates not only the Cloudera Manager Server host certificate but also the Cloudera Manager Agent host certificates before encrypting the communications.

When TLS is enabled for any of the services running on the cluster, it must be enabled for all services. For example, if the cluster supports HDFS, MapReduce, and YARN and TLS/SSL has been enabled for the HDFS service, MapReduce and YARN must also have TLS/SSL enabled.

Cloudera Levels for TLS/SSL Support

The three increasingly secure TLS levels are shown in the table below.

| Level | Description and configuration process |
|---|---|
| Level 1 (Minimal) | Encrypted communications between a Web browser and Cloudera Manager, and between Agents and Cloudera Manager. This level encrypts connections between a Web browser running the Cloudera Manager Admin Console and the Cloudera Manager Server. |
| Level 2 (Better) | Encrypted communications (as with Level 1), plus Agents verify the authenticity of the Cloudera Manager Server's TLS certificate. |
| Level 3 (Best) | Encrypted communications (as with Level 1) and Cloudera Manager Server certificate presentation (as with Level 2), plus each Agent presents a certificate to the Cloudera Manager Server to verify its identity and prevent spoofing by untrusted Agents running on hosts. For a start-to-finish configuration guide for Level 3 TLS, see How to Configure TLS Encryption for Cloudera Manager. |

As shown in the table, TLS levels are cumulative: Level 1 must be configured before Level 2, and Level 2 must be configured before Level 3. To configure your cluster for Level 3, follow the fast-path instructions in How to Configure TLS Encryption for Cloudera Manager.
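The three levels map directly onto the verification settings of the two TLS endpoints, the Agent (TLS client) and the Cloudera Manager Server (TLS server). The following added example, which is not Cloudera's code and uses only the Python standard library, builds the per-level settings and classifies a pair of them, including the cumulative rule that an Agent which skips server verification stays at Level 1 even if the Server demands a client certificate. No certificates or hosts are loaded; it inspects configuration only.

```python
import ssl

# Added example (not Cloudera's code): express the Cloudera TLS levels as
# ssl.SSLContext verification settings. Certificate paths in comments are
# placeholders; nothing is loaded, so these contexts are inspected, not used
# to connect.

def agent_context(level: int) -> ssl.SSLContext:
    """Agent-side (TLS client) settings for the requested level."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if level == 1:
        # Level 1: encrypt only. The Agent does not check who it is talking to,
        # so a spoofed Server would be accepted. check_hostname must be cleared
        # before verify_mode can be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # Level 2 and 3: the Agent verifies the Server certificate against a
        # trusted CA (ctx.load_verify_locations("<ca.pem>") in a real deployment)
        # and checks that the certificate matches the Server hostname.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def server_context(level: int) -> ssl.SSLContext:
    """Cloudera Manager Server-side (TLS server) settings for the requested level."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # At every level the Server presents its own certificate:
    # ctx.load_cert_chain("<server.pem>", "<server.key>") in a real deployment.
    if level >= 3:
        # Level 3: the Server demands and verifies an Agent certificate
        # (mutual TLS), which is what blocks untrusted Agents.
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(agent: ssl.SSLContext, server: ssl.SSLContext) -> int:
    """Return the highest Cloudera TLS level this Agent/Server pair satisfies.

    Levels are cumulative: server-side client-certificate enforcement only
    counts as Level 3 when the Agent already verifies the Server (Level 2).
    """
    level = 1  # any TLS connection at all gives Level 1 encryption
    if agent.verify_mode == ssl.CERT_REQUIRED and agent.check_hostname:
        level = 2
        if server.verify_mode == ssl.CERT_REQUIRED:
            level = 3
    return level
```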

TLS/SSL Configuration and Kerberos Integration

To configure a Cloudera Manager cluster for TLS/SSL and to integrate that cluster with Kerberos, Cloudera recommends that you configure TLS Level 1 for the cluster before integrating Kerberos, so that sensitive material such as keytabs is sent over encrypted connections. With encryption configured, any keytabs that are intercepted will not be readable. The recommended sequence is as follows:
  1. Configure TLS/SSL for encryption (through Level 1):
  2. Integrate the cluster with your organization's Kerberos deployment:
  3. Continue configuring TLS/SSL for certificate authentication (Level 2, Level 3):

Plan ahead for the Kerberos integration as part of the TLS/SSL configuration if that is your goal for the cluster. To integrate the cluster with your Kerberos or Active Directory, you must have admin privileges on those systems or help from your organization's Kerberos or Active Directory administrator for that part of the process.

Unless you have experience with both Cloudera Manager clusters and TLS/SSL, consider setting up a complete Cloudera Manager cluster without TLS/SSL.