Level 0: Basic TLS/SSL Configuration

Configuring a Cloudera Manager cluster to use TLS for encrypted network and intra-cluster communications is a multi-step process involving a variety of tasks and tools, including using Linux shell commands on the Cloudera Manager Server host system, configuring the Cloudera Manager Agent host's configuration files, and using the Cloudera Manager Admin Console to enable TLS/SSL capabilities. Completing these tasks requires that you have:
  • Privileges as user root (able to sudo) on the hosts that comprise the cluster;
  • Cloudera Manager Admin Console role of Cluster Administrator or Full Administrator.

Cloudera Management Service and TLS/SSL

Configuring TLS/SSL on any server affects how clients interact with that server. For browsers, which communicate over HTTP, TLS/SSL configured on a server host redirects traffic from the HTTP port (7180) to the secure HTTP port, HTTPS (7183). When TLS Level 0 configuration is complete, the Cloudera Management Service roles are enabled for TLS encryption.

Cloudera Management Service Roles and HTTPS Communications

Cloudera Management Service is transparently installed during the Cloudera Management Server installation. It is a service available from the Cloudera Manager Admin Console that can be enabled or disabled. The service comprises several distinct roles for monitoring and reporting, as shown in the table. When the system starts, the Cloudera Management Service roles connect to the Cloudera Manager Server and access the truststore to validate the Cloudera Manager Server's certificate and complete the TLS/SSL connection.
HTTPS Client Web servers (HTTPS Service)
Role Cloudera Manager Server Name Node Job Tracker Oozie Impala YARN
Activity Monitor ~ ~ ~
Host Monitor ~ ~ ~ ~ ~
Service Monitor ~
Event Server ~ ~ ~ ~ ~
Reports Manager ~ ~ ~ ~
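
The following check is an added example, not part of the Cloudera documentation: it covers the HTTP-to-HTTPS redirect (7180 to 7183) and the certificate validation against the truststore described above. The host name and the PEM export of the truststore (ca_pem) are assumptions.

```python
"""Added example: post-configuration checks for the behaviour described above."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

HTTP_PORT, HTTPS_PORT = 7180, 7183  # ports named on this page


def redirect_is_secure(status, location, host):
    """True only if the response redirects to https://<host>:7183."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    try:
        target = urlsplit(location)
        port = target.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return (target.scheme == "https"
            and (target.hostname or "").lower() == host.lower()
            and port == HTTPS_PORT)


def probe_redirect(host, timeout=5):
    """Request / on the plain HTTP port without following the redirect."""
    conn = http.client.HTTPConnection(host, HTTP_PORT, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return redirect_is_secure(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


def probe_certificate(host, ca_pem, timeout=5):
    """Handshake on the HTTPS port, trusting only the CAs in ca_pem.

    ca_pem is an assumed PEM export of the truststore. A broken chain or a
    host name mismatch raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((host, HTTPS_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```

Run probe_redirect and probe_certificate from a cluster host against the Cloudera Manager Server host name; a redirect that stays on HTTP, points at another host, or omits port 7183 is reported as False.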

Level 0 comprises the preliminary tasks that will be used in subsequent levels. The tasks include: