Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
This is the highest level of TLS security supported for Cloudera Manager Server-Agent communications, and requires you to create private keys and Certificate Signing Requests (CSR) for each cluster node. A Certificate Authority (CA) can then sign the CSR, thus providing a server certificate for each host. Agents will then need to authenticate themselves to Cloudera Manager using this server certificate.
- Approach A - Use OpenSSL to create private keys and request CA-signed certificates for every Agent on your cluster. Approach A is faster if you only need to enabling TLS for Cloudera Manager Server-Agent communication.
- Approach B - Create a Java truststore file that contains the Agent and CA certificates, and authenticate Agents against this truststore file. If you plan to enable TLS communication for all CDH services cluster-wide, including Java-based components, consider using Approach B.
Step 1: Configure TLS encryption
If you have not already done so, you must configure TLS encryption to use this third level of security. For instructions, see Configuring TLS Encryption Only for Cloudera Manager and Configuring TLS Encryption for Cloudera Manager.
Step 2: Configure TLS Verification of Server Trust by Agents
If you have not already done so, you must configure TLS Verification of Server Trust by Agents. For instructions, see Configuring TLS Authentication of Server to Agents.
Approach A: Using OpenSSL to Create Private Keys and Request Agent Certificates
If the Cloudera Manager Server is running Management Services or CDH components (and therefore, has a Cloudera Manager Agent installed), you do not need to re-create a private key for the Server host. You can follow the steps indicated in Private Key and Certificate Reuse Across Java Keystores and OpenSSL to reuse the host certificate. Follow steps 3-5 for all remaining cluster hosts.
Approach A - Step 3. Generate the private key and certificate signing request for the Agent using OpenSSL.
$ openssl req -subj '/CN=hostname.sec.cloudera.com/OU=Support/O=Cloudera/L=Denver/ST=Colorado/C=US' \ -out /opt/cloudera/security/x509/hostname.csr -new -newkey rsa:2048 \ -keyout /opt/cloudera/security/x509/hostname.key -passout pass:passwordpassword in the command above, provides a password to protect the private key file. Note the password in a safe place since you will be required to provide a key password file to the Agent to complete configuration.
Approach A - Step 4: Submit the certificate signing request to your CA and distribute the issued certificates.
$ openssl req -text -noout -verify -in /opt/cloudera/security/x509/hostname.csrThe issued certificate file can be examined with the following command.
$ openssl x509 -in /opt/cloudera/security/x509/hostname.pem -text -noout
Approach A - (Optional) Step 5: Import the OpenSSL private key and certificate into the per-host Java keystore.
You can follow the steps indicated in the reference section, Private Key and Certificate Reuse Across Java Keystores and OpenSSL for this step.
Approach B: Creating a Java Keystore and Importing Signed Agent Certificates into it
If the Cloudera Manager Server is running Management Services or CDH components (and therefore, has a Cloudera Manager Agent installed), you do not need to re-create a private key for the Server host. You can follow the steps indicated in Private Key and Certificate Reuse Across Java Keystores and OpenSSL to reuse the host certificate. Follow steps 3-5 for all remaining cluster hosts.
Approach B - Step 3: Create a Java Keystore and private key for a host
$ keytool -genkey -alias hostname -keyalg RSA -keystore \ /opt/cloudera/security/jks/hostname-keystore.jks -keysize 2048 -dname \ "CN=cmhost.sec.cloudera.com,OU=Support,O=Cloudera,L=Denver,ST=Colorado,C=US" \ -storepass password -keypass passwordpassword in the command above, provides a password to protect the private key file. Note the password in a safe place since you will be required to provide a key password file to the Agent to complete configuration.
Approach B - Step 4: Generate a certificate signing request and install the issued certificate into the Java Keystore
- Generate a Certificate Signing Request (CSR) and submit it to your CA for a signed certificate.
$ keytool -certreq -alias hostname \ -keystore /opt/cloudera/security/jks/hostname-keystore.jks \ -file /opt/cloudera/security/x509/hostname.csr \ -storepass password -keypass password
- If you are using a Private CA, make sure you first import the root CA certificate followed by the intermediary/subordinate CA certificates into the Java keystore created above.
$ keytool -import -trustcacerts -alias RootCA -keystore \ /opt/cloudera/security/jks/hostname-keystore.jks -file \ /opt/cloudera/security/CAcerts/RootCA.cer -storepass password
Repeat the following for as many subordinate/intermediary CA certificates that are presented.
$ keytool -import -trustcacerts -alias SubordinateCA -keystore \ /opt/cloudera/security/jks/hostname-keystore.jks -file \ /opt/cloudera/security/CAcerts/SubordinateCA.cer -storepass password
- Copy the issued signed certificate file provided by your CA to the location from where it will be imported by the Cloudera Manager Agent and possibly Hue.
$ cp certificate-file.cer /opt/cloudera/security/x509/hostname.pem
- Import that issued certificate file into the previously created Java keystore (.jks) with the following keytool command
$ keytool -import -trustcacerts -alias <hostname> \ -keystore /opt/cloudera/security/jks/<hostname>-keystore.jks \ -file /opt/cloudera/security/x509/<hostname>.pem -storepass password
Approach B - Step 5: Export private key from Java keystore and convert with OpenSSL for reuse by Agent.
You can follow the steps indicated in the reference section, Private Key and Certificate Reuse Across Java Keystores and OpenSSL for this step.
Step 6: Create a File that Contains the Password for the Key
The Agent reads the password from a text file, and not from command line. The password file allows you to use file permissions to protect the password. For our example the password file was created at, /etc/cloudera-scm-agent/agentkey.pw.
Step 7: Configure the Agent with its Private Key and Certificate
- On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file:
- Edit the following properties in the /etc/cloudera-scm-agent/config.ini configuration file.
Property Description client_key_file Name of the client key file. client_keypw_file Name of the client key password file, agentkey.pw client_cert_file Name of the client certificate file - Repeat these steps on every Agent host.
Step 8: Verify that steps 3-7 Were Completed for every Agent Host in Your Cluster
Step 9: Create a Truststore by Importing CA and Agent Certificates
Perform this step on the Cloudera Manager server, where the new truststore will be used to authenticate Agents.
- Create a trusted keystore using the keytool command and import the root CA certificate to this truststore.
$ keytool -import -noprompt -keystore /opt/cloudera/security/jks/truststore.jks \ -alias root_CA -file root.crt -storepass password
- Import any remaining intermediary/subordinate CA certificates into the truststore.
$ keytool -import -noprompt -keystore /opt/cloudera/security/jks/truststore.jks -alias int_CA -file intermediate-CA.pem -storepass password
- Finally, gather all the hostname.pem certificate files from all the cluster hosts to a location that can be accessed by the Cloudera Manager Server. You
can now import all the host certificates (hostname.pem), into the new truststore.
$ keytool -keystore /opt/cloudera/security/jks/truststore.jks \ -import -alias hostname -file hostname.pem -storepass password
Consider creating a for loop on a list of hostnames to speed up this process.$ for HOST in 'cat hostlist.txt'; do keytool -keystore /opt/cloudera/security/jks/truststore.jks \ -import -alias $HOST -file $HOST.pem -storepass password
Step 10: Enable Agent Authentication and Configure the Cloudera Manager Server to Use the New Truststore
- Log into the Cloudera Manager Admin Console.
- Select .
- Click the Security category.
- Configure the following TLS settings:
Setting Description Use TLS Authentication of Agents to Server Select this option to enable TLS Authentication of Agents to the Server. Path to Truststore Specify the full filesystem path to the truststore located on the Cloudera Manager Server host. For our example, /opt/cloudera/security/jks/truststore.jks Truststore Password Specify the password for the truststore. - Click Save Changes to save the settings.
Step 12: Restart the Cloudera Manager Server
$ sudo service cloudera-scm-server restart
Step 13: Restart the Cloudera Manager Agents
On every Agent host, restart the Agent:
$ sudo service cloudera-scm-agent restart
Step 14: Verify that the Server and Agents Are Communicating
In Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If they are not, you may get an error in the Server, such as a null CA chain error. This implies either the truststore doesn't contain the Agent certificate or the Agent isn't presenting the certificate. Double check all of your settings. Check the Server's log to verify whether TLS and Agent validation have been enabled correctly.