Level 1: Configuring TLS Encryption for Cloudera Manager Agents

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

Prerequisite:

This section assumes you have already completed the steps described in Configuring TLS Encryption Only for Cloudera Manager.

Step 1: Enable Agent Connections to Cloudera Manager to use TLS

In this step you enable the TLS properties that govern connections from the Cloudera Manager Agents to the Cloudera Manager Server.

  1. Log into the Cloudera Manager Admin Console.
  2. Select Administration > Settings.
  3. Click the Security category.
  4. Configure the following TLS settings in the Cloudera Manager Server:
    Property: Use TLS Encryption for Agents
    Description: Enable TLS encryption for Agents connecting to the Server. The Agents still connect to the agent listener port defined for Cloudera Manager (default: 7182); with this property enabled, TLS connections are negotiated on that port.
  5. Click Save Changes.

Step 2: Enable and Configure TLS on the Agent Hosts

To enable and configure TLS, you must specify values for the TLS properties in the /etc/cloudera-scm-agent/config.ini configuration file on all Agent hosts.
  1. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file.
  2. Edit the following property in the /etc/cloudera-scm-agent/config.ini configuration file.
    Property: use_tls
    Description: Specify 1 to enable TLS on the Agent, or 0 (zero) to disable TLS.
  3. Repeat these steps on every Agent host. You may copy the Agent's config.ini file to all hosts, because by default the file contains no host-specific information. If you modify properties such as listening_hostname or listening_ip in config.ini, you must configure the file separately on each host.
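
The Step 2 edit as a repeatable per-host script, added here as an example and not taken from Cloudera's documentation or tooling. The function names, the sample file contents (including the [General] and [Security] section layout) and the host name cm.example.internal are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Cloudera's tooling): Step 2 as a repeatable per-host edit.

# Effective use_tls value: the last uncommented assignment, or "unset".
agent_tls_value() {
    v=$(sed -n -E 's/^[[:space:]]*use_tls[[:space:]]*=[[:space:]]*([^[:space:]#;]*).*/\1/p' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# True when the file carries per-host settings and must not be copied between hosts.
is_host_specific() {
    grep -Eq '^[[:space:]]*listening_(hostname|ip)[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Set use_tls=1 in place, keeping FILE.bak. Rewrites the active use_tls line,
# or uncomments the first commented one; never guesses where to add a new key.
enable_agent_tls() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    [ "$(agent_tls_value "$conf")" = "1" ] && return 0    # already enabled
    n=$(grep -n -E '^[[:space:]]*use_tls[[:space:]]*=' "$conf" | tail -n 1 | cut -d: -f1)
    [ -n "$n" ] || n=$(grep -n -E '^[[:space:]]*[#;][[:space:]]*use_tls[[:space:]]*=' "$conf" | head -n 1 | cut -d: -f1)
    if [ -z "$n" ]; then
        echo "no use_tls line in $conf; add it by hand" >&2
        return 3
    fi
    cp -p "$conf" "$conf.bak" || return 1
    sed "${n}s/.*/use_tls=1/" "$conf.bak" > "$conf"
    [ "$(agent_tls_value "$conf")" = "1" ]                # confirm the edit took
}

# Constructed sample input: a minimal config.ini, not a real Agent file.
write_sample_config() {
    cat > "$1" <<'EOF'
[General]
server_host=cm.example.internal
# listening_hostname=
[Security]
# Use TLS and certificate validation when connecting to the CM server.
use_tls=0
EOF
}
```

On an Agent host, source the script and run enable_agent_tls /etc/cloudera-scm-agent/config.ini as root before the Step 4 restart; check is_host_specific on the file before copying it to other hosts.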

Step 3: Restart the Cloudera Manager Server

Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.

$ sudo service cloudera-scm-server restart

Step 4: Restart the Cloudera Manager Agents

On every Agent host, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 5: Verify that the Server and Agents are Communicating

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, TLS encryption is working properly.