Level 1: Configuring TLS Encryption for Cloudera Manager Agents
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
Prerequisite:
You must have completed the steps described at Configuring TLS Encryption Only for Cloudera Manager.
Step 1: Enable Agent Connections to Cloudera Manager to use TLS
In this step, you enable TLS properties for Cloudera Manager Agents and their connections to the Cloudera Manager Server. To configure agents to connect to Cloudera Manager over TLS:
- Log into the Cloudera Manager Admin Console.
- Select .
- Click the Security category.
- Configure the following TLS settings in the Cloudera Manager Server:
  Property: Use TLS Encryption for Agents
  Description: Enable TLS encryption for Agents connecting to the Server. The Agents will still connect to the defined agent listener port for Cloudera Manager (default: 7182). This property negotiates TLS connections to the service at this point.
- Click Save Changes.
Step 2: Enable and Configure TLS on the Agent Hosts
To enable and configure TLS, you must specify values for the TLS properties in the /etc/cloudera-scm-agent/config.ini configuration file on all Agent hosts.
- On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following property:
  Property: use_tls
  Description: Specify 1 to enable TLS on the Agent, or 0 (zero) to disable TLS.
- Repeat this step on every Agent host. You can copy the Agent’s config.ini file across all hosts, since by default this file does not contain host-specific information. If you modify properties such as listening_hostname or listening_ip address in config.ini, you must configure the file individually for each host.
Step 3: Restart the Cloudera Manager Server
Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.
$ sudo service cloudera-scm-server restart
Step 4: Restart the Cloudera Manager Agents
On every Agent host, restart the Agent:
$ sudo service cloudera-scm-agent restart
Step 5: Verify that the Server and Agents are Communicating
In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, TLS encryption is working properly.
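The following is an added example, not part of the Cloudera documentation: a POSIX shell helper for Step 2 that reads the effective use_tls value from a config.ini, sets it to 1 while keeping a backup, and audits copies of the file collected from several Agent hosts. The function names, the sample file contents, and the rule that the last uncommented use_tls assignment is the effective one are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Cloudera code): audit and enable use_tls in Agent config.ini.

# Print the effective use_tls value in FILE: the last uncommented assignment
# (assumption), with whitespace stripped. Prints "unset" if there is none.
get_use_tls() {
    awk -F= '
        /^[ \t]*[#;]/ { next }   # commented-out settings are ignored
        { key = $1; gsub(/[ \t\r]/, "", key) }
        key == "use_tls" { val = $2; gsub(/[ \t\r]/, "", val); found = 1 }
        END { print (found ? val : "unset") }
    ' "$1"
}

# Set use_tls to 1 in FILE, keeping the previous version as FILE.bak.
# Returns 0 if enabled, 2 if the key is missing (no guess about placement).
enable_use_tls() {
    case "$(get_use_tls "$1")" in
        1) return 0 ;;
        unset) echo "$1: no use_tls assignment found" >&2; return 2 ;;
    esac
    cp -p "$1" "$1.bak" &&
        sed 's/^\([[:space:]]*use_tls[[:space:]]*=\).*/\11/' "$1.bak" > "$1"
}

# Audit several config.ini copies (for example, one fetched from each Agent
# host). Lists every file whose use_tls is not 1; fails if any is listed.
audit_agents() {
    bad=0
    for f in "$@"; do
        v=$(get_use_tls "$f")
        [ "$v" = 1 ] || { echo "$f: use_tls=$v"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample file for the demo; host name and layout are made up.
write_sample() {
    printf '%s\n' '[General]' 'server_host=cm.example.com' 'server_port=7182' \
        '[Security]' '# use_tls=1' 'use_tls = 0' > "$1"
}

# Demo: two sample hosts, only the first one gets TLS enabled.
tmp=$(mktemp -d)
write_sample "$tmp/host1.ini"; write_sample "$tmp/host2.ini"
enable_use_tls "$tmp/host1.ini"
audit_agents "$tmp"/*.ini || echo "some agents still have TLS disabled"
```

A commented-out `# use_tls=1` line does not count as enabled, which is the case a plain grep for the key would misreport.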