Using Self-Signed Certificates for TLS

Self-signed certificates should not be used for production deployments. However, for testing and other non-production purposes, self-signed certificates let you quickly obtain the certificates needed for Step 1: Create the Cloudera Manager Server Keystore, Generate a Certificate Request, and Install the Certificate.

Replace paths, file names, aliases, and other examples in the commands below for your system.

Create a directory to store the self-signed certificate-key pair that you will create.
```
$ mkdir -p /opt/cloudera/security/x509/ /opt/cloudera/security/jks/
$ cd /opt/cloudera/security/jks
```
Use chmod/chown to change ownership of the /opt/cloudera/security/jks directory to give Cloudera Manager access to the directory.
Generate the key pair and self-signed certificate, and store these in the keystore (example.keystore). Set -keypass and -storepass to the same value: Cloudera Manager does not support different keypass and storepass values.
Note: For CN, use the FQDN of the Cloudera Manager Server host to avoid a java.io.IOException: HTTPS hostname wrong exception.
```
$ keytool -genkeypair -keystore example.keystore -keyalg RSA -alias cmhost \
-dname "CN=cmhost.sec.example.com,OU=Security,O=Example,L=Denver,ST=Colorado,C=US" -storepass password -keypass password
```
Copy the default Java truststore (cacerts) to the alternate system truststore (jssecacerts). Self-signed certificates are appended to jssecacerts without modifying the default cacerts file.
```
$ sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
```

Export the certificate from the keystore (example.keystore).

$ keytool -export -alias cmhost -keystore example.keystore -rfc -file selfsigned.cer

Copy the self-signed certificate (selfsigned.cer) to the /opt/cloudera/security/x509/ directory.
```
$ cp selfsigned.cer /opt/cloudera/security/x509/cmhost.pem
```
Import the public key into the alternate system truststore (jssecacerts), so that any process that runs with Java on this machine will trust the key. The default password for the Java truststore is changeit. Do not use the password created for the keystore in Step 2.
```
$ keytool -import -alias cmhost -file /opt/cloudera/security/jks/selfsigned.cer \
-keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit
```
Important: Repeat this process on each machine in the cluster.
Rename the keystore, such as from example.keystore to cmhost-keystore.jks:
```
$ mv /opt/cloudera/security/jks/example.keystore /opt/cloudera/security/jks/cmhost-keystore.jks
```
You can also delete the certificate: it has been added to the keystore at /opt/cloudera/security/x509/cmhost.pem.
```
$ rm /opt/cloudera/security/selfsigned.cer
```

The self-signed certificate set up is complete. You can continue configuring TLS Level 1 as detailed in Step 2: Enable HTTPS for the Cloudera Manager Admin Console and Specify Server Keystore Properties.

Categories: SSL | Security | TLS | All Categories