Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
This is the highest level of TLS security supported for Cloudera Manager Server-Agent communications, and requires you to create private keys and Certificate Signing Requests (CSR) for each cluster node. A Certificate Authority (CA) can then sign the CSR, thus providing a server certificate for each host. Agents will then need to authenticate themselves to Cloudera Manager using this server certificate.
- Approach A - Use OpenSSL to create private keys and request CA-signed certificates for every Agent on your cluster. Approach A is faster if you only need to enable TLS for Cloudera Manager Server-Agent communication.
- Approach B - Create a Java truststore file that contains the Agent and CA certificates, and authenticate Agents against this truststore file. If you plan to enable TLS communication for all CDH services cluster-wide, including Java-based components, consider using Approach B.
Steps for creating self-signed certificates are not included. Self-signed certificates are not recommended for production environments.
Step 1: Configure TLS encryption
If you have not already done so, you must configure TLS encryption to use this third level of security. For instructions, see Configuring TLS (Encryption Only) for Cloudera Manager and Configuring TLS Encryption for Cloudera Manager.
Step 2: Configure TLS Verification of Server Trust by Agents
If you have not already done so, you must configure TLS Verification of Server Trust by Agents. For instructions, see Configuring TLS Authentication of Server to Agents.
Approach A: Using OpenSSL to Create Private Keys and Request Agent Certificates
If the Cloudera Manager Server is running Management Services or CDH components (and therefore, has a Cloudera Manager Agent installed), you do not need to re-create a private key for the Server host. Follow the steps in Private Key and Certificate Reuse Across Java Keystores and OpenSSL to reuse the host certificate. Follow steps 3-5 for all remaining cluster hosts.
Approach A - Step 3: Generate the private key and certificate signing request for the Agent using OpenSSL.
Agents will authenticate themselves to the Cloudera Manager Server using the certificate issued in this step. However, it's possible that the issued certificate only has the TLS Web Server Authentication flag set, and not the TLS Web Client Authentication flag. Such certificates cannot be used by Cloudera Manager Agents to identify themselves as clients to the Cloudera Manager Server. To make sure Agents can use the issued certificates, you must request explicitly make this request when you generate the CSR as follows:
- Create a local copy of the default openssl.cnf file, usually found at /etc/pki/tls/openssl.cnf (this may change according
to your OS).
cp /etc/pki/tls/openssl.cnf ./myopenssl.cnf
- Add the following section to the end of the file:
cat >> ./myopenssl.cnf <<EOF [ cloudera_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth EOF
- Run the following command on the Agent, replacing hostname with your actual hostname. The -subj command line option allows
you to provide the certificate subject as a single line. If you do not specify the certificate subject (-subj) as an argument, you will be prompted for the values of
the certificate subject information. In that case, use the host FQDN that Agents will use to connect from in the subject First and Last name (CN) question prompt.
Country (C) requires a 2 letter country code. The "/" is replaced with "," in the actual CSR and private key file.
$ openssl req -subj '/CN=hostname.sec.cloudera.com/OU=Support/O=Cloudera/L=Denver/ST=Colorado/C=US' \ -config ./myopenssl.cnf -reqexts cloudera_req \ -out /opt/cloudera/security/x509/hostname.csr -new -newkey rsa:2048 \ -keyout /opt/cloudera/security/x509/hostname.key -passout pass:password
password provides a password to protect the private key file. Keep the password in a safe place; you must provide a key password file to the Agent to complete configuration.
Approach A - Step 4: Submit the certificate signing request to your CA and distribute the issued certificates.
$ openssl req -text -noout -verify -in /opt/cloudera/security/x509/hostname.csrExamine the issued certificate to make sure the requested attributes are present under the X509v3 Extended Key Usage field.
$ openssl x509 -in /opt/cloudera/security/x509/hostname.pem -text -noout ... X509v3 Extended Key Usage: TLS Web Server Authentication TLS Web Client Authentication ...If the certificate does not have both TLS Web Server Authentication and TLS Web Client Authentication flags set, you will need to explicitly add the Agent's certificate to the Cloudera Manager Server truststore. This can be done when you create the Cloudera Manager Server truststore in Step 9.
Approach A - Step 5 (Optional): Import the OpenSSL private key and certificate into the per-host Java keystore.
Follow the steps in Private Key and Certificate Reuse Across Java Keystores and OpenSSL for this step.
Approach B: Creating a Java Keystore and Importing Signed Agent Certificates into it
If the Cloudera Manager Server is running Management Services or CDH components (and therefore, has a Cloudera Manager Agent installed), you do not need to re-create a private key for the Server host. Follow the steps in Private Key and Certificate Reuse Across Java Keystores and OpenSSL to reuse the host certificate. Follow steps 3-5 for all remaining cluster hosts.
Approach B - Step 3: Create a Java Keystore and private key for a host
$ keytool -genkeypair -alias hostname -keyalg RSA -keystore \ /opt/cloudera/security/jks/hostname-keystore.jks -keysize 2048 -dname \ "CN=cmhost.sec.cloudera.com,OU=Support,O=Cloudera,L=Denver,ST=Colorado,C=US" \ -storepass password -keypass passwordpassword provides a password to protect the private key file. Set -keypass to the same value as -storepass. Cloudera Manager assumes that the same password is used to access both the key and the keystore, and therefore, does not support separate values for -keypass and -storepass.
Note the password in a safe place; you must provide a key password file to the Agent to complete configuration.
Approach B - Step 4: Generate a certificate signing request and install the issued certificate into the Java Keystore
- Generate a certificate signing request (CSR) and submit it to your CA for a signed certificate. Use keytool's extended attributes to request both
serverAuth and clientAuth.
$ keytool -certreq -alias hostname \ -keystore /opt/cloudera/security/jks/hostname-keystore.jks \ -file /opt/cloudera/security/x509/hostname.csr \ -ext EKU=serverAuth,clientAuth \ -storepass password -keypass password
- Examine the keystore to make sure the requested options are present under the ExtendedKeyUsages section.
$ keytool -list -v -keystore hostname-keystore.jks ... ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ serverAuth clientAuth ...
If the keystore still does not have both serverAuth and clientAuth attributes set, you will need to explicitly add the Agent's certificate to the Cloudera Manager Server truststore. This can be done when you create the Cloudera Manager Server truststore in Step 9. - If you are using a Private CA, first import the root CA certificate followed by the intermediary/subordinate CA certificates into the Java keystore created previously.
$ keytool -importcert -trustcacerts -alias RootCA -keystore \ /opt/cloudera/security/jks/hostname-keystore.jks -file \ /opt/cloudera/security/CAcerts/RootCA.cer -storepass password
Repeat the following for all subordinate/intermediary CA certificates presented.
$ keytool -importcert -trustcacerts -alias SubordinateCA -keystore \ /opt/cloudera/security/jks/hostname-keystore.jks -file \ /opt/cloudera/security/CAcerts/SubordinateCA.cer -storepass password
- Copy the issued signed certificate file provided by your CA to the location from where it will be imported by the Cloudera Manager Agent and possibly Hue.
$ cp certificate-file.cer /opt/cloudera/security/x509/hostname.pem
- Import the issued certificate file into the previously created Java keystore (.jks) with the following command:
$ keytool -import -trustcacerts -alias <hostname> \ -keystore /opt/cloudera/security/jks/<hostname>-keystore.jks \ -file /opt/cloudera/security/x509/<hostname>.pem -storepass password
Approach B - Step 5: Export the private key from the Java keystore and convert it with OpenSSL for reuse by Agent
Follow the steps in Private Key and Certificate Reuse Across Java Keystores and OpenSSL.
Step 6: Create a File that Contains the Password for the Key
The Agent reads the password from a text file, not from the command line. The password file allows you to use file permissions to protect the password. For our example the password file was created at, /etc/cloudera-scm-agent/agentkey.pw.
Step 7: Configure the Agent with its Private Key and Certificate
- On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties:
Property Description client_key_file Name of the client key file. client_keypw_file Name of the client key password file, agentkey.pw. client_cert_file Name of the client certificate file. - Repeat these steps on every Agent host.
Step 8: Verify that steps 3-7 were Completed for every Agent Host in Your Cluster
Make sure each Agent's private key and certificate that you import into the Cloudera Manager Server's truststore is unique.
Step 9: Create a Truststore by Importing CA and Agent Certificates
Perform this step on the Cloudera Manager Server, where the new truststore is used to authenticate Agents.
Create a new truststore file (/opt/cloudera/security/jks/truststore.jks) and import the CA root and intermediary/subordinate certificates to this truststore. The new truststore functions like a keystore, containing only certificates and no private key.
- Create a trusted keystore using the keytool command and import the root CA certificate to this truststore.
$ keytool -importcert -noprompt -keystore /opt/cloudera/security/jks/truststore.jks \ -alias root_CA -file root.crt -storepass password
- Import any remaining intermediary/subordinate CA certificates into the truststore.
$ keytool -importcert -noprompt -keystore /opt/cloudera/security/jks/truststore.jks -alias int_CA -file intermediate-CA.pem -storepass password
-
Save the hostname.pem certificate files from all cluster hosts in a single location. Import these host certificates (hostname.pem) into
the new Cloudera Manager Server truststore.
$ keytool -keystore /opt/cloudera/security/jks/truststore.jks \ -importcert -alias hostname -file hostname.pem -storepass password
Consider creating a for loop on a list of hostnames to speed up this process.$ for HOST in 'cat hostlist.txt'; do keytool -keystore /opt/cloudera/security/jks/truststore.jks \ -importcert -alias $HOST -file $HOST.pem -storepass password
Step 10: Enable Agent Authentication and Configure the Cloudera Manager Server to Use the New Truststore
- Log into the Cloudera Manager Admin Console.
- Select .
- Click the Security category.
- Configure the following TLS settings:
Setting Description Use TLS Authentication of Agents to Server Select this option to enable TLS authentication of Agents to the Server. Path to Truststore Specify the full filesystem path to the truststore located on the Cloudera Manager Server host; in the example, /opt/cloudera/security/jks/truststore.jks Truststore Password Specify the password for the truststore. - Click Save Changes to save the settings.
Step 11: Restart the Cloudera Manager Server
$ sudo service cloudera-scm-server restart
Step 12: Restart the Cloudera Manager Agents
On every Agent host, restart the Agent:
$ sudo service cloudera-scm-agent restart
Step 13: Verify that the Server and Agents Are Communicating
In Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If they are not, you may see an error in the Server, such as a null CA chain error. This implies that either the truststore does not contain the Agent certificate, or the Agent is not presenting the certificate. Check all of your settings, and check the Server log to verify that TLS and Agent validation have been enabled correctly.