Manually Configuring TLS Encryption on the Agent Listening Port

The agent listening port (TCP Port 9000) of a Cloudera Manager Agent can be secured with TLS. This port is used for retrieving diagnostic and log information.

The requirements for a Cloudera Manager Agent to enable the agent listening port are as follows:
  • The following properties must be defined in the config.ini file of the Cloudera Manager Agent: use_tls=1, verify_cert_file, client_cert_file, client_key_file, and client_keypw_file. For details, see Agent Configuration File.
  • An encryption key must be configured.
  • A certificate must be configured.

The main requirement for the Cloudera Manager Server to connect with TLS to the agent listening port is as follows:

The Cloudera Manager TLS/SSL Client Trust Store File property must be configured to specify the CA certificate using which all the agent certificates are signed.
To verify whether the agent listening port is secured with TLS, run the following command:
openssl s_client -connect <hostname>:9000
If the output of this command includes a server certificate in PEM format, then the port is secured with TLS.