Configuring TLS/SSL for Navigator Audit Server
Cloudera Navigator supports TLS/SSL encryption for network communications between the Navigator Audit Server and clients, such as the Cloudera Manager. Configuring TLS/SSL encryption for Navigator Audit Server includes three parts:
- Configure a dedicated truststore in Cloudera Manager.
If you haven't already done this, see Step 4: Enable Agent Certificate Authentication in the Cloudera Manager TLS setup instructions.
This step is important because Cloudera Manager won't use the JDK alternate truststore for connecting to Navigator Audit Server. An explicit truststore needs to be set in the Cloudera Manager configuration, including the root CA certificate signing the Navigator Audit Server server certificate. If this configuration isn't in place, you'll see a "Server error" message when accessing the Audits tab in the Cloudera Navigator console.
- Make sure the server key and certificate are on the Navigator Audit Server host.
Typically, when TLS is enabled for Cloudera Manager Service, it is likely that the server key and certificate already exist on the specific host running the Navigator Audit Server role. If Navigator Audit Server is deployed on a separate host and the key and certificate are not present, then a keystore and truststore need to be created using the instructions in How To Obtain and Deploy Keys and Certificates for TLS/SSL.
- Use Cloudera Manager to configure Navigator Audit Server TLS settings, including pointing to the server key and certificate you identified in the previous step.
- Log in to the Cloudera Manager Admin Console.
- Select Clusters > Cloudera Management Service.
- Click the Configuration tab.
- Select Scope > Navigator Audit Server.
- Select Category > Security.
- Edit the following properties according to your cluster configuration.
Property Description Enable TLS/SSL for Navigator Audit Server Encrypt network communications between clients and Navigator Audit Server using TLS/SSL. TLS/SSL Keystore File Location The path to the keystore file containing the server private key and certificate. The keystore must be in JKS format. TLS/SSL Keystore File Password The password for the Navigator Audit Server JKS keystore file. TLS/SSL Keystore Key Password The password for the private key contained in the JKS keystore. Navigator TLS/SSL Certificate Trust Store File The path to the trust store. The trust store is used when Navigator is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead. Navigator TLS/SSL Certificate Trust Store Password The password for the Navigator TLS/SSL Certificate Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file.
- Click Save Changes.
- Restart the Navigator Audit Server role.