This is the documentation for Cloudera Manager 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Configuring TLS Encryption only for Cloudera Manager

Required Role:

Use the keytool to manage the public keys and certificates for the Cloudera Manager Server. Before configuring TLS security for Cloudera Manager, create a keystore, as described in the documentation at the preceding link. For example, you might use a command similar to the following:

keytool -genkey -alias jetty -keystore truststore

Step 1: Create a Cloudera Manager Server certificate.

  Warning: You must use an Oracle JDK keytool.
  1. Use keytool to generate a certificate for the Cloudera Manager Server. For example:
    $ keytool -validity 180 -keystore <path-to-keystore> -alias jetty -genkeypair -keyalg RSA
    • The -validity option specifies the certificate lifetime in number of days. If no validity value is specified, the default value is used. The default varies, but is often 90 days.
    • The <path-to-keystore> must be the path where you want to save the keystore file, and it must be a location the Cloudera Manager Server host can read.
  2. When prompted by keytool, create a password for the keystore. Save the password in a safe place.
  3. When prompted by keytool, answer the questions about you and your company accurately. The most important answer is the CN value for the question "What is your first and last name?" The CN must match the fully-qualified domain name (FQDN) or IP address of the host where the Server is running. For example, cmf.company.com or 192.168.123.101.
  Important: For the CN value, be sure to use a FQDN if possible, or a static IP address that will not change. Do not specify an IP address that will change periodically. When Agents connect to the server using TLS, they check whether the key uses the same name as the one they are using to connect to the server. If the names do not match, Agents do not heartbeat.

Step 2: Enable TLS encryption and specify Server keystore properties.

  1. Log into the Cloudera Manager Admin Console.
  2. Select Administration > Settings.
  3. Click the Security category.
  4. Configure the following TLS settings:
    Setting                        Description
    Use TLS Encryption for Agents  Enable TLS encryption between the Server and Agents.
    Path to TLS Keystore File      The full filesystem path to the keystore file.
    Keystore Password              The password for the keystore.
  5. Click Save Changes to save the settings.

Step 3: Enable and configure TLS on the Agent hosts.

To enable and configure TLS, you must specify values for the TLS properties in the /etc/cloudera-scm-agent/config.ini configuration file on all Agent hosts.
  1. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file.
  2. Edit the following property in the /etc/cloudera-scm-agent/config.ini configuration file.
    Property  Description
    use_tls   Specify 1 to enable TLS on the Agent, or 0 (zero) to disable TLS.
  3. Repeat these steps on every Agent host.
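The following POSIX sh helpers are an added example, not Cloudera's own tooling. They cover the Agent-side edit in Step 3 and the CN check behind the Important note in Step 1 (Agents only heartbeat when the certificate CN equals the name they connect to). They assume the config.ini layout in which server_host sits under [General] and use_tls under [Security], and that awk and sed are available; the keystore path at the end is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Cloudera docs). Assumed config.ini layout:
# server_host under [General], use_tls under [Security].
set -eu

# Read <key> from <section> of an INI file; prints nothing if absent.
ini_get() { # ini_get <file> <section> <key>
    awk -v sec="[$2]" -v key="$3" -F= '
        substr($0, 1, 1) == "[" { in_sec = ($0 == sec); next }
        in_sec && $1 == key     { print $2; exit }
    ' "$1"
}

# Set <key>=<value> inside <section>: replace an existing line, or append one
# at the end of that section. Other sections are left untouched; if the
# section itself is missing nothing is written.
ini_set() { # ini_set <file> <section> <key> <value>
    tmp="$1.tmp.$$"
    awk -v sec="[$2]" -v key="$3" -v val="$4" -F= '
        function emit() { if (in_sec && !done) { print key "=" val; done = 1 } }
        substr($0, 1, 1) == "[" { emit(); in_sec = ($0 == sec) }
        in_sec && $1 == key     { print key "=" val; done = 1; next }
        { print }
        END { emit() }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Step 3: turn TLS on (1) or off (0) in the Agent config.
set_use_tls() { ini_set "$1" Security use_tls "$2"; }

# Extract the CN from a "keytool -list -v" Owner line, e.g.
#   Owner: CN=cmf.company.com, OU=Ops, O=Company, C=US
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p'
}

# Returns 0 when config.ini's server_host equals the certificate CN in the
# given Owner line, 1 otherwise (the mismatch that stops Agent heartbeats).
cn_matches_server_host() { # cn_matches_server_host <config.ini> <owner-line>
    host=$(ini_get "$1" General server_host)
    cn=$(cert_cn "$2")
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# On a real Agent host (keystore path is a placeholder):
#   cn_matches_server_host /etc/cloudera-scm-agent/config.ini \
#     "$(keytool -list -v -keystore /path/to/keystore | grep '^Owner:')"
```

Run the check on each Agent host before restarting it; a non-zero exit means the CN and server_host disagree and the Agent will not heartbeat after TLS is enabled.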

Step 4: Restart the Cloudera Manager Server.

  Note: Perform this step only if you are using a self-signed server certificate.

Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.

$ sudo service cloudera-scm-server restart

Step 5: Restart the Cloudera Manager Agents.

On every Agent host, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 6: Verify that the Server and Agents are communicating.

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, TLS encryption is working properly.

Page generated September 3, 2015.