Manual configuration for Ranger RAZ certificates

When configuring custom TLS certificates on a Cloudera on premises deployment with Ranger RAZ enabled, administrators must manually upload the Ranger RAZ CA certificate.

By design, a Virtual Warehouse within Cloudera Data Warehouse fetches its trusted certificates from the Cloudera Management Console during provisioning. The Ranger RAZ CA certificate is not included by default, because strict service isolation boundaries prevent automated certificate propagation. If it is left unconfigured, TLS handshakes with Ranger RAZ fail, which blocks data operations such as INSERT queries against external tables stored in S3.

To ensure proper cross-service communication, use the steps below to fetch the Ranger RAZ CA certificate and import it into the Management Console as a Miscellaneous certificate type.

  1. From a terminal that has network access to the Ranger RAZ host, run the following openssl command to extract its certificate. General form:
    echo | openssl s_client -showcerts -connect <RAZ_HOST>:<RAZ_PORT> 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <PATH_TO_SAVED_CA_CERT>
     For example:
    echo | openssl s_client -showcerts -connect kg-rzmtr-1.kg-rzmtr.root.hwx.site:6082 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/ranger_raz_ca.crt
  2. Add the certificate to the Cloudera Management Console:
    1. In the Cloudera Management Console, navigate to Administration > CA Certificates.
    2. Click Add/Import.
    3. Select the CA Certificate Type as Miscellaneous.
    4. Click Choose file to upload the fetched certificate.
    5. Click Add certificate.
The Ranger RAZ certificate is displayed in the CA Certificates tab.
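As an added check that is not part of Cloudera's documentation: the sed range in step 1 keeps every certificate the RAZ host presents (leaf, intermediates and, only if the server sends it, the root), so before uploading, split the saved bundle and confirm which entry is the self-signed CA rather than a leaf. The script assumes the openssl CLI is installed; the host, port and file names are placeholders.

```shell
#!/bin/sh
# Hypothetical helper for the procedure above; not Cloudera's own code.
set -eu

# Same pipeline as the documented step 1: saves every PEM block the server sends.
fetch_chain() {  # fetch_chain HOST PORT OUTFILE
    echo | openssl s_client -showcerts -connect "$1:$2" 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

# Split a PEM bundle into OUTDIR/cert-N.pem (server order); prints the count.
split_chain() {  # split_chain BUNDLE OUTDIR
    mkdir -p "$2"
    awk -v dir="$2" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem" }
        out != ""             { print > out }
        /-END CERTIFICATE-/   { close(out); out = "" }
        END                   { print n + 0 }' "$1"
}

# Exit 0 when subject equals issuer, i.e. a self-signed root CA candidate.
is_self_signed() {  # is_self_signed CERTFILE
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Show subject, issuer and SHA-256 fingerprint so the uploaded entry can be
# compared with what the CA Certificates tab displays afterwards.
describe_cert() {  # describe_cert CERTFILE
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
    if is_self_signed "$1"; then
        echo "  -> self-signed: CA root candidate for the Miscellaneous upload"
    else
        echo "  -> not self-signed: leaf or intermediate, not a trust anchor"
    fi
}

# Usage: ./check_raz_chain.sh <RAZ_HOST> <RAZ_PORT>
if [ "$#" -eq 2 ]; then
    bundle=$(mktemp); dir=$(mktemp -d)
    fetch_chain "$1" "$2" "$bundle"
    count=$(split_chain "$bundle" "$dir")
    echo "server sent $count certificate(s)"
    for f in "$dir"/cert-*.pem; do echo "== $f"; describe_cert "$f"; done
    [ "$count" -gt 1 ] || echo "WARNING: only one certificate returned; the CA may not be in the chain"
fi
```

If no entry is reported as self-signed, the RAZ host did not send its root; obtain the CA certificate from the cluster's own TLS configuration instead of uploading the leaf.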