Configuring SSL/TLS certificate exchange between two Cloudera Manager instances

Replication Manager configures replication peers between two clusters before running the replication job. You can manually set up an SSL/TLS certificate exchange between the two Cloudera Manager instances that manage the source and target clusters, respectively. Replication Manager uses this information to set up the peers for secure data replication.

  1. Go to the truststore location in the source Cloudera Manager, and perform the following steps:
    1. List the contents of the keystore file, supplying its password, using the [***keytool path***] -list -keystore [***truststore JKS file location***] -storepass [***truststore password***] command.

      For example, /usr/lib/jvm/java-openjdk-11/bin/keytool -list -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -storepass [***truststore password***]

    2. Export the certificate contents in the host to a file using the [***keytool***] -exportcert -keystore [***truststore JKS file location***] -alias [***cm_alias_on_src_cm***] -file ./[***TXT file, for example: source-cert.txt***] -storepass [***truststore_password***] command.

      For example, /usr/java/default/bin/keytool -exportcert -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-0 -file ./source-cert.txt -storepass [***truststore_password***]

    3. Copy the text file to all the hosts of the target cluster Cloudera Manager securely using the scp -i [***PEM file***] [***TXT file - source-cert.txt***] root@[***host_ip***]:/home/ command.
    4. Import the certificate into the keystore file on all the hosts of the target cluster Cloudera Manager using the [***keytool***] -importcert -noprompt -v -trustcacerts -keystore [***truststore JKS file location***] -alias [***cm_alias_on_dest_cm***] -file ./[***TXT file - source-cert.txt***] -storepass [***truststore_password***] command.

      For example, /usr/java/default/bin/keytool -importcert -noprompt -v -trustcacerts -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-1 -file ./source-cert.txt -storepass [***truststore_password***]

  2. Go to the truststore location in the target Cloudera Manager, and perform the following steps:
    1. List the contents of the keystore file, supplying its password, using the [***keytool path***] -list -keystore [***truststore JKS file location***] -storepass [***truststore password***] command.
    2. Export the certificate contents in the host to a file using the [***keytool***] -exportcert -keystore [***truststore JKS file location***] -alias [***cm_alias_on_dest_cm***] -file ./[***TXT file, for example: dest-cert.txt***] -storepass [***truststore_password***] command.
    3. Copy the text file to all the hosts of the source cluster Cloudera Manager securely using the scp -i [***PEM file***] [***TXT file - dest-cert.txt***] root@[***host_ip***]:/home/ command.
    4. Import the certificate into the keystore file on all the hosts of the source Cloudera Manager using the [***keytool***] -importcert -noprompt -v -trustcacerts -keystore [***truststore JKS file location***] -alias [***cm_alias_on_src_cm***] -file ./[***TXT file - dest-cert.txt***] -storepass [***truststore_password***] command.
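
The import steps in both directions run keytool with -noprompt, so keytool never displays the certificate for confirmation before trusting it. As an added example (not Cloudera's own tooling), this Bash sketch compares the copied file's SHA-256 against a fingerprint obtained separately from the exporting host before it imports; the KEYTOOL and STOREPASS variables and the function names cert_sha256 and import_if_match are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Cloudera's tooling. KEYTOOL, STOREPASS and both function
# names are assumptions made for this sketch.
KEYTOOL="${KEYTOOL:-keytool}"

# Print the SHA-256 of a file in keytool's fingerprint format (AA:BB:...).
# keytool -exportcert without -rfc writes DER, so the digest of the exported
# file is the certificate fingerprint that keytool -list reports.
cert_sha256() {
  local hex
  if command -v sha256sum >/dev/null 2>&1; then
    hex=$(sha256sum "$1") || return 1
  else
    hex=$(shasum -a 256 "$1") || return 1
  fi
  hex=${hex%% *}
  printf '%s\n' "$hex" | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# usage: import_if_match <cert file> <expected fingerprint> <truststore> <alias>
# The expected fingerprint is read on the exporting host and sent separately
# from the file, because -noprompt skips keytool's own trust confirmation.
import_if_match() {
  local file=$1 expected=$2 store=$3 alias=$4 actual
  actual=$(cert_sha256 "$file") || { echo "cannot read $file" >&2; return 2; }
  # Accept the expected value with or without colons, in either case.
  expected=$(printf '%s' "$expected" | tr -d ': ' | tr 'a-f' 'A-F')
  if [ "$(printf '%s' "$actual" | tr -d ':')" != "$expected" ]; then
    echo "fingerprint mismatch for $file: got $actual" >&2
    return 1
  fi
  # -storepass:env takes the password from the STOREPASS environment variable,
  # keeping it out of the process list and shell history.
  "$KEYTOOL" -importcert -noprompt -v -trustcacerts -keystore "$store" \
    -alias "$alias" -file "$file" -storepass:env STOREPASS
}

# Run only when called with the four arguments.
if [ "$#" -eq 4 ]; then import_if_match "$@"; fi
```

Export STOREPASS in the calling shell before running the script; a mismatch returns 1 and leaves the truststore untouched.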