Configuring TLS Authentication of Server to Agents and Users

This is the second highest level of TLS security and requires that you provide a server certificate for the Server that is signed through a chain to a trusted root CA. You must also provide the certificate of the CA (Certificate Authority) that signed the Server's server certificate. If you are not working in a production environment, you can also use a self-signed server certificate.

  Note:

If the Server's server certificate or the associated CA certificate is missing or expired, the Agents do not allow communications with the Server.

Step 1: Configure TLS encryption.

If you have not already done so, you must configure TLS encryption to use this second level of security. For instructions, see Configuring TLS Encryption for Cloudera Manager.

Step 2: Provide the Server's server certificate and CA certificate.

  1. If you already have the Server's server certificate, and the certificate of the CA (Certificate Authority) that signed the Server's server certificate, you can skip down to Copy the Server's server certificate to the Agents below. Alternatively, if you want to generate your own self-signed server certificate, you can use keytool to generate a public certificate for the Server by typing the following command on the Server host:
    $ keytool -validity 180 -keystore <path-to-keystore> -alias jetty -genkeypair -keyalg RSA
  2. When prompted by keytool, create a password for the keystore. Save the password in a safe place.
  3. When prompted by keytool, fill in the answers accurately to the questions to describe you and your company. The most important answer is the CN value for the question "What is your first and last name?" The CN must match the fully-qualified domain name (FQDN) or IP address of the host machine where the Server is running. For example, cmf.company.com or 192.168.123.101.
      Important:

    For the CN value, be sure to use a FQDN if possible, or a static IP address that will not change. Do not specify an IP address that will change periodically. When agents connect to the server using TLS, they check whether the key uses the same name as the one they are using to connect to the server. If the names do not match, agents do not heartbeat.

  4. On the Server machine, run the following command to export the server certificate from your keystore in the binary DER format:
    $ keytool -exportcert -keystore <path-to-keystore> -alias jetty -file server.der
  5. Convert the binary DER format to a .pem file that can be used on the Agents by using openssl (available for download here.)
    $ openssl x509 -out server.pem -in server.der -inform der

Step 3: Copy the Server's server .pem file to the Agents.

  1. Copy the Server's server .pem file (for example, server.pem) to the Agent machine in any directory. For example, copy the .pem file to /etc/cmf.
  2. On the Agent Host machine, open the /etc/cloudera-scm-agent/config.ini configuration file:
  3. Edit the following property in the /etc/cloudera-scm-agent/config.ini configuration file.

    Property

    Description

    verify_cert_file

    Enter the path to the Server's server .pem file. For example, /etc/cmf/server.pem.

  4. Repeat these steps on every Agent Machine.

Step 4: Restart the Cloudera Manager Server.

Restart the Cloudera Manager Server with the following command to activate the TLS configuration settings.

$ sudo service cloudera-scm-server restart
  Important:

To enable TLS security, you must restart the Server.

Step 5: Restart the Cloudera Manager Agents.

On every Agent Host machine, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 6: Verify that the Server and Agents are communicating.

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If not, check the Agent log /var/log/cloudera-scm-agent/cloudera-scm-agent.log which shows errors if the connection fails.

(Optional) Step 7: Enable Authentication from Server to Users

This is an optional step in which you can enable TLS authentication from the Server to Cloudera Manager users.

  Warning:

Do not enable the Use TLS Encryption for Admin Console option as described in the following instructions in this step until after you have completed the previous steps in this procedure. If you enable the Use TLS Encryption for Admin Console option before performing the previous steps, you will lose the ability to connect to the Cloudera Manager Server from the Admin Console.

  1. Log into the Cloudera Manager Admin Console.
  2. Click the gear icon images/image1.jpeg and then select the Use TLS Encryption for Admin Console option to enable TLS Authentication between the Cloudera Manager Server and the instance of Cloudera Manager that runs in your browser.
  3. Click Save Changes to save the settings.
  4. Restart the Server.
    $ sudo  service cloudera-scm-server restart
  5. Log out and then log in into Cloudera Manager to test the certificate. You may see an warning message to accept the certificate if the root certificate is not installed in your browser.
  6. Restart the Cloudera Management Services by clicking the Services link and choosing Restart on the Actions menu for the Cloudera Management Services. Click Restart that appears in the next screen to confirm. When you see a Finished status, the service has restarted.