Configuring TLS Authentication of Server to Agents
This is the second highest level of TLS security and requires that you provide a server certificate for the Server that is signed through a chain to a trusted root CA. You must also provide the certificate of the CA (Certificate Authority) that signed the Server's server certificate. If you are not working in a production environment, you can also use a self-signed server certificate.
If the Server's server certificate or the associated CA certificate is missing or expired, the Agents do not allow communications with the Server.
Step 1: Configure TLS encryption.
If you have not already done so, you must configure TLS encryption to use this second level of security. For instructions, see Configuring TLS Encryption for Cloudera Manager.
Step 2: Provide the Server's server certificate and CA certificate.
- If you already have the Server's server certificate, and the certificate of the CA (Certificate Authority) that signed the Server's server certificate, you can skip down to Step 3: Copy the Server's server .pem file to the Agents below. Alternatively, if you want to generate your own self-signed server certificate, you can use keytool to generate a public certificate for the Server by typing the following command on the Server host:
$ keytool -validity 180 -keystore <path-to-keystore> -alias jetty -genkeypair -keyalg RSA
- When prompted by keytool, create a password for the keystore. Save the password in a safe place.
- When prompted by keytool, fill in the answers accurately to the questions that describe you and your company. The most important answer is the CN value for the question "What is your first and last name?" The CN must match the fully-qualified domain name (FQDN) or IP address of the host machine where the Server is running. For example, cmf.company.com or 192.168.123.101.
For the CN value, be sure to use a FQDN if possible, or a static IP address that will not change. Do not specify an IP address that will change periodically. When Agents connect to the Server using TLS, they check whether the name in the Server's certificate matches the name they use to connect to the Server. If the names do not match, the Agents do not heartbeat.
- On the Server machine, run the following command to export the server certificate from your keystore in the binary DER format:
$ keytool -exportcert -keystore <path-to-keystore> -alias jetty -file server.der
- Convert the binary DER format to a .pem file that can be used on the Agents by using openssl:
$ openssl x509 -out server.pem -in server.der -inform der
Step 3: Copy the Server's server .pem file to the Agents.
- Copy the Server's server .pem file (for example, server.pem) to the Agent machine in any directory. For example, copy the .pem file to /etc/cmf.
- On the Agent Host machine, open the /etc/cloudera-scm-agent/config.ini configuration file.
- Edit the following property in /etc/cloudera-scm-agent/config.ini, entering the path to the Server's server .pem file. For example, /etc/cmf/server.pem.
- Repeat these steps on every Agent Machine.
Step 4: Restart the Cloudera Manager Agents.
On every Agent Host machine, restart the Agent:
$ sudo service cloudera-scm-agent restart
Step 5: Verify that the Server and Agents are communicating.
In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If not, check the Agent log, /var/log/cloudera-scm-agent/cloudera-scm-agent.log, which shows errors if the connection fails.
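The two conditions that stop Agents from heartbeating (a certificate that has expired and a CN or SAN that does not match the name the Agents connect with) can be checked on the Server host before server.pem is copied out. The following preflight script is an added example, not part of the Cloudera documentation; it assumes only openssl on the PATH and takes the .pem path, the FQDN or IP the Agents will use, and an optional minimum remaining validity in days.

```shell
#!/bin/sh
# Preflight check for the Server's server.pem before it is copied to the Agents.
# Added example (not Cloudera's code). Assumed arguments:
#   $1 path to server.pem
#   $2 the FQDN or IP address the Agents use to reach the Server
#   $3 optional minimum remaining validity in days (default 30)
# Exit status 0 means the Agents should accept this certificate for that name.
check_server_pem() {
  pem="$1"; expected="$2"; min_days="${3:-30}"

  # Must be a parseable PEM certificate (the output of openssl x509 -out server.pem).
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo "ERROR: $pem is not a PEM-encoded X.509 certificate" >&2; return 1
  fi

  # Expired, or expiring within min_days: Agents stop communicating once it lapses.
  if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "ERROR: $pem is expired or expires within $min_days days" >&2; return 1
  fi

  # Names the certificate is valid for: the subject CN plus any DNS/IP SANs.
  cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  sans=$(openssl x509 -in "$pem" -noout -text |
         grep -A1 'Subject Alternative Name' | tail -n 1 |
         tr ',' '\n' | sed -n 's/^ *DNS://p; s/^ *IP Address://p')

  # Agents compare the name they connect with against the certificate; a mismatch
  # means no heartbeat, so fail loudly here instead of after deployment.
  for name in $cn $sans; do
    if [ "$name" = "$expected" ]; then
      echo "OK: $pem is valid for $expected"; return 0
    fi
  done
  echo "ERROR: $pem names [$cn $sans] do not include $expected" >&2
  return 1
}

# Usage: check_server_pem /etc/cmf/server.pem cmf.company.com
if [ "$#" -ge 2 ]; then check_server_pem "$@"; fi
```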