This is the documentation for Cloudera Manager 4.8.3.
Documentation for other versions is available at Cloudera Documentation.

Configuring TLS Authentication of Server to Agents

This is the second highest level of TLS security and requires that you provide a server certificate for the Server that is signed through a chain to a trusted root CA. You must also provide the certificate of the CA (Certificate Authority) that signed the Server's server certificate. If you are not working in a production environment, you can also use a self-signed server certificate.


If the Server's server certificate or the associated CA certificate is missing or expired, the Agents do not allow communications with the Server.

Step 1: Configure TLS encryption.

If you have not already done so, you must configure TLS encryption to use this second level of security. For instructions, see Configuring TLS Encryption for Cloudera Manager.

Step 2: Provide the Server's server certificate and CA certificate.

  1. If you already have the Server's server certificate, and the certificate of the CA (Certificate Authority) that signed the Server's server certificate, you can skip down to Copy the Server's server certificate to the Agents below. Alternatively, if you want to generate your own self-signed server certificate, you can use keytool to generate a public certificate for the Server by typing the following command on the Server host:
    $ keytool -validity 180 -keystore <path-to-keystore> -alias jetty -genkeypair -keyalg RSA
  2. When prompted by keytool, create a password for the keystore. Save the password in a safe place.
  3. When prompted by keytool, fill in the answers accurately to the questions to describe you and your company. The most important answer is the CN value for the question "What is your first and last name?" The CN must match the fully-qualified domain name (FQDN) or IP address of the host machine where the Server is running. For example, or

    For the CN value, be sure to use a FQDN if possible, or a static IP address that will not change. Do not specify an IP address that will change periodically. When agents connect to the server using TLS, they check whether the key uses the same name as the one they are using to connect to the server. If the names do not match, agents do not heartbeat.

  4. On the Server machine, run the following command to export the server certificate from your keystore in the binary DER format:
    $ keytool -exportcert -keystore <path-to-keystore> -alias jetty -file server.der
  5. Convert the binary DER format to a .pem file that can be used on the Agents by using openssl (available for download here.)
    $ openssl x509 -out server.pem -in server.der -inform der

Step 3: Copy the Server's server .pem file to the Agents.

  1. Copy the Server's server .pem file (for example, server.pem) to the Agent machine in any directory. For example, copy the .pem file to /etc/cmf.
  2. On the Agent Host machine, open the /etc/cloudera-scm-agent/config.ini configuration file:
  3. Edit the following property in the /etc/cloudera-scm-agent/config.ini configuration file.




    Enter the path to the Server's server .pem file. For example, /etc/cmf/server.pem.

  4. Repeat these steps on every Agent Machine.

Step 4: Restart the Cloudera Manager Agents.

On every Agent Host machine, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 5: Verify that the Server and Agents are communicating.

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If not, check the Agent log /var/log/cloudera-scm-agent/cloudera-scm-agent.log which shows errors if the connection fails.