Cloudera Enterprise 6.0.x

Configuring TLS Encryption for Cloudera Manager and CDH Using Auto-TLS

Auto-TLS, first introduced in Cloudera Manager 5.13 on Cloudera Director 2.6, is now available for on-premises clusters in Cloudera Enterprise 6.

Auto-TLS greatly simplifies the process of enabling and managing TLS encryption on your cluster. It automates the creation of an internal certificate authority (CA) and deployment of certificates across all cluster hosts. It can also automate the distribution of existing certificates, such as those signed by a public CA. Adding new cluster hosts or services to a cluster with auto-TLS enabled automatically creates and deploys the required certificates.

To configure TLS encryption manually, see Configuring TLS Encryption for Cloudera Manager.

Auto-TLS Requirements and Limitations

Auto-TLS must be enabled as part of a new installation. You cannot enable auto-TLS on an existing cluster. To enable TLS on an existing cluster, see Configuring TLS Encryption for Cloudera Manager.

You can enable auto-TLS using certificates created and managed by a Cloudera Manager certificate authority (CA), or certificates signed by a trusted public CA or your own internal CA. If you want to use a trusted public CA or your own internal CA, you must obtain all of the host certificates before enabling auto-TLS. For instructions on obtaining certificates from a CA, see Generate TLS Certificates.

The certmanager Utility

Auto-TLS is managed using the certmanager utility, which is included in the Cloudera Manager Agent software. The certmanager syntax is as follows:

/opt/cloudera/cm-agent/bin/certmanager [OPTIONS] COMMAND [ARGS]...
  • Options:
    • --location <certmanager-dir-root>

      The directory where certmanager will store all its files.

    • --help

      Displays the help message.

  • Commands:
    • add_custom_cert

      Adds a custom certificate and key for a host. Use this command only if you have configured a custom certificate directory (using the setup_custom_certdir command). You must run this command before adding a host in Cloudera Manager.

    • export_ca_cert

      Displays the Cloudera Manager internal CA certificate. You can export the certificate to a file using a redirect operator (> or >>).

    • setup

      Initializes the certificate manager and the internal CA, and configures Cloudera Manager Server to enable auto-TLS.

      • --configure-services

        Configures Cloudera Manager Server to enable autoconfiguration of TLS for CDH services, such as HDFS, YARN, and so on. If you omit this option, auto-TLS will only be configured for Cloudera Manager agent/server communication.

    • setup_custom_certdir

      Initializes the certificate manager using a custom certificate directory. Use this command if you are using existing certificates signed by a trusted public CA or your own internal CA.

Enabling Auto-TLS to Automatically Create Certificates

After installing Cloudera Manager Agent on the Cloudera Manager Server host, and before starting Cloudera Manager, enable auto-TLS as follows. If Cloudera Manager Server is running, restart it after completing this procedure.

On the Cloudera Manager Server host, initialize the certificate manager and configure Cloudera Manager Server to enable auto-TLS by running the following command:

sudo JAVA_HOME=/usr/java/jdk1.8.0_141 /opt/cloudera/cm-agent/bin/certmanager setup --configure-services

Replace the JDK version with the correct path for your environment. If you want to store the files in a directory other than the default (/var/lib/cloudera-scm-server/certmanager), add the --location option as follows:

sudo JAVA_HOME=/usr/java/jdk1.8.0_141 /opt/cloudera/cm-agent/bin/certmanager --location /path/to/alternate/directory setup --configure-services

Check the /var/log/cloudera-scm-agent/certmanager.log log file to confirm that the /var/lib/cloudera-scm-server/certmanager/* directories were created.

Continue with the installation.

Enabling Auto-TLS with Existing Certificates

Before enabling auto-TLS, make sure that you have host certificates for all cluster hosts. For instructions on obtaining certificates from a certificate authority (CA), see Generate TLS Certificates.

After installing Cloudera Manager Agent on the Cloudera Manager Server host, and before starting Cloudera Manager, enable auto-TLS as follows:

  1. Initialize the certificate manager and configure Cloudera Manager Server to enable auto-TLS, using a custom certificate directory:
    sudo JAVA_HOME=/usr/java/jdk1.8.0_141 /opt/cloudera/cm-agent/bin/certmanager --location /opt/cloudera/CMCA setup_custom_certdir --host-cert /path/to/hostcert.pem --host-key /path/to/hostkey.pem --ca-cert /path/to/cacert.pem --keystore-pw-file /path/to/keystore_pw_file --truststore-pw-file /path/to/truststore_pw_file

    Replace the JDK version with the correct path for your environment.

    Check the /var/log/cloudera-scm-agent/certmanager.log log file to confirm that the /opt/cloudera/CMCA/* directories were created.

  2. For each cluster host (with unique certificates and keys), run the following command:
    sudo JAVA_HOME=/usr/java/jdk1.8.0_141 /opt/cloudera/cm-agent/bin/certmanager --location /opt/cloudera/CMCA add_custom_cert --host-cert <host_cert> --host-key <host_key> <hostname>

    Replace the JDK version with the correct path for your environment.
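The procedure above, and the requirement stated earlier that every host certificate must be in hand before auto-TLS is enabled, both hinge on the certificate material being consistent: each host certificate must chain to the CA certificate passed to setup_custom_certdir, match its private key, cover the host's FQDN, and not be about to expire. The following script is an added example, not part of the Cloudera documentation or of the certmanager tool. It uses only openssl, assumes a hypothetical manifest file of "fqdn cert key" lines and a default location of /opt/cloudera/CMCA (taken from the commands above), and prints the add_custom_cert command for each host that passes so that nothing is handed to certmanager until the whole set checks out. The make_demo_material function builds a throwaway CA and host certificate purely so the checks can be exercised offline; JAVA_HOME is omitted from the printed commands and should be set as the page describes.

```shell
#!/usr/bin/env bash
# Pre-flight checks before certmanager setup_custom_certdir / add_custom_cert.
# Added example (not Cloudera's code): validates existing certificates with openssl.

# Verify that a CA certificate is self-signed and actually marked as a CA.
check_ca_cert() {
  local ca_cert=$1
  # A root CA must validate against itself ...
  openssl verify -CAfile "$ca_cert" "$ca_cert" >/dev/null 2>&1 \
    || { echo "$ca_cert: not a valid self-signed CA certificate" >&2; return 1; }
  # ... and carry basicConstraints CA:TRUE, or TLS clients will reject the chain.
  openssl x509 -in "$ca_cert" -noout -text | grep -q 'CA:TRUE' \
    || { echo "$ca_cert: basicConstraints CA:TRUE missing" >&2; return 1; }
}

# Verify one host's certificate and key for the given FQDN.
#   $1 host cert PEM, $2 host key PEM, $3 CA cert PEM, $4 FQDN,
#   $5 minimum remaining validity in days (default 30)
check_host_cert() {
  local host_cert=$1 host_key=$2 ca_cert=$3 fqdn=$4 min_days=${5:-30}
  local cert_pub key_pub
  # 1. The certificate must chain to the CA that Cloudera Manager will trust.
  openssl verify -CAfile "$ca_cert" "$host_cert" >/dev/null 2>&1 \
    || { echo "$fqdn: certificate does not chain to $ca_cert" >&2; return 1; }
  # 2. The private key must belong to the certificate (compare public keys).
  cert_pub=$(openssl x509 -in "$host_cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$host_key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "$fqdn: private key does not match certificate" >&2; return 1; }
  # 3. The SAN (or CN) must cover the FQDN; agents and the server connect by that name.
  openssl x509 -in "$host_cert" -noout -checkhost "$fqdn" | grep -q ' does match ' \
    || { echo "$fqdn: hostname not covered by certificate SAN/CN" >&2; return 1; }
  # 4. The certificate must stay valid long enough to finish the rollout.
  openssl x509 -in "$host_cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "$fqdn: certificate expires within $min_days days" >&2; return 1; }
}

# Check every host in a manifest of "fqdn cert key" lines (hypothetical format) and
# print the add_custom_cert command for each host that passes. Returns non-zero if
# any host fails, because auto-TLS needs a valid certificate for every host.
preflight_manifest() {
  local manifest=$1 ca_cert=$2 location=${3:-/opt/cloudera/CMCA} failures=0
  local fqdn cert key
  check_ca_cert "$ca_cert" || return 1
  while read -r fqdn cert key; do
    [ -z "$fqdn" ] && continue             # skip blank lines
    case $fqdn in \#*) continue ;; esac   # skip comment lines
    if check_host_cert "$cert" "$key" "$ca_cert" "$fqdn" </dev/null; then
      echo "sudo /opt/cloudera/cm-agent/bin/certmanager --location $location add_custom_cert --host-cert $cert --host-key $key $fqdn"
    else
      failures=$((failures + 1))
    fi
  done < "$manifest"
  [ "$failures" -eq 0 ]
}

# Create a throwaway CA, one host certificate, an unrelated key and a manifest in "$1".
# Constructed demo material only; replace with certificates issued by your real CA.
make_demo_material() {
  local dir=$1
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/CN=Constructed Demo CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.cnf"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.cnf" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/host1.key" -out "$dir/host1.csr" \
    -subj "/CN=host1.example.com" >/dev/null 2>&1
  printf 'subjectAltName=DNS:host1.example.com\n' > "$dir/host1.cnf"
  openssl x509 -req -in "$dir/host1.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -extfile "$dir/host1.cnf" -out "$dir/host1.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
  printf 'host1.example.com %s/host1.pem %s/host1.key\n' "$dir" "$dir" > "$dir/hosts.txt"
}

# Usage: preflight.sh hosts.txt /path/to/cacert.pem [/opt/cloudera/CMCA]
if [ "$#" -ge 2 ]; then
  preflight_manifest "$@"
fi
```

Run the script with the manifest and the CA certificate before step 1; only when it exits 0 should the printed add_custom_cert commands be executed on the hosts. The same check_ca_cert function can be pointed at a file written from certmanager export_ca_cert to confirm that an internal CA created by the setup command is self-signed and carries the CA flag.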

Continue with the installation.

Page generated July 25, 2018.