
How to make Cloudera Manager use https?

Hi All,

What needs to be done to make Cloudera Manager use https?

By default it is using http.

Thank you,

Igor

 


Re: How to make Cloudera Manager use https?

You need to create or request an SSL certificate. Then install the Java keystore (contains the cert and key) and CA cert chain on the CM host. Then tell CM where the keystore is and its password and flip the switch.

See here for the details.

https://www.cloudera.com/documentation/enterprise/5-2-x/topics/cm_sg_tls_browser.html

Re: How to make Cloudera Manager use https?

If Hadoop hosts communicate on the internal network (and data nodes are not known to DNS on the external network) but the Hue/CM host is a gateway and faces both networks, do I need different certificates on the internal and external networks (considering that IP addresses and hostnames are different)? One certificate for external web clients connecting to the external interface of the Hue/CM server (which is known to DNS and for which I can request a CA-signed certificate) and the other certificate for communication on the internal network (not known to DNS and for which I probably cannot request a CA-signed certificate but have to generate my own) with various Hadoop services?

Would Kerberos work if I only use TLS to secure communication between a web browser on the external network and CM (Level 1 TLS) or do I have to go all the way to Level 3 TLS before enabling Kerberos?


Re: How to make Cloudera Manager use https?

I'll start with the last question as it may help filter out the rest. Enabling SSL/TLS for HUE and CM is not a requirement for setting up Kerberos. It will just encrypt the traffic between the browser and the server to primarily protect usernames and passwords.

I'll take a step back: if you want to use the CM wizard to enable Kerberos, you will need at least level 2 for CM TLS. This just sets up the CA cert on all agent hosts and instructs them to use TLS. This allows for CM to push the keytabs to the host in a secure fashion.

Now to the other questions...

If you are just enabling SSL for the browser communication of HUE and CM, then you just need a cert issued by the CA for those public-facing addresses. This will only work for that function.

If you are trying to encrypt all traffic between clients and services and between the services themselves (still in a client-server fashion), then you need a certificate that covers both addresses. CM configuration only allows for JKS, certificate, CA, name and password. So what you will need to do is create the certificates with a Subject Alternative Name (SAN). This can be a bit painful. Below are a couple of resources that should help.

https://geekflare.com/san-ssl-certificate/
http://wiki.cacert.org/FAQ/subjectAltName
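
A sketch of the SAN approach described in the answer above, added here as an example and not part of the original thread: it generates a key and a CSR whose subjectAltName lists both the external and the internal hostname, then checks that a given name is covered. The hostnames, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample names (assumptions, not taken from the thread):
EXT_NAME="cm-gw.example.com"        # external interface, known to DNS
INT_NAME="cm-gw.cluster.internal"   # internal interface, cluster-only name

# make_san_csr OUTDIR CN SAN...
# Writes OUTDIR/server.key and OUTDIR/server.csr. Every SAN argument
# becomes a DNS entry in the requested subjectAltName extension.
make_san_csr() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir" || return 1
    cnf="$outdir/san.cnf"
    {
        printf '[req]\ndistinguished_name = dn\n'
        printf 'req_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt\n[alt]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cnf"
    # umask 077 keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$outdir/server.key" -out "$outdir/server.csr" \
          -config "$cnf" ) >/dev/null 2>&1
}

# csr_has_san CSR NAME
# Succeeds only if NAME appears as an exact DNS entry in the CSR's SAN list.
csr_has_san() {
    openssl req -in "$1" -noout -text |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$2"
}
```

Running `csr_has_san` on the CSR before submitting it catches a missing name while it is still cheap to fix. The signed certificate and its key then go into the JKS keystore that CM is configured with.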