10-06-2016 03:38 PM
I set up my kerberized cluster with LDAP a long time ago. I am now trying to add services after upgrading to CM 5.8.2 which require more kerberos accounts on AD, and it looks like it only supports LDAPS. Is this correct?
I can add LDAPS to my AD server, but where do I put the certificate on CM?
10-06-2016 07:34 PM
The AD certificate goes in the JVM keystore on CM:
1. On the domain controller, export the certificate in the "Base-64 encoded X.509 (.CER) format.
2. Copy the file to the Cloudera Manager host using an SCP/SSH tool such as WinSCP.
3. Import the certificate into your JVM keystore:
keytool -import -alias <alias-for-cert> -file <path-to-cert> -keystore <path-to-keystore> -storepass <keystore password>
Note: The truststore is usually located at: $JAVA_HOME/jre/lib/security/cacerts.