Enabling TLS for Cloudera Manager admin console

chhaya_vishwaka — Thu, 30 Jan 2020 13:47:32 GMT

Hi All,

I'm trying to enable TLS for Cloudera Manager admin console , below are the commands I followed.

1. Received signed host certificate from IT team ( <hostname>.pem ) , also rootca (root.pem)

2. Copy the JDK cacerts file to jssecacerts as follows:

sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts

3. import rootca cert into JKS store

sudo $JAVA_HOME/bin/keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts -file /opt/cloudera/security/pki/root.pem

4. Created JKS and imported host certificate in keystore.

$JAVA_HOME/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -dname "CN=$(hostname -f),OU=Engineering,O=Cloudera,L=Singapore,ST=Singapore,C=Singapore" -ext san=dns:$(hostname -f)

sudo $JAVA_HOME/bin/keytool -importcert -alias $(hostname -f) -file /opt/cloudera/security/pki/$(hostname -f).pem -keystore /opt/cloudera/security/pki/$(hostname -f).jks

5. creating symlinks

sudo ln -s /opt/cloudera/security/pki/$(hostname -f).pem /opt/cloudera/security/pki/agent.pem sudo ln -s /opt/cloudera/security/pki/$(hostname -f).jks /opt/cloudera/security/pki/server.jks

6. Enabled TLS from Cloudera Manager admin console

Property Description

Cloudera Manager TLS/SSL Server JKS Keystore File Location	The complete path to the keystore file. For example: /opt/cloudera/security/pki/server.jks
Cloudera Manager TLS/SSL Server JKS Keystore File Password	The password for the /opt/cloudera/security/jks/server.jks keystore.
Use TLS Encryption for Admin Console	Check this box to enable TLS encryption for Cloudera Manager.

7. Restart Cloudera Manager server

Cloudera manager starting successfully however I'm not able to open admin console from browser

sudo netstat -tulpn | grep 7183 tcp 0 0 0.0.0.0:7183 0.0.0.0:* LISTEN 4664/java

I'm getting below error on browser page

This site can’t provide a secure connection 1.1.1.1 uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH Unsupported protocol The client and server don't support a common SSL protocol version or cipher suite.

Can someone please suggest what am I missing here ?

Re: Enabling TLS for Cloudera Manager admin console

paras — Fri, 31 Jan 2020 07:43:46 GMT

@chhaya_vishwaka

The "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error can happen if a JKS contains multiple certs with similar names.
Run below command for the keystore
# keytool -list -keystore server.jks
The correct cert with be the one with "Entry type: PrivateKeyEntry".
If you find a certificate with "Entry type: trustedCertEntry" and a similar alias name then that is the problem cert.

Remove this certificate from keystore using below steps:

i) Make a backup of the existing JKS.
ii) Stop CM
iii) Remove the cert identified above.
keytool -delete -alas <cert_alias> -keystore server.jks
iv) Start CM and test again.

Re: Enabling TLS for Cloudera Manager admin console

chhaya_vishwaka — Wed, 05 Feb 2020 09:44:25 GMT

thanks @paras

question Re: Enabling TLS for Cloudera Manager admin console in Support Questions

Enabling TLS for Cloudera Manager admin console

Re: Enabling TLS for Cloudera Manager admin console

Re: Enabling TLS for Cloudera Manager admin console