question Re: cloudera agent TLS configuration in Support Questions

cloudera agent TLS configuration

Yuriy_but — Tue, 15 Sep 2020 14:45:28 GMT

Hello.
I'm trying to use my own certs from CA(I converted them to right format)
I'm already configurated TLS for cloudera manager server (when I signed on https://{MASTER_IP}:7183 - I see it.
File cm_init.txt

setsettings AGENT_TLS true
setsettings WEB_TLS true
setsettings NEED_AGENTS_VALIDATION true
setsettings AUTO_TLS_TYPE NONE
setsettings KEYSTORE_PATH /opt/agentcerts/MYKEYSTORE.jks
setsettings KEYSTORE_PASSWORD MYPASSWORD
setsettings TRUSTSTORE_PATH /opt/agentcerts/MYTRUSTSTORE.jks
setsettings TRUSTSTORE_PASSWORD MYPASSWORD

Also I used them for HUE web UI and Hue Load Balancer - its also work too.
But, I need to configurate certs to agents too, because I didn't see status of my agents in (hosts ->all hosts tab).
I changed file /etc/cloudera-scm-agent/config.ini, there main changes on him:

use_tls=1
verify_cert_file=/opt/agentcerts/MYCERT.pem
client_key_file=/opt/agentcerts/MYKEY.pem
client_keypw_file=/opt/agentcerts/KEYPASS.pw
client_cert_file=/opt/agentcerts/MYCERT.pem
verify_cert_dir=/opt/agentcerts/
But in log file /var/log/cloudera-scm-agent/cloudera-scm-agent.log I still see defaults conf while it starts:

[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO     Agent Logging Level: INFO
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO     Agent config:
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.max_cert_depth = 9
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.use_tls = 0
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.client_cert_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-host_cert_chain.pem
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.verify_cert_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-in_cluster_ca_cert.pem
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.client_key_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-host_key.pem
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.client_keypw_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-host_key.pw
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.cm_auto_cert_dir = /var/lib/cloudera-scm-agent/agent-cert

Especially Idk why in log I see what use_tls=0.

Re: cloudera agent TLS configuration

Bender — Mon, 14 Sep 2020 15:43:46 GMT

Hello @Yuriy_but ,

thank you for reaching out to the Community. What is the CDH version you are using, please?

For CDH6.3 please find here the related documentation on how to manually configure TLS Encryption for CM.

Did you follow the steps from the documentation, please?

Thank you:
Ferenc

Re: cloudera agent TLS configuration

Yuriy_but — Tue, 15 Sep 2020 10:25:10 GMT

I has enabled TLS Encryption for agents, but when I change file "/etc/cloudera-scm-agent/config.ini" to use_tls=1 and use path for my CA certs - its doesn't apply, in log I see parameters "use_tls=0 and standard auto_tls path to files".

Re: cloudera agent TLS configuration

Bender — Wed, 16 Sep 2020 08:23:21 GMT

Hello @Yuriy_but ,

thank you for this information.

Did you enable "Use TLS Encryption for Agents" on CM, please?

Did you restart both CM and the agent on the host after making these changes?

To verify if the configuration change worked the documentation describes:

"In the Cloudera Manager Admin Console, go to Hosts > All Hosts. If you see successful heartbeats reported in the Last Heartbeat column after restarting the agents, TLS encryption is working properly."

Kind regards:

Ferenc

Re: cloudera agent TLS configuration

Yuriy_but — Thu, 17 Sep 2020 10:09:23 GMT

There is some photo (sorry for quality, machine w/o internet access):

1) Log file /var/log/cloudera-scm-agent/cloudera-scm-agent.log

2) Administration-> Settings -> TLS in CM:

3)Configuration file in /etc/cloudera-scm-agent/config.ini

Re: cloudera agent TLS configuration

Bender — Thu, 17 Sep 2020 11:21:16 GMT

Hello @Yuriy_but ,

thank you for the screenshots.

Based on the log I would intuitively expect that if the agent was able to read the new configs, the "Agent config" section would reflect your TLS configuration however, it does not show the verify cert file neither the enabled TLS setting.

I guess you've tried to restart the agent already. Would you mind attempting to hard restart the agent to see if it transitioned into a bad state, so the restart did not work?

"Warning: The hard_stop and hard_restart commands kill all running managed service processes on the host(s) where the command is run."

Please let us know if the agent is able to read the updated configurations after a hard restart.

Thank you:
Ferenc

Re: cloudera agent TLS configuration

Yuriy_but — Thu, 17 Sep 2020 11:53:51 GMT

I did it, but doesn't work.

idk for cloudera server - all ok, but for agents - doesn't works.

(example for CM admin console, for hue - looks like this too).

Re: cloudera agent TLS configuration

Yuriy_but — Thu, 17 Sep 2020 12:33:20 GMT

Miracle!

It's start work while I delete file "config.ini.orig" from folder /etc/cloudera-scm/agent/

Now there only "config.ini" file.

Re: cloudera agent TLS configuration

Bender — Thu, 17 Sep 2020 12:38:59 GMT

Hello @Yuriy_but ,

it is good to hear you found the solution and it works for you now!

Best regards:

Ferenc