New Contributor
Posts: 3
Registered: ‎12-20-2013

Configure Cloudera Director to Access Cloudera Manager via TLS/SSL

I manually enabled TLS/SSL on Cloudera Manager and Agents, and I am trying to configure Cloudera Director to use HTTPS to access the Cloudera Manager API. I am trying to update the template via a curl POST to the API with the following:

 

{
  "name": "impala-cloudera-manager",
  "tlsEnabled": true,
  "port": 7183,
  "trustedCertificate": "-----BEGIN CERTIFICATE-----\nMM...+OkuE6N36B9K\n-----END CERTIFICATE-----\n"
},
"managerVirtualInstance": {
  "id": "d901df10-07a8-4a26-85bf-413b6b72fa5e",
  "template": {
    "name": "cloudera-manager",
    "type": "m3.xlarge",
  }

 

and it doesn't seem to work. I am using the correct cert and root CA.

Here is the error in the Cloudera Director logs:

-----------------------------

Caused by: javax.ws.rs.ProcessingException: java.io.IOException: IOException invoking https://10.xxx.xxx.xxx:7183/api/version: HTTPS hostname wrong: should be <10.xxx.xxx.xxx>
at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:596)
at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:578)
at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:748)
at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:231)
at com.cloudera.api.$Proxy228.getCurrentVersion(Unknown Source)
... 125 common frames omitted

--------------------------------

 

Why is it trying to validate against the IP address? If I put the IP in the browser, of course I would be presented with an SSL certificate error.

Cloudera Employee
Posts: 44
Registered: ‎08-13-2014

Re: Configure Cloudera Director to Access Cloudera Manager via TLS/SSL

Hi,

Cloudera Director uses the IP address of the Cloudera Manager server to communicate with it. This means you need the IP address of the server in the TLS certificate for this to work. You can find more information on this in the Cloudera documentation:

 

https://www.cloudera.com/documentation/director/latest/topics/director_tls_enable.html#concept_dcl_2...

 

If you can add the private IP address for the Cloudera Manager as a Subject Alternative Name (SAN) in the certificate then this should work around the issue.

 

Regards,

Jim
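
The check described in the reply above, as an added example that is not part of the original thread and is not Cloudera's code: a client that connects by IP address only accepts a certificate whose SAN list has an iPAddress entry equal to that address, so a dNSName entry or the CN does not help. The host name `cm.example.internal`, the address `10.0.0.5` and both sample certificates are constructed; `fetch_cert` and `check_target` are hypothetical helper names.

```python
import ipaddress
import socket
import ssl


def fetch_cert(host, port, cafile):
    """Return the server certificate as a getpeercert() dict.

    The chain is still validated against cafile; only the name check is
    turned off so a certificate with the wrong names can be inspected.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


def check_target(cert, target):
    """Return (ok, reason) for connecting to `target` with this certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        want = ipaddress.ip_address(target)
    except ValueError:
        # Target is a host name: only dNSName entries are considered.
        names = [v.lower() for k, v in sans if k == "DNS"]
        ok = target.lower() in names  # exact match only; wildcards not modelled
        return ok, "dNSName SANs: %s" % (", ".join(names) or "none")
    # Target is an IP literal: only iPAddress entries are considered.
    ips = [ipaddress.ip_address(v) for k, v in sans if k == "IP Address"]
    if want in ips:
        return True, "iPAddress SAN matches %s" % want
    return False, "no iPAddress SAN for %s (found: %s)" % (
        want, ", ".join(map(str, ips)) or "none")


# Constructed sample certificates in the shape returned by getpeercert().
DNS_ONLY = {
    "subject": ((("commonName", "cm.example.internal"),),),
    "subjectAltName": (("DNS", "cm.example.internal"),),
}
WITH_IP = {
    "subject": ((("commonName", "cm.example.internal"),),),
    "subjectAltName": (("DNS", "cm.example.internal"), ("IP Address", "10.0.0.5")),
}

if __name__ == "__main__":
    for label, cert in (("DNS only", DNS_ONLY), ("DNS + IP", WITH_IP)):
        print(label, check_target(cert, "10.0.0.5"))
```

Against a live server, pass the result of `fetch_cert(<address>, 7183, <root CA file>)` to `check_target` with the same address Cloudera Director uses.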
