11-07-2018 02:00 PM
I am facing issues while enabling TLS for Admin console -
I have Root CA, Inter CA and server side pub key and priv key. Generate jks file and imported inter ca and pub key into the keystore file referencing it in CM console. But the browser shows it uses self signed CA in keystore file.
How can we make CM console use the CA issued certificate ? Please advise.
Other way I tried is to convert the server pub key into jks and still it shows server certificate not valid.
11-07-2018 05:41 PM
Glad to hear you are enabling security.
Assuming that generated a CSR (certificate signing request) and it was signed by your CA (Certificate Authority) and that you imported that same signed certificate into your keystore, you should then see that the signed certificate is in your JKS file, listed by keytool as PrivateKeyEntry. If you see the "self-signed" certificate in your JKS for the PrivateKeyEntry, but you also see your server certificate (that was signed) in the JKS, that indicates that the import of the certificate did not match the Key from which the CSR was generated.
If you can show some more information about what you did and what you see (screen shots or command line text would be great) then we might be able to more clearly understand what the underlying problem is.
11-08-2018 07:57 AM
Thank you for the response. I have created keystore file using public cert and the private cert and was able to pass from this issue, but Cloudera management services are not starting.
After the creation of keystore, I have copied cacerts from java directory and named it as truststore.jks. This truststore contains root CA , Intermediate CA from the issuing authority. I have added trust store path and password in web console.
I see authentication failures in scm server log and cloudera management services are not coming-
INFO 285679310@scm-web-11:com.cloudera.server.web.cmf.AuthenticationFailureEventListener: Authentication failure for user: '__cloudera_internal_user__mgmt-ACTIVITYMONITOR-15d443db68f73fcfa654fd83bf04540e' from
Host monitor log
INFO com.cloudera.cmf.BasicScmProxy: Authentication to SCM required.
INFO com.cloudera.cmf.BasicScmProxy: Using encrypted credentials for SCM
Please let me know if I'm missing anything.
11-08-2018 09:13 AM
If you only created a JKS file with a private key and then imported the CA certificates, you will have a self-signed certificate.
You would still need to create a CSR and have it signed by a certificate authority in order to not have it self-signed.
Without seeing each command you ran, it is not possible to confirm.
That said, your issue is not caused by TLS issues if you only see:
Authentication failure for user: '__cloudera_internal_user__mgmt-ACTIVITYMONITOR-15d443db68f73fcfa654fd83bf04540e' from
This means that the TLS handshake completed and then the client attempted to authenticate with its username and password.
I would suggest making sure you have done the following after enabling TLS for the admin console and restarting Cloudera Manager with service cloudera-scm-server restart:
- Make sure you have configured Truststore for Cloudera Management Service. If it is self-signed, then you can use the same JKS file you specified for the keystore in the CM config.
- Restart Cloudera Management Service from the Cloudera Manager UI.
The Cloudera Management Service roles must be able to connect to and authenticate to Cloudera Manager in order to start.
11-09-2018 09:39 AM
@bgooley Thanks for the explanation and help. Intially I have tried with self signed and now I have received signed certificates.
Fixed the issue after creating a trustore.