
Enable SSL for CDH 5.15 Cluster


Explorer

I am trying to enable SSL for all nodes and services in the cluster. How can I do this? Can someone please point me to some concise documentation where I can do this quickly and safely? Bit confused about Sentry and how it plays into authorization etc. Thanks.

20 REPLIES 20

Re: Enable SSL for CDH 5.15 Cluster

Master Collaborator
This is a little bit long but very good and detailed step-by-step documentation https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_hadoop_ssl_cm.html

Re: Enable SSL for CDH 5.15 Cluster

Super Guru

@AKB,

In CM 6, we introduce auto-tls that might be of interest to you if you are setting up a new cluster:

https://www.cloudera.com/documentation/enterprise/latest/topics/auto_tls.html

In CM 5, configuring TLS is a manual process that can take a good amount of time. The documentation link provided before should help, but if you are new to TLS, PKI, etc. it may take a while to get everything done.

As for Sentry, you can start reading here:

https://www.cloudera.com/documentation/enterprise/5-15-x/topics/sentry_intro.html

Re: Enable SSL for CDH 5.15 Cluster

Explorer

Is Kerberos authentication mandatory before setting up SSL on Hadoop nodes?


Also, moving to CDH 6 is not an option for us at the moment.

Re: Enable SSL for CDH 5.15 Cluster

Master Collaborator
It does not make sense to enable SSL when you don't have Kerberos, because
typically the reason for SSL is to protect the data (on the fly). Without
Kerberos and with SSL, anybody can access your data in Hadoop if they have
access to the network of the cluster.


Re: Enable SSL for CDH 5.15 Cluster

Super Guru

@AKB,

SSL and Kerberos can be configured independently and do not depend on one another functionally.

It is recommended to use a mixture of both to ensure you can restrict access to your cluster via authentication/authorization and then, with TLS (SSL), also protect against snooping of your data over the wire.

Re: Enable SSL for CDH 5.15 Cluster

Explorer

What if I needed to set up SSL only and then use our corporate SSO mechanism for authentication? Any hints on that?

Re: Enable SSL for CDH 5.15 Cluster

Super Guru

@AKB,

If by SSO you mean SAML, then that would only apply to external access points in UIs: Cloudera Manager, Hue, and Navigator. You still need Kerberos for internals such as HDFS and YARN for instance.

Maybe if you can clarify what you are planning for security in your environment we can help answer more specific questions.

Re: Enable SSL for CDH 5.15 Cluster

Explorer

Can one SSL certificate be used on all nodes of the cluster? Sorry for the questions, I am not familiar with doing this. 

Re: Enable SSL for CDH 5.15 Cluster

Master Collaborator
No, it can't, because the FQDN of the host is in the certificate.
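
The hostname check behind the answer above, as an added example that is not part of the thread or of any Cloudera tooling: a TLS client compares the host it connects to with the DNS names in the server certificate, so a certificate issued for one node fails that check on every other node. The node names and name lists are constructed sample data, and the matcher also handles wildcard entries, which goes beyond the case discussed in the thread.

```python
# Added example: find cluster nodes whose installed certificate does not name them.
# All hostnames and dNSName lists below are constructed sample data.

def name_matches(pattern, fqdn):
    """RFC 6125-style match of one certificate dNSName against a host FQDN.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label; comparison is case-insensitive.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = fqdn.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(dns_names, fqdn):
    """True if any dNSName entry of the certificate matches the host."""
    return any(name_matches(name, fqdn) for name in dns_names)


def audit(deployed):
    """deployed maps node FQDN -> dNSName entries of the certificate installed there.

    Returns the sorted list of nodes that clients would reject on hostname
    verification because the certificate does not name them.
    """
    return sorted(h for h, names in deployed.items() if not cert_covers(names, h))


NODES = [
    "node1.cluster.example.com",
    "node2.cluster.example.com",
    "node3.cluster.example.com",
]

# Case from the thread: one certificate issued to node1, copied to every node.
COPIED = {host: ["node1.cluster.example.com"] for host in NODES}

# One certificate per node, each naming its own FQDN.
PER_HOST = {host: [host] for host in NODES}

if __name__ == "__main__":
    print("copied cert, failing nodes:  ", audit(COPIED))
    print("per-host certs, failing nodes:", audit(PER_HOST))
```
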