
Enable SSL for CDH 5.15 Cluster

Explorer

I am trying to enable SSL for all nodes and services in the cluster. How can I do this? Can someone please point me to some concise documentation where I can do this quickly and safely. Bit confused about Sentry and how it plays into authorization etc. Thanks.


Master Collaborator
This is a little bit long, but it is very good and detailed step-by-step documentation: https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_hadoop_ssl_cm.html

Super Guru

@AKB,

 

In CM 6, we introduced Auto-TLS, which might be of interest to you if you are setting up a new cluster:

 

https://www.cloudera.com/documentation/enterprise/latest/topics/auto_tls.html

 

In CM 5, configuring TLS is a manual process that can take a good amount of time. The documentation link provided before should help, but if you are new to TLS, PKI, etc., it may take a while to get everything done.

 

As for Sentry, you can start reading here:

 

https://www.cloudera.com/documentation/enterprise/5-15-x/topics/sentry_intro.html

Explorer

Is Kerberos authentication mandatory before setting up SSL on Hadoop nodes?


Also, moving to CDH 6 is not an option for us at the moment.

Master Collaborator
It does not make sense to enable SSL when you don't have Kerberos, because typically the reason for SSL is to protect the data (on the fly). Without Kerberos and with SSL, anybody can access your data in Hadoop if they have access to the network of the cluster.


Super Guru

@AKB,

 

SSL and Kerberos can be configured independently and do not depend on one another functionally.

 

It is recommended to use a mixture of both to ensure you can restrict access to your cluster via authentication/authorization, and then also with TLS (SSL) you protect against snooping of your data over the wire.

 

 

Explorer

What if I needed to set up SSL only and then use our corporate SSO mechanism for authentication? Any hints on that?

Super Guru

@AKB,

 

If by SSO you mean SAML, then that would only apply to external access points in UIs: Cloudera Manager, Hue, and Navigator. You still need Kerberos for internals such as HDFS and YARN, for instance.

 

Maybe if you can clarify what you are planning for security in your environment we can help answer more specific questions.

 

 

Explorer

Can one SSL certificate be used on all nodes of the cluster? Sorry for the questions, I am not familiar with doing this.

Master Collaborator
No, it can't, because the FQDN of the host is in the certificate.

Explorer

But a wildcard domain cert can be used, correct?

Expert Contributor

Hello AKB,

 


@AKB wrote:

I have created a self-signed cert using this:

Where do I find the other files mentioned in step 7 - https://www.cloudera.com/documentation/enterpr...


While it is possible to use self-signed certificates, we strongly recommend against their use for a variety of reasons, including but not limited to security, usability, and maintenance. We are debating the removal of this documentation internally. However, with that said, if you have followed this guide successfully, the files you need to work with in step 7 should already exist on each host.

 


@AKB wrote:

Can one SSL certificate be used on all nodes of the cluster? 


While it is possible to use SAN and wildcard certificates for a cluster, we also strongly discourage the use of a single certificate for all cluster services. Using a single certificate exposes you to unnecessary risk and actually reduces the overall security of your TLS implementation, because all of your certificates and services will rely on a single private key. There are certainly uses for SAN and wildcards, but you should avoid using these to cover all services in an environment. You will find similar information published by OWASP: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Use_Wildcard_Ce...

---
Customer Operations Engineer | Security SME | Cloudera, Inc.

Explorer

Can anyone please suggest a book to understand and implement Kerberos auth and SSL configs for a cluster? Cloudera-specific would be even better. I have not involved myself with this task before, so it feels daunting after reading all the docs.

Super Guru

@AKB, I am not sure what your skill level with Kerberos and TLS is, but the following book was written by Cloudera employees and does a good job of explaining security, including Kerberos and TLS:

 

http://shop.oreilly.com/product/0636920033332.do

 

For configuration specifics in CDH, though, our latest documentation does well:

 

Security Guide for 6.0

Enabling Kerberos in CDH

Encryption in Transit

 

If you need clarification on anything in particular, let the community know. We can probably help.

Explorer

Thanks, that book and additional docs were very helpful. Another question: how do I generate test certs for a test cluster to see the workflow end to end? I was reading this doc -> https://www.cloudera.com/documentation/enterprise/5-15-x/topics/how_to_configure_cm_tls.html#concept... and got stuck on step 3 because I don't want to buy a CA cert yet, but rather generate a local one and test.

 

Any help is appreciated.

Expert Contributor

Hi,

 

Even though this documentation targets Kafka, you can use a similar process to create your own CA using openssl. You will want to review steps 1-3, but please do not use the bash script that is in the documentation. The bash script is an example to automate things, but it will not do what you need it to do. I know that this answer is a little terse, but you should be able to use what you need from this documentation and the normal TLS deployment documentation to get you to the place you want to be. You may have done step 1 on all of your hosts, for example, or already created CSRs.

 

https://www.cloudera.com/documentation/kafka/latest/topics/kafka_security.html#deploying_ssl_for_kaf...

 

Once you have certificates and truststores on all of your hosts, you can configure services to use the keystores/truststores, and PEM files where required. If you follow the steps in the guide, you should in theory have all of the formats you need.

 

- Step 1 creates all of the Java keystores on each host.

- Step 2 creates the certificate signing authority and the Java truststore you should distribute. Be aware that you will also need to distribute your root certificate in X.509 PEM format for the agent.

- Step 3 creates the CSR on each host, signs that CSR resulting in a usable client certificate, and imports that certificate into the Java keystore. Be aware that you will also want to distribute the X.509 PEM-encoded version of each host certificate to the host it belongs to, so that it may be used by the agent.

 

I'd recommend creating a structure similar to this on each node.

 

/opt/cloudera/security/
/opt/cloudera/security/ca-certs
/opt/cloudera/security/jks
/opt/cloudera/security/x509

 

On the host you decide to make your CA, you should add an additional sub-folder labeled setup with a structure similar to the one below. Keep in mind that this is for example purposes only, and you can ultimately use any structure you decide.

 

 

/opt/cloudera/security/setup/keys
/opt/cloudera/security/setup/client_certs
/opt/cloudera/security/setup/csr
/opt/cloudera/security/setup/rootca

---
Customer Operations Engineer | Security SME | Cloudera, Inc.
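The procedure in the post above, as an added example and not Cloudera's documented script: a private test CA built with openssl, then one host certificate taken through CSR, signing, PEM copies for the agent and a PKCS12 bundle, all written into the directory layout the post suggests (rooted in a scratch directory rather than /opt/cloudera/security). It departs from the Kafka guide in one way: the host key is generated with openssl and converted for keytool via PKCS12 instead of keytool -genkey. The root path, the FQDN node1.example.test and the password changeit are constructed values.

```shell
#!/bin/sh
# Added example (not Cloudera's script): build a private test CA with openssl,
# then issue one host certificate (CSR -> signed cert -> PEM copies for the agent
# -> PKCS12 bundle for keytool) into the layout suggested in the post, rooted
# under a scratch directory instead of /opt/cloudera/security.
# Assumptions: openssl is installed; ROOT, HOST and the password are constructed.
set -e
ROOT="${ROOT:-$(mktemp -d)}"            # stand-in for /opt/cloudera/security
HOST="${HOST:-node1.example.test}"      # constructed FQDN; must match the host
CA_DIR="$ROOT/setup/rootca"; CSR_DIR="$ROOT/setup/csr"
KEY_DIR="$ROOT/setup/keys"; CERT_DIR="$ROOT/setup/client_certs"
mkdir -p "$CA_DIR" "$CSR_DIR" "$KEY_DIR" "$CERT_DIR" "$ROOT/ca-certs" "$ROOT/x509" "$ROOT/jks"

make_ca() {  # step 2: self-signed root CA; the private key never leaves the CA host
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Test Cluster Root CA" \
    -keyout "$CA_DIR/rootca.key" -out "$CA_DIR/rootca.pem" 2>/dev/null
  chmod 600 "$CA_DIR/rootca.key"
  cp "$CA_DIR/rootca.pem" "$ROOT/ca-certs/"  # this PEM is what every host's agent needs
}

issue_host_cert() {  # steps 1 and 3 for one host: key, CSR, signed cert, PEM copies
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$KEY_DIR/$HOST.key" -out "$CSR_DIR/$HOST.csr" 2>/dev/null
  # The SAN carries the FQDN: clients match on it, which is why it is one cert per host
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$HOST" > "$CSR_DIR/$HOST.ext"
  openssl x509 -req -in "$CSR_DIR/$HOST.csr" -CA "$CA_DIR/rootca.pem" \
    -CAkey "$CA_DIR/rootca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$CSR_DIR/$HOST.ext" -out "$CERT_DIR/$HOST.pem" 2>/dev/null
  chmod 600 "$KEY_DIR/$HOST.key"
  cp "$CERT_DIR/$HOST.pem" "$KEY_DIR/$HOST.key" "$ROOT/x509/"  # PEM pair for the agent
  # PKCS12 bundle: keytool -importkeystore -srcstoretype PKCS12 turns it into the JKS
  openssl pkcs12 -export -in "$CERT_DIR/$HOST.pem" -inkey "$KEY_DIR/$HOST.key" \
    -certfile "$CA_DIR/rootca.pem" -name "$HOST" -passout pass:changeit \
    -out "$ROOT/jks/$HOST.p12"
}

verify_host_cert() {  # exits 0 only if the chain validates against the distributed root
  openssl verify -CAfile "$ROOT/ca-certs/rootca.pem" "$CERT_DIR/$HOST.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$CERT_DIR/$HOST.pem" -noout -text | grep -q "DNS:$HOST"
}
```

On a host with a JDK, the bundle becomes the per-host keystore with `keytool -importkeystore -srckeystore "$ROOT/jks/$HOST.p12" -srcstoretype PKCS12 -destkeystore "$ROOT/jks/$HOST.jks"`, and the root PEM goes into the shared truststore with `keytool -importcert`.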

Explorer

Thanks I will look into all of these.

 

Is there a plan for CM automating a lot of these steps in the future? In summary, what does Auto-TLS in CDH 6.x provide that is not there in 5.15?

 

 

Expert Contributor

Hi,

 

Auto TLS in CDH 6 at present simplifies and automates a number of tasks across supported services in relation to the deployment of TLS. There are still, however, some manual steps depending on what precisely you are trying to do. We do plan to continue working on Auto TLS to add features and capabilities in the future.

 

https://www.cloudera.com/documentation/enterprise/latest/topics/auto_tls.html#auto_tls

 

If you are a licensed customer, you should reach out to your account team. We do have other non-public and unofficial tools that can help automate certificate handling for all releases.

---
Customer Operations Engineer | Security SME | Cloudera, Inc.

Explorer

Another question here: is it easier to set up an Nginx reverse proxy with SSL certs to point to the Hadoop services we need to expose, like Hue and CM? If so, are there any CDH-specific docs for that? Thanks

Expert Contributor

Hello AKB,

 

Unfortunately, the answer to your question is no. It will not be easier or better to rely solely on TLS termination on a reverse proxy. For most balancing/proxying algorithms, hardware, and software, we recommend TCP passthrough, which means that all Hadoop services must still have TLS properly deployed as well as enabled.

 

If your cluster is accessible by any external network, we would advise that you properly deploy both Kerberos and TLS on your cluster.

---
Customer Operations Engineer | Security SME | Cloudera, Inc.