I have created a slef-signed cert using this:
Now onwards trying to use CM for configs:
I have created a slef-signed cert using this:
While it is possible to use Self-Signed certificates we strongly recommend against their use for a variety of reasons including but not limited to Security, Usability, and Maintenance. We are debating the removal of this documentation internally. However with that said if you have followed this guide successfully the files you need to work with in step 7 should already exists on each host.
Can one SSL certificate be used on all nodes of the cluster?
While it is possible to use SAN and Wildcard certificates for a cluster we also strongly discourage the use of a single certificate for all cluster services. Using a single certificate exposes you to unnecessary risk and actually reduces the overall security of your TLS implementation because all of your certificates and services will rely on a single private key. There are certainly uses for SAN and Wildcards but you should avoid using these to cover all services in an environment. You will find similar information published by OWASP. https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Use_Wildcard_Ce...
Can anyone please suggest me a book to understand and implement Kerberos auth and SSL configs for cluster, Cloudera specific would be even better? I have not involved myself with this task before so it feels daunting after reading all the docs.
@AKBI am not sure what your skill level with Kerberos and TLS is, but the following book was written by Cloudera employees and does a good job of explaining security including Kerberos and TLS:
For configuration specifics in CDH, though, our latest documentation does well:
If you need clarification on anything in particular, let the community know. We can probably help.
Thanks, that book and additional docs were very helpful. Another question, how do I generate test certs for a test cluster to see the workflow end to end. Was reading this doc -> https://www.cloudera.com/documentation/enterprise/5-15-x/topics/how_to_configure_cm_tls.html#concept... and stuck on step 3 because I dont want to buy a CA cert yet, rather generate a local one and test.
Any help is appreciated.
Even though this documentation targets Kafka you can use a similar process to create your own CA using openssl. You will want to review steps 1-3 but please do not use the bash script that is in the documentation. The bash script is an example to automate things but it will not do what you need it to do. I know that this answer is a little terse but you should be able to use what you need from this documentation and the normal TLS deployment documentation to get you to a place you want to be. You may have done step 1 on all of your host for example or already created CSRs.
Once you have certificates and truststores on all of your host you can configure services to use the keystores/truststores, and pem files where required. If you follow the steps in the guide you should in theory have all of the formats you need.
- Step 1 creates all of the java keys stores on each host.
- Step 2 creates the certificate signing authority and the java truststore you should distribute. Be aware that you will also need to distribute your root certificate in x509 pem format for the agent.
- Step 3 creates the CSR on each host, signs that CSR resulting in a usable client certificate, and imports that certificate into the Java Keystore. Be aware that you will also want to distribute the x509 pem encoded version of each host certificate to the host it belongs to so that it may be used by the agent.
I'd recommend creating a structure similar to this on each node.
On the host you decide to make your CA you should add an additional sub-folder labeled setup with a structure similar to the one below. Keep in mind that this is for example purposes only and you can ultimately use any structure you decide.
Thanks I will look into all of these.
Is there a plan for CM automating a lot of these steps in the future? In summary, what does Auto-TLS in CDH 6.x provide that is not there in 5.15?
Auto TLS in CDH 6 at present simplifies and automates a number of task across supported services in relation to the deployment of TLS. There are still however some manual steps depending on what precisely you are trying to do. We do plan to continue working on Auto TLS to add features and capabilities in the future.
If you are a licenesed customer you should reach out to your account team. We do have other non-public and unoffical tools that can help automate certificate handling for all releases.
Another question here, is it easier to setup Nginx reverse proxy with SSL certs to point to Hadoop services we need to expose like Hue and CM? If so, any CDH specific docs for that. Thanks