Enabling Auto-TLS with an intermediate CA signed by an existing Root CA

Explorer
Hello, I'm installing a CDP Private Cloud Base 7.1.7 cluster and I have to enable the Auto-TLS feature (Use case 2) as described in the Cloudera documentation: https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm... At step 5 of the procedure it is possible to use the optional argument --trusted-ca-certs, which, as described, is an optional argument; if it is given, then ca-certs.pem should point to a PEM-formatted file containing one or more root CA certificates.
About this i have two questions:
1. Do I also have to add the Root CA used to sign the Intermediate CA certificate?
2. In general, why should I add more trusted root CAs? Is it necessary for external client connections that use a specific Root CA?
Thanks.
4 REPLIES

Contributor

Hi @Ivoz.

1. As mentioned in the doc, cm_cert_chain.pem is a combination of the root CA certificate and the CA certificate that is generated by Cloudera Manager.


2. The --trusted-ca-certs option is used to add additional CAs which are used to sign the certificates for services you will be using with the CDP cluster. For example, LDAPS: in order to authenticate with an LDAPS URL, you need to add the CA used to sign the LDAPS certificate in Auto-TLS if it is not the same CA used to sign Cloudera Manager's intermediate CA certificate.


Kindly Note:
- In this use case 2, rotation of the Auto-TLS certificate authority is not supported. Cloudera recommends creating an intermediate CA with a long lifetime. The host certificates can be rotated by using the generateHostCerts API.
- You can apply Use Case 2 only to new Cloudera Manager installations that have not had hosts added or clusters created. If you already added hosts or created clusters, then you can implement only Use case 1 and Use case 3.


So, I would highly recommend that you use Auto-TLS use case 3. More details on Auto-TLS use case 3 are in the document below:
https://community.cloudera.com/t5/Customer/What-are-the-files-to-be-created-and-used-when-enabling/t...
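As an added illustration (not from this thread and not Cloudera's own tooling), the script below builds a throwaway PKI with openssl that mirrors the two files discussed above: cm_cert_chain.pem (the Cloudera Manager intermediate CA plus the root that signed it) and ca-certs.pem (a separate root, standing in here for the CA that signed an LDAPS server certificate). It then checks which leaf certificates each bundle can validate. All CA names, hostnames and the temporary directory layout are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI. File names mirror the documentation's naming
# (cm_cert_chain.pem, ca-certs.pem) but every certificate is generated fresh
# in a temp directory; nothing is taken from a real cluster.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# gen_root PREFIX CN : self-signed root CA (explicit CA extensions via extfile)
gen_root() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -sha256 -days 365 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# gen_signed PREFIX CN ISSUER_PREFIX IS_CA(yes|no) : key + CSR signed by ISSUER
gen_signed() {
    if [ "$4" = "yes" ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$WORK/$1.ext"
    else
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\n' \
            "$2" > "$WORK/$1.ext"
    fi
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# build_demo_pki : corporate root -> CM intermediate -> cluster host cert,
# plus an unrelated vendor root -> LDAPS server cert. Writes the two bundles.
build_demo_pki() {
    gen_root corp_root "Corp Root CA" &&
    gen_signed cm_intermediate "CM Auto-TLS Intermediate CA" corp_root yes &&
    gen_signed host01 "host01.example.internal" cm_intermediate no &&
    gen_root ldap_root "Directory Vendor Root CA" &&
    gen_signed ldap "ldap.example.internal" ldap_root no || return 1
    # cm_cert_chain.pem: intermediate CA + the root that signed it
    cat "$WORK/cm_intermediate.pem" "$WORK/corp_root.pem" > "$WORK/cm_cert_chain.pem"
    # ca-certs.pem: extra root(s) handed to --trusted-ca-certs (here the LDAP vendor root)
    cat "$WORK/ldap_root.pem" > "$WORK/ca-certs.pem"
    # what the cluster trusts once both files are supplied
    cat "$WORK/cm_cert_chain.pem" "$WORK/ca-certs.pem" > "$WORK/effective_truststore.pem"
}

# verify_against BUNDLE LEAF : exit 0 iff LEAF chains to a root in BUNDLE
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    build_demo_pki || { echo "PKI setup failed"; return 1; }
    for pair in "cm_cert_chain.pem host01.pem" "cm_cert_chain.pem ldap.pem" \
                "ca-certs.pem host01.pem" "effective_truststore.pem ldap.pem"; do
        set -- $pair
        if verify_against "$WORK/$1" "$WORK/$2"; then r=OK; else r=REJECTED; fi
        printf '%-26s verifying %-12s -> %s\n' "$1" "$2" "$r"
    done
}

demo
```

The middle two checks carry the answer's point: a leaf signed by a CA outside the CM chain is rejected until that CA's root is added through ca-certs.pem, and the extra root on its own validates none of the cluster's host certificates, so the chain file is always required and --trusted-ca-certs only widens what the cluster will trust.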

Explorer

Hi @Manish2800, thank you for your answer. I cannot access the link.

So regarding the --trusted-ca-certs option, I need to use it only if I have to set up TLS connections from the Cloudera cluster to external services. Is that correct?

Thanks.

Ivo
