Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Enabling Auto-TLS with an intermediate CA signed by an existing Root CA

avatar
author-rank Ivoz
Contributor

Created on ‎05-12-2023 09:41 AM - edited ‎05-12-2023 09:42 AM

Hello, i'm installing a CDP Private Cloud Base 7.1.7 cluster and i have to enable Auto-TLS feature (Use case 2) as described in the cloudera documentation: https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm... At the step 5 of the procedure is possibile to use the optional argument --trusted-ca-certs that as described is an optional argument, and if it is given, then ca-certs.pem should point to a PEM-formatted file containing one or more root CA certificates.
About this i have two questions:
1. Do have i to add also the RootCA used to sign the Intermediate CA certificate?
2. In general why should I add more trusted root CAs? Is it necessary for external client connections that use a specific RootCA?
Thanks.
2,344 Views
0 Kudos
0
2 ACCEPTED SOLUTIONS

avatar
author-rank Manish2800 author-rank
Contributor

Created ‎05-16-2023 03:54 AM

Hi @Ivoz 

You need to have Cloudera account to access the KB articles. Kindy reach out to Cloudera Sales team if you are looking for one.

Here is the public doc for AutoTLS Use case 3 : 

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm...

 

And yes you need to use --trusted-ca-certs option only to add more CA certificates which are used to sign the certificates of external services like LDAPS if you will be connecting CDP services to LDAPS

 

 

View solution in original post

2,279 Views
0 Kudos
0

avatar
author-rank Ivoz
Contributor

Created on ‎05-16-2023 03:58 AM - edited ‎05-16-2023 03:59 AM

Hi @Manish2800 perfect! Thanks for your support!

View solution in original post

2,262 Views
0 Kudos
0
4 REPLIES 4

avatar
author-rank Manish2800 author-rank
Contributor

Created ‎05-16-2023 03:21 AM

Hi @Ivoz.

1. As mentioned on the doc, cm_cert_chain.pem is a combination of the root CA certificate and the CA certificate that is generated by Cloudera Manager.

 

2. --trusted-ca-certs option is used to add additional CA's which are used to sign the certificates for services which you will be using with CDP cluster. For Example. LDAPS, so in order to authenticate with LDAPS URL, you need to add the CA used to sign the LDAPS certificate in AutoTLS if that is not the same CA used to sign the Cloudera manager's intermediate CA certificate.

 

Kindly Note:
- In this use case 2, rotation of the Auto-TLS certificate authority is not supported. Cloudera recommends creating an intermediate CA with a long lifetime. The host certificates can be rotated by using the generateHostCerts API.
- You can apply Use Case 2 only to new Cloudera Manager installations that have not had hosts added or clusters created. If you already added hosts or created clusters, then you can implement only Use case 1 and Use case 3.

 

So, I would highly recommend you to use AutoTLS use case 3. More details on AutoTLS Use case 3 on below document:
https://community.cloudera.com/t5/Customer/What-are-the-files-to-be-created-and-used-when-enabling/t...

2,285 Views
0 Kudos

avatar
author-rank Ivoz
Contributor

Created ‎05-16-2023 03:29 AM

Hi @Manish2800 thank you for your answer, i cannot access to the link:

Ivoz_0-1684232805823.png

So regading the --trusted-ca-certs option, i need to use it only if i have to setup tls connection from cloudera clustera to external services. Is it correct?

Thanks.

Ivo

2,282 Views
0 Kudos

avatar
author-rank Manish2800 author-rank
Contributor

Created ‎05-16-2023 03:54 AM

Hi @Ivoz 

You need to have Cloudera account to access the KB articles. Kindy reach out to Cloudera Sales team if you are looking for one.

Here is the public doc for AutoTLS Use case 3 : 

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm...

 

And yes you need to use --trusted-ca-certs option only to add more CA certificates which are used to sign the certificates of external services like LDAPS if you will be connecting CDP services to LDAPS

 

 

2,280 Views
0 Kudos
0

avatar
author-rank Ivoz
Contributor

Created on ‎05-16-2023 03:58 AM - edited ‎05-16-2023 03:59 AM

Hi @Manish2800 perfect! Thanks for your support!

2,263 Views
0 Kudos
0
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements