TLS Configuration to setup Kerberos


Contributor

I am trying to set up Kerberos on CDH 5.7.2 (Cloudera Express) for our development environment. I am following the steps in: https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_intro_kerb.html

 

Part of the requirement is to set up TLS Level 1 before enabling Kerberos. I am using a self-signed certificate, so I followed the steps from this link (https://www.cloudera.com/documentation/enterprise/5-7-x/topics/sg_self_signed_tls.html#xd_583c10bfdb...) and then followed steps 2 and 3 from (https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_tls_browser.html#xd_583c10bfdbd...).

 

The management services do not start, and I am not sure why they are failing. Any advice on how to troubleshoot this?

 

P.S.: If I untick "Run Manager over TLS", the management services come up. So the problem seems to be with the TLS setup.


Re: TLS Configuration to setup Kerberos

Super Collaborator

Please validate that the Management Service truststore, as outlined in STEP 3 [0], is valid. Since you've enabled the Cloudera Manager Server secure console, the Cloudera Management Service roles act as HTTPS clients when communicating over HTTPS port 7183; see HTTPS Communication in Cloudera Manager and Cloudera Management Services [1].

 

The initial step is to verify that the truststore is valid, and also to check the logs under /var/log/cloudera-scm-firehose/.

[root@host]# which keytool
/usr/java/jdk1.7.0_67-cloudera/bin/keytool

# Verify the certificate: export every certificate in the Management Service
# truststore as PEM (keytool -list -rfc) and use that as the only trust anchor
# for a TLS handshake against the secure console on port 7183. The <( ... )
# process substitution requires bash; openssl skips the non-PEM alias lines.

[root@host]# echo | openssl s_client -verify 10 -showcerts -CAfile <(keytool -list -rfc -keystore /location/to/truststore/truststore.file -storepass REPLACE_THIS_WITH_THE_TRUSTSTORE_PASSWORD) -connect CLOUDERA_MANAGER_HOST:7183

# Look for the following in the output; any other return code means the
# truststore does not contain a certificate that validates the server's chain.

...

    Verify return code: 0 (ok)

...

 

[0] https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_tls_browser.html#concept_pzt_g1...

[1] https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_roles_interact_ssl.html#concept...

Re: TLS Configuration to setup Kerberos

Super Guru

Hello,

 

What, exactly, did you uncheck to be able to start the Management Service?

 

If it was "Use TLS Encryption for Admin Console", then this is only used to encrypt communication with Cloudera Manager's UI (typically listening on port 7180 for non-secure and 7183 for secure).

 

That option does not apply to the agent/Cloudera Manager communication, however.

Based on what you describe, I believe the problem may be that once you have set "Use TLS Encryption for Admin Console" and restarted Cloudera Manager, the Cloudera Management Services must trust the Cloudera Manager's server certificate.

 

In order to configure that trust, you can use the following instructions:

 

https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_tls_browser.html#concept_pzt_g1...

 

Basically, make sure that you follow all the steps on that page and that the Management Service trust store is configured before restarting the Management Service roles.

 

In order to encrypt communication between the agents and Cloudera Manager, you then need to proceed to:

https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_config_tls_encr.html

 

Ben

 

Re: TLS Configuration to setup Kerberos

Contributor

My setup is on AWS. The AWS servers have an internal IP with an internal FQDN (ip-20-40-45.internal). For the purpose of TLS, we set up an Elastic public IP and assigned it a public FQDN (say manager.example.com).

 

When I generated the self-signed certificate, I used the new public FQDN (manager.example.com).

 

With the "Use TLS Encryption for Admin Console" - I was successful in running the admin console over SSL. 

 

I then proceeded to enable TLS for the agents. This is where I faced problems with my setup. The agents are communicating with the server using the INTERNAL IP, whereas the certificate is for the EXTERNAL IP. So I changed the CM host in /etc/cloudera-scm-agent/config.ini to manager.example.com. It still didn't help; somewhere it's still trying to connect to the INTERNAL IP.

 

So I figured, why not generate the certificate using the INTERNAL FQDN (ip-20-40-45.internal)? I repeated all the steps, and it works fine now. Now all the agents are connecting to the Cloudera Manager Server over TLS.


Re: TLS Configuration to setup Kerberos

Contributor

All that being said, when we go into production we want to have a PUBLIC FQDN for the manager and the edge nodes. I am not sure how to go about setting that up with TLS, with all these internal IP conflicts going on. Has anyone else faced similar issues setting up Cloudera on AWS?
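The failure described in the last two posts is ordinary TLS hostname verification: a client that connects to ip-20-40-45.internal will reject a certificate issued only for manager.example.com, whichever address it resolves to. A certificate whose subjectAltName lists both names is accepted for either. The script below is an added example, not code from the thread or from Cloudera's documentation: it mints such a self-signed certificate with the openssl CLI (1.1.1 or later for -addext) and then runs the same kind of check as the s_client command in the first reply, only offline, with `openssl verify -CAfile` playing the role of the truststore and `-verify_hostname` playing the role of the connecting client. The two hostnames are the thread's own examples; the working directory, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example: one certificate that satisfies both the internal and the
# public hostname, verified the way a TLS client would verify it.
# Assumes the openssl CLI (1.1.1+) is installed; WORKDIR is an assumption.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
INTERNAL_FQDN="ip-20-40-45.internal"   # name the agents connect to
PUBLIC_FQDN="manager.example.com"      # name browsers/edge nodes use

# make_cert: self-signed RSA-2048 certificate, CN = public name, and a
# subjectAltName carrying BOTH names (clients ignore the CN once SANs exist).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORKDIR/cm.key" -out "$WORKDIR/cm.pem" \
    -subj "/CN=$PUBLIC_FQDN" \
    -addext "subjectAltName=DNS:$PUBLIC_FQDN,DNS:$INTERNAL_FQDN" \
    >/dev/null 2>&1
}

# check_host NAME: exit 0 only if (a) the certificate chains to the trust
# file and (b) NAME matches one of its SAN entries; nonzero otherwise.
# For a self-signed cert the trust file is the cert itself; in Cloudera
# Manager it is the certificate the Management Service truststore holds.
check_host() {
  openssl verify -CAfile "$WORKDIR/cm.pem" -verify_hostname "$1" \
    "$WORKDIR/cm.pem" >/dev/null 2>&1
}

# show_sans: print the SAN extension so the operator can eyeball coverage.
show_sans() {
  openssl x509 -in "$WORKDIR/cm.pem" -noout -ext subjectAltName
}

make_cert
show_sans
check_host "$INTERNAL_FQDN"    && echo "ok: $INTERNAL_FQDN accepted"
check_host "$PUBLIC_FQDN"      && echo "ok: $PUBLIC_FQDN accepted"
check_host "other.example.net" || echo "expected: other.example.net rejected (hostname mismatch)"
```

A certificate issued for only one of the two names would fail `check_host` for the other, which is exactly what happened when the agents, configured with the internal name, were handed a certificate for the public one. When the certificate comes from an internal or public CA rather than being self-signed, replace the -CAfile argument with that CA's certificate (the same PEM that goes into the Management Service truststore) and keep the hostname check as written.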