I am trying to setup Kerberos on CDH 5.7.2 - Cloudera Express for our development environment. I am following the steps in : https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_intro_kerb.html
Apart of the requirement, is to install TLS Level 1 , before enabling Kerberos. I am using a self signed certificate, so I followed the steps from this link (https://www.cloudera.com/documentation/enterprise/5-7-x/topics/sg_self_signed_tls.html#xd_583c10bfdb...) and then followed STEP 2,3 from (https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_tls_browser.html#xd_583c10bfdbd...)
The management services do not start, I am not sure why its failing - any advice on how to troubleshoot this?
P.S: If I un-tick Run Manager over TLS, the management services comes up. So the problem seems to be with the TLS setup.
Please validate that the Management Service Truststore as outlined in STEP 3  is valid. Since you've enabled Cloudera Manager Server secure console, Cloudera Management Service roles act as HTTPS clients when communicating over HTTPS port 7183, see HTTPS Communication in Cloudera Manager and Cloudera Management Services 
Initial step is to verify if the trusstore is valid and also check the logs under /var/log/cloudera-scm-firehose/
[root@host]# which keytool
# verify the certificate
[root@host] echo | openssl s_client -verify 10 -showcerts -CAfile <(keytool -list -rfc -keystore /location/to/trusstore/truststore.file -storepass REPLACE_THIS_WITH_THE_TRUSTORE_PASSWORD) -connect CLOUDERA_MANAGER_HOST:7183
# look for
Verify return code: 0 (ok)
What, exactly, did you uncheck to be able to start the Management Service?
If it was "Use TLS Encryption for Admin Console" then this is only used to encrypt communication with Cloudera Manager's UI (typically listening on port 7180 for non-secure and 7183 for secure)
That option does not apply to the agent/Cloudera Manager communication, however.
Based on what you describe, I believe the problem may be that once you have set "Use TLS Encryption for Admin Console" and restarted Cloudera Manager, the Cloudera Management Services must trust the Cloudera Manager's server certificate.
In order to configure that trust, you can use the following instructions:
Basically, make sure that you follow all the steps on that page and that the Management Service trust store is configured before restarting the Management Service roles.
In order to encrypt communication between the agents and Cloudera Manager, you then need to proceed to:
My setup is on AWS. The AWS servers have a Internal IP, with a internal FQDN (ip-20-40-45.internal). For the purpose of TLS, We setup a ELASTIC PUBLIC IP, and assigned it a Public FQDN (say manager.example.com)
When I generated the Self-Signed certificate, i used the new public FQDN (manager.example.com)
With the "Use TLS Encryption for Admin Console" - I was successful in running the admin console over SSL.
I then proceeded to enabling "TLS" for the Agents. This is where i faced problems with my setup. The agents are communicating with the server using the INTERNAL IP, where as the certificate is for EXTERNAL IP. So I changed the CM IP in /etc/cloudera-smc-agent/config.ini to manager.example.com. It still didn't help, somewhere its still trying to connect to the INTERNAL IP.
So I figured, why not generate the certificate usign the INTERNAL FQDN (ip-20-40-45.internal) - I repeated all the steps, and it works fine now. Now, all the agents are connecting to the Manager Service Server over TLS.