
cloudera agent TLS configuration

Contributor
Hello.
I'm trying to use my own certs from a CA (I converted them to the right format).
I've already configured TLS for the Cloudera Manager server (when I sign in at https://{MASTER_IP}:7183 I can see it).
File cm_init.txt:

setsettings AGENT_TLS true
setsettings WEB_TLS true
setsettings NEED_AGENTS_VALIDATION true
setsettings AUTO_TLS_TYPE NONE
setsettings KEYSTORE_PATH /opt/agentcerts/MYKEYSTORE.jks
setsettings KEYSTORE_PASSWORD MYPASSWORD
setsettings TRUSTSTORE_PATH /opt/agentcerts/MYTRUSTSTORE.jks
setsettings TRUSTSTORE_PASSWORD MYPASSWORD
I also used them for the Hue web UI and the Hue Load Balancer; that works too.
But I need to configure the certs for the agents too, because I don't see the status of my agents (Hosts -> All Hosts tab).
I changed the file /etc/cloudera-scm-agent/config.ini; the main changes in it are:

use_tls=1
verify_cert_file=/opt/agentcerts/MYCERT.pem
client_key_file=/opt/agentcerts/MYKEY.pem
client_keypw_file=/opt/agentcerts/KEYPASS.pw
client_cert_file=/opt/agentcerts/MYCERT.pem
verify_cert_dir=/opt/agentcerts/
But in the log file /var/log/cloudera-scm-agent/cloudera-scm-agent.log I still see the default config when it starts:

[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO     Agent Logging Level: INFO
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO     Agent config:
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.max_cert_depth = 9
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.use_tls = 0
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.client_cert_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-host_cert_chain.pem
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.verify_cert_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-in_cluster_ca_cert.pem
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.client_key_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-host_key.pem
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.client_keypw_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-host_key.pw
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.cm_auto_cert_dir = /var/lib/cloudera-scm-agent/agent-cert

In particular, I don't know why I see use_tls=0 in the log.
1 ACCEPTED SOLUTION

Contributor

Miracle!

It started working when I deleted the file "config.ini.orig" from the folder /etc/cloudera-scm/agent/.

Now there is only the "config.ini" file there.
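The question shows the agent's start-up "Agent config:" dump disagreeing with what was written to config.ini, and the accepted answer traces it to a leftover config.ini.orig beside it. The following check, added here as an example and not part of the thread or of Cloudera's tooling, parses the [Security] section the operator intended, parses the values the agent actually logged at start, reports every option that was not applied, and lists leftover config.ini.* copies in the agent's config directory. The log excerpt and INI text are constructed from the values quoted in the question; the directory path is an assumption.

```python
import configparser
import re
from pathlib import Path

# Constructed [Security] section mirroring the config.ini edits in the question.
SAMPLE_CONFIG_INI = """
[Security]
use_tls=1
verify_cert_file=/opt/agentcerts/MYCERT.pem
client_key_file=/opt/agentcerts/MYKEY.pem
client_keypw_file=/opt/agentcerts/KEYPASS.pw
client_cert_file=/opt/agentcerts/MYCERT.pem
"""

# Constructed log excerpt modelled on the "Agent config:" dump in the question.
SAMPLE_LOG = """\
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO     Agent config:
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.use_tls = 0
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.client_cert_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-host_cert_chain.pem
[14/Sep/2020 14:09:36 +0000] 2560 MainThread agent        INFO      Security.verify_cert_file = /var/lib/cloudera-scm-agent/agent-cert/cm-auto-in_cluster_ca_cert.pem
"""

LOG_KV = re.compile(r"INFO\s+Security\.(\w+) = (.*)$")

def expected_from_ini(text):
    """Return the [Security] options the operator put in config.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["Security"])

def effective_from_log(text):
    """Return the Security.* values from the last 'Agent config:' dump in the log."""
    eff = {}
    for line in text.splitlines():
        if line.rstrip().endswith("Agent config:"):
            eff = {}  # each agent start writes a fresh dump; keep only the latest
        m = LOG_KV.search(line)
        if m:
            eff[m.group(1)] = m.group(2).strip()
    return eff

def mismatches(expected, effective):
    # option -> (wanted, effective) for every option the running agent did not apply
    return {k: (v, effective.get(k)) for k, v in expected.items() if effective.get(k) != v}

def stray_config_files(conf_dir):
    """List leftover copies beside config.ini (e.g. config.ini.orig); assumed dir path."""
    d = Path(conf_dir)
    return sorted(p.name for p in d.glob("config.ini.*")) if d.is_dir() else []
```

On a real host, feed it the agent log and config.ini and run `stray_config_files("/etc/cloudera-scm-agent")`; an empty mismatch dict after restart means the TLS settings were picked up.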


8 REPLIES

Moderator

Hello @Yuriy_but ,

thank you for reaching out to the Community. What is the CDH version you are using, please?

For CDH6.3 please find here the related documentation on how to manually configure TLS Encryption for CM.

Did you follow the steps from the documentation, please?

Thank you:
Ferenc


Ferenc Erdelyi, Technical Solutions Manager

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.


Contributor

I have enabled TLS Encryption for agents, but when I change the file "/etc/cloudera-scm-agent/config.ini" to use_tls=1 and use the path to my CA certs, it doesn't apply; in the log I see the parameters "use_tls=0 and standard auto_tls path to files".

Moderator

Hello @Yuriy_but ,

thank you for this information.

Did you enable "Use TLS Encryption for Agents" on CM, please?

Did you restart both CM and the agent on the host after making these changes?

To verify if the configuration change worked the documentation describes:

"In the Cloudera Manager Admin Console, go to Hosts > All Hosts. If you see successful heartbeats reported in the Last Heartbeat column after restarting the agents, TLS encryption is working properly."

Kind regards:

Ferenc



Contributor

Here are some photos (sorry for the quality, the machine has no internet access):

1) Log file /var/log/cloudera-scm-agent/cloudera-scm-agent.log

photo_2020-09-17_12-53-55.jpg

2) Administration -> Settings -> TLS in CM:

photo_2020-09-17_12-55-19.jpg

3) Configuration file /etc/cloudera-scm-agent/config.ini

photo_2020-09-17_12-57-50.jpg

Moderator

Hello @Yuriy_but ,

thank you for the screenshots.

Based on the log I would intuitively expect that if the agent was able to read the new configs, the "Agent config" section would reflect your TLS configuration; however, it shows neither the verify cert file nor the enabled TLS setting.

I guess you've tried to restart the agent already. Would you mind attempting to hard restart the agent to see if it transitioned into a bad state, so the restart did not work?

"Warning: The hard_stop and hard_restart commands kill all running managed service processes on the host(s) where the command is run."

Please let us know if the agent is able to read the updated configurations after a hard restart.

Thank you:
Ferenc


Contributor

I did it, but it doesn't work.

I don't know; for the Cloudera server everything is OK, but for the agents it doesn't work.

(Example for the CM admin console; for Hue it looks like this too.)

photo_2020-09-17_14-42-25.jpg


Moderator

Hello @Yuriy_but ,

it is good to hear you found the solution and it works for you now!

Best regards:

Ferenc

