Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

mTLS between minifi and EFM

Labels:
avatar
author-rank lyminh
New Contributor

Created ‎02-21-2022 01:20 PM

I'm using self signed certificates for mTLS communication between minifi agents and a stand-alone EFM server. Do I need to put the public keys of each into the others' truststores or is it ok to simply have the root/intermediate CA that was used to sign the public certs in the truststores? So far I haven't been able to establish communication over mTLS for either case, but would like to know so that I can go on and plan on developing infrastructure to automate importing into the EFM truststore all the minifi agent certificates if that is the case. I'm using Cloudera EFM 1.3.1 and Apache minif 1.3.0

 

Thanks,

minh

761 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank araujo author-rank
Super Guru

Created ‎02-21-2022 03:51 PM

Hi, @lyminh ,

 

If you using self-signed certificates you typically have to add them to the truststore. When I say "self-signed", it means that the Subject and the Issuer of the certificate are the same.

 

If you have a CA root (without or without the intermediate) your server certificates are *not* self-signed. They are signed by the CA. In this case the only self-signed certificate is the root. In this scenario, you don't need to put the certificates in the truststore; only the Root CA. The *key*store used by EFM and by MiNiFi, should contain the server certificate AND the intermediate certificate (if there's one).

 

HTH,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

746 Views
0 Kudos
2 REPLIES 2

avatar
author-rank araujo author-rank
Super Guru

Created ‎02-21-2022 03:51 PM

Hi, @lyminh ,

 

If you using self-signed certificates you typically have to add them to the truststore. When I say "self-signed", it means that the Subject and the Issuer of the certificate are the same.

 

If you have a CA root (without or without the intermediate) your server certificates are *not* self-signed. They are signed by the CA. In this case the only self-signed certificate is the root. In this scenario, you don't need to put the certificates in the truststore; only the Root CA. The *key*store used by EFM and by MiNiFi, should contain the server certificate AND the intermediate certificate (if there's one).

 

HTH,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
747 Views
0 Kudos

avatar
author-rank VidyaSargur author-rank
Community Manager

Created ‎03-03-2022 10:21 PM

@lyminh, Has @araujo's reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. 


Regards,

Vidya Sargur,
Community Manager

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
723 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements