Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

"Enabling Server Certificate Verification on Cloudera Manager Agents" with self-signed certificates

Labels:
avatar
author-rank IgorYakushin
Contributor

Created ‎02-23-2017 06:11 PM

If I am using self-signed certificates, how can I do "Enabling Server Certificate Verification on Cloudera Manager Agents" from

https://www.cloudera.com/documentation/enterprise/latest/topics/how_to_configure_cm_tls.html#topic_3

?

 

I do not have /opt/cloudera/security/pki/rootca.cert.pem. Instead I have on each host:

/opt/cloudera/security/x509/<hostname>.{pem,key}

/opt/cloudera/security/jks/<hostname>.keystore
/opt/cloudera/security/jks/Hadoop2.truststore

 

Should I copy /opt/cloudera/security/x509/<CM server hostname>.{pem,key} into /opt/cloudera/security/pki/rootca.cert.pem on each host?

 

What does the terminology mean: root certificate, intermediate certificate?

 

If I do not procede with TLS configuration any further, will I still be able to use Kerberos?

 

 

2,554 Views
0 Kudos
3 REPLIES 3

avatar
author-rank IgorYakushin
Contributor

Created ‎02-23-2017 09:14 PM

I guess, I can try to follow the instructions here

https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

to create self-signed root certificate and use it to sign host certificates... 

 

It looks like there is also a way to do it with keytool

 

2,544 Views
0 Kudos

avatar
mbigelow author-rank
Champion

Created ‎02-24-2017 01:13 PM

You could do that and create your own CA cert and then use that to sign your server certs.

You should be able to copy the CM self-sign certificate to each hosts and configure that as well. Just the cert, PEM file, not the key.

You will need to have this set up so that the Agents can talk to CM over TLS to move the keytabs around, if using the wizard. If you are not using the wizard you can still configure Kerberos and use it without going any further.
2,509 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎02-24-2017 05:22 PM

Hi @IgorYakushin,

 

To add to what @mbigelow mentioned, you can enable Kerberos without using TLS to secure communication between your agents and Cloudera Manager, but that would allow the kerberos keytabs to be transmitted from Cloudera Manager to your agents in the clear (risking a malicious party gaining access to your ketyab).

 

Most of the security you will likley need is taken care of by inabling TLS for Agent communication in this section:

Configuring TLS Encryption for Cloudera Manager Agents

 

This will encrypt communication when the agent gets the keytabs and other files from CM.

 

If you want more security by having the agents do verification of Cloudera Manager's certificate signer and hostname, then you can configure your trust file for each agent (to trust the CM signer).

 

In summary, you don't need to have TLS enabled to enable Kerberos.  If you need to protect the keytabs, enable TLS Encryption for Agents.

If you need higher security by having the agents trust the signer of the Cloudera Manager server certificate, you can proceed with the other steps:

https://www.cloudera.com/documentation/enterprise/latest/topics/how_to_configure_cm_tls.html#topic_3

 

Ben

 

 

2,496 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements