@mohammad_shamim Please use below sample curl command to renew the certs. curl -i -v -uadmin:admin -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "location" : "/opt/cloudera/AutoTLS", "customCA" : true, "interpretAsFilenames" : true, "cmHostCert" : "/tmp/auto-tls/certs/ccycloud-7.vcdp71.root.hwx.site.pem", "cmHostKey" : "/tmp/auto-tls/keys/ccycloud-7.vcdp71.root.hwx.site-key.pem", "caCert" : "/tmp/auto-tls/ca-certs/cfssl-chain-truststore.pem", "keystorePasswd" : "/tmp/auto-tls/keys/key.pwd", "truststorePasswd" : "/tmp/auto-tls/ca-certs/truststore.pwd", "trustedCaCerts" : "/tmp/auto-tls/ca-certs.pem", //This is a path to a PEM file on the Cloudera Manager host which contains a list of CA certificates that should be imported into the truststores of all hosts. This is an optional field. "hostCerts" : [ { "hostname" : "ccycloud-7.vcdp71.root.hwx.site", "certificate" : "/tmp/auto-tls/certs/ccycloud-7.vcdp71.root.hwx.site.pem", "key" : "/tmp/auto-tls/keys/ccycloud-7.vcdp71.root.hwx.site-key.pem" }, { "hostname" : "ccycloud-3.vcdp71.root.hwx.site", "certificate" : "/tmp/auto-tls/certs/ccycloud-3.vcdp71.root.hwx.site.pem", "key" : "/tmp/auto-tls/keys/ccycloud-3.vcdp71.root.hwx.site-key.pem" }, { "hostname" : "ccycloud-2.vcdp71.root.hwx.site", "certificate" : "/tmp/auto-tls/certs/ccycloud-3.vcdp71.root.hwx.site.pem", "key" : "/tmp/auto-tls/keys/ccycloud-3.vcdp71.root.hwx.site-key.pem" }, { "hostname" : "ccycloud-1.vcdp71.root.hwx.site", "certificate" : "/tmp/auto-tls/certs/ccycloud-1.vcdp71.root.hwx.site.pem", "key" : "/tmp/auto-tls/keys/ccycloud-1.vcdp71.root.hwx.site-key.pem" } ], "configureAllServices" : "true", "sshPort" : 22, "userName" : "root", "password" : "cloudera" }' 'http://ccycloud-7.vcdp71.root.hwx.site:7180/api/v41/cm/commands/generateCmca' ////This link is valid if you have not enabled TLS in the Cloudera Manager UI. If you enable TLS for the same deployment in the Cloudera Manager UI later, the port number and the protocol changes for the API calls and for accessing the link from a browser. In such a scenario, the correct API call is as follows: https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/cm/commands/generateCmca. ... View more

Hi @mohammad_shamim  Thank you for reaching out to the Cloudera community. Since you mentioned you have generated csr for all hosts, I am assuming you are using auto-tls use-case:3 (CA signed certificates) You can renew the certificates using 2 methods. 1. generateCmca API 2. addCustomCerts API Below is the documentation for renewing both the methods. 1. https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm-security-use-case-3.html#:~:text=Refer%20the%20example%20API%20given%20below.%20Customize%20this%20API%20to%20match%20the%20deployment%20that%20has%20been%20set%20up%20and%20then%20run%20the%20API. 2. https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encryption-reference/topics/security-rotate-auto-tls-ca-and-host-certificates.html#pnavId2 Please let me what doubts you have in the documentation. Regards, JP ... View more

@ishashrestha Cloudera Manager tracks parcel state centrally in its DB (AVAILABLE_REMOTELY, DOWNLOADED, DISTRIBUTED, ACTIVATED, etc.).So even if the parcel bits are already present on the host, Agent will redistribute it.Also managing parcels is agents responsibility.It performs a lot of background tasks in parcel lifecycle. In Distribution phase it compares the .sha file (from the repo) with the .parcel file in the cache.This ensures no corruption or mismatch and then extracts parcel (.parcel is tarball). In activation phase creates/update symlinks in parcel directory, /etc/alternatives and in /var/lib/alternatives.Also creates service users which is needed service installation. If any of these don’t line up, CM will re-trigger distribution/activation even if the bits are there. ... View more

@Dalier Did the response assist in resolving your query? If it did, please mark the relevant reply as the solution, as it will help others locate the answer more easily in the future.  ... View more

@Dalier  Thank you for reaching out to the Cloudera community. Key Trustee Server and Key HSM depend on the bigtop-utils package, which is included in the CDH repository. But you have created the local repository for Cloudera manager. If Cloudera manager is installed already on both the VM's.Please create a local repository for keytrustee-keyhsm. https://archive.cloudera.com/p/cdh7/7.1.9.1000/keytrustee-keyhsm/ ... View more

Hi @jshng The KB has the same steps which in mentioned in my last comment.I just added the link for your reference. Regards, JP ... View more

@Alfa6 CDP 7.1.1 to 7.1.9 is not a supported upgrade path. You can upgrade the cluster to CDP Private Cloud Base 7.1.9 from CDP 7.1.8/7.1.7 SP2/7.1.7 For more information on the supported upgrade paths, see Supported in-place upgrade paths.   ... View more