Member since
10-04-2020
05-16-2023 03:54 AM
Hi @Ivoz,

You need to have a Cloudera account to access the KB articles. Kindly reach out to the Cloudera Sales team if you are looking for one.

Here is the public doc for AutoTLS Use case 3: https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm-security-use-case-3.html

And yes, you need to use the --trusted-ca-certs option only to add more CA certificates which are used to sign the certificates of external services like LDAPS, if you will be connecting CDP services to LDAPS.
05-16-2023 03:21 AM
Hi @Ivoz,

1. As mentioned in the doc, cm_cert_chain.pem is a combination of the root CA certificate and the CA certificate that is generated by Cloudera Manager.
2. The --trusted-ca-certs option is used to add additional CAs which are used to sign the certificates for services which you will be using with the CDP cluster. For example, LDAPS: in order to authenticate with the LDAPS URL, you need to add the CA used to sign the LDAPS certificate in AutoTLS if that is not the same CA used to sign the Cloudera Manager's intermediate CA certificate.

Kindly note:
- In this use case 2, rotation of the Auto-TLS certificate authority is not supported. Cloudera recommends creating an intermediate CA with a long lifetime. The host certificates can be rotated by using the generateHostCerts API.
- You can apply Use Case 2 only to new Cloudera Manager installations that have not had hosts added or clusters created. If you already added hosts or created clusters, then you can implement only Use case 1 and Use case 3.

So, I would highly recommend you to use AutoTLS use case 3. More details on AutoTLS Use case 3 are in the document below: https://community.cloudera.com/t5/Customer/What-are-the-files-to-be-created-and-used-when-enabling/tac-p/369997#M41087
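Added example, not part of the posts above and not Cloudera code: a plain openssl sketch of the trust relationship behind the --trusted-ca-certs advice in both posts. It shows a server certificate signed by a separate CA failing verification against a bundle that holds only the cluster CA, and passing once that CA is appended. All CA names, subjects and file names are constructed, the openssl CLI is assumed to be on PATH, and Cloudera Manager is never invoked.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file here is made up and lives in a temp dir.
set -u

make_ca() {   # make_ca <name> <subject>: create a throwaway self-signed CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_leaf() { # make_leaf <name> <subject> <ca>: create a leaf certificate signed by <ca>
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

trusts() {    # trusts <bundle> <cert>: exit 0 if <cert> chains to a CA in <bundle>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {  # prints "before=<state> after=<state>" for the two trust bundles
  dir=$(mktemp -d) || return 2
  ( cd "$dir" || exit 2
    make_ca cluster_ca "/CN=Constructed Cluster CA" || exit 2
    make_ca ldaps_ca "/CN=Constructed LDAPS CA" || exit 2
    make_leaf ldaps_server "/CN=ldap.example.test" ldaps_ca || exit 2

    # Trust bundle without, then with, the CA that signed the LDAPS certificate.
    cp cluster_ca.pem trust_before.pem
    cat cluster_ca.pem ldaps_ca.pem > trust_after.pem

    trusts trust_before.pem ldaps_server.pem && before=trusted || before=untrusted
    trusts trust_after.pem ldaps_server.pem && after=trusted || after=untrusted
    echo "before=$before after=$after"
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}

run_demo
```

The same `openssl verify -CAfile` check can be pointed at a real CA bundle and an LDAPS server certificate to confirm whether an additional CA has to be supplied.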