If you have not done so, configure TLS encryption to use Level 2 security. For instructions, see Configuring TLS Encryption Only for Cloudera Manager and Level 1: Configuring TLS Encryption for Cloudera Manager Agents.

1. Agents can verify the Cloudera Manager Server using either the Server certificate or the associated root CA certificate. Do one of the following to proceed:
   • Copy the Cloudera Manager Server .pem file to the Agent host
     1. For verification by the Agent, copy the Server .pem file (for example, cmhost.pem ) to any directory on the Agent host. In the examples, this path is /opt/cloudera/security/x509/cmhost.pem.
     2. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.

        Property	Description
        verify_cert_file	Point this property to the copied .pem file on the Agent host; in this example, /opt/cloudera/security/x509/cmhost-cert.pem.
        use_tls	Set this property to 1.

     OR

   • Copy the CA certificates to the Agent host
     1. If you have a CA-signed certificate, copy the root CA or intermediate CA certificates in PEM format to the Agent host. In the example, the CA certificates are copied to /opt/cloudera/security/CAcerts/*.
     2. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.

        Property	Description
        verify_cert_dir	Point this property to the directory on the Agent host with the copied CA certificates; in the example, /opt/cloudera/security/CAcerts/.
        use_tls	Set this property to 1.

          Note: When configuring the verify_cert_dir property, ensure that the openssl-perl package is installed. The openssl-perl package comes with the c_rehash command required to generate the Subject Name hash values that will be linked to the certificates to make them usable. See the comments in the config.ini file for more information.

        The following example is for RHEL-compatible systems. The package name for Debian-based systems is the same. After the package is installed, go to the CA certificate path and run the c_rehash command. This generates symbolic links to the certificate in that location, with "." being the current path, as follows:

        $ yum -y install openssl-perl
        $ cd /opt/cloudera/security/CAcerts/ 
        $ c_rehash .
           Doing .
           w2k8-1-root.pem => 4507f087.0
           w2k8-2-intermediary.pem => 082ba6df.0 
        $ls -l 
        total 8.0K 
        lrwxrwxrwx 1 root root   23 Oct  6 22:44 082ba6df.0 -> w2k8-2-intermediary.pem 
        lrwxrwxrwx 1 root root   15 Oct  6 22:44 4507f087.0 -> w2k8-1-root.pem 
        -rw-r----- 1 root root 2.1K Oct  6 17:23 w2k8-1-root.pem 
        -rw-r----- 1 root root 2.8K Oct  6 17:23 w2k8-2-intermediary.pem

2. Repeat the approach you used in step 1 on every Agent host. You can copy the Agent’s config.ini file across all hosts. However, if you modify properties such as listening_hostname or listening_ip address in config.ini, you must configure config.ini for each host individually.

On every Agent host, restart the Agent:

$ sudo service cloudera-scm-agent restart

To restart the Cloudera Management Service from the Cloudera Manager Admin Console:

1. On the Home > Status tab, click to the right of the service name and select Restart.
2. Click Start on the next screen to confirm. When you see a Finished status, the service has restarted.

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If not, check the Agent log /var/log/cloudera-scm-agent/cloudera-scm-agent.log, which shows errors if the connection fails.