This is the documentation for Cloudera Enterprise 5.8.x. Documentation for other versions is available at Cloudera Documentation.

Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

Level 2 of TLS security requires that you provide a server certificate that is signed, either directly or through a chain, by a trusted root certificate authority (CA), to the Cloudera Manager Server. You must also provide the certificate of the CA that signed the Server certificate. For test environments, you can use a self-signed server certificate.

If the Cloudera Manager Server certificate or the associated CA certificate is missing or expired, Agents will not communicate with the Cloudera Manager Server.

Step 1: Configure TLS encryption

If you have not done so, configure TLS encryption to use Level 2 security. For instructions, see Configuring TLS Encryption Only for Cloudera Manager and Level 1: Configuring TLS Encryption for Cloudera Manager Agents.

Step 2: Copy the CA certificate or Cloudera Manager Server .pem file to the Agents

  1. Agents can verify the Cloudera Manager Server using either the Server certificate or the associated root CA certificate. Do one of the following to proceed:
    • Copy the Cloudera Manager Server .pem file to the Agent host
      1. For verification by the Agent, copy the Server .pem file (for example, cmhost.pem ) to any directory on the Agent host. In the examples, this path is /opt/cloudera/security/x509/cmhost.pem.
      2. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.
        Property          Description
        verify_cert_file  Point this property to the copied .pem file on the Agent host; in this example, /opt/cloudera/security/x509/cmhost.pem.
        use_tls           Set this property to 1.

      OR

    • Copy the CA certificates to the Agent host
      1. If you have a CA-signed certificate, copy the root CA or intermediate CA certificates in PEM format to the Agent host. In the example, the CA certificates are copied to /opt/cloudera/security/CAcerts/*.
      2. On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.
        Property         Description
        verify_cert_dir  Point this property to the directory on the Agent host with the copied CA certificates; in the example, /opt/cloudera/security/CAcerts/.
        use_tls          Set this property to 1.
          Note: When configuring the verify_cert_dir property, ensure that the openssl-perl package is installed. The openssl-perl package comes with the c_rehash command required to generate the Subject Name hash values that will be linked to the certificates to make them usable. See the comments in the config.ini file for more information.

        The following example is for RHEL-compatible systems. The package name for Debian-based systems is the same. After the package is installed, go to the CA certificate path and run the c_rehash command. This generates symbolic links to the certificate in that location, with "." being the current path, as follows:

        $ yum -y install openssl-perl
        $ cd /opt/cloudera/security/CAcerts/
        $ c_rehash .
        Doing .
        w2k8-1-root.pem => 4507f087.0
        w2k8-2-intermediary.pem => 082ba6df.0
        $ ls -l
        total 8.0K
        lrwxrwxrwx 1 root root   23 Oct  6 22:44 082ba6df.0 -> w2k8-2-intermediary.pem
        lrwxrwxrwx 1 root root   15 Oct  6 22:44 4507f087.0 -> w2k8-1-root.pem
        -rw-r----- 1 root root 2.1K Oct  6 17:23 w2k8-1-root.pem
        -rw-r----- 1 root root 2.8K Oct  6 17:23 w2k8-2-intermediary.pem
  2. Repeat the approach you used in step 1 on every Agent host. You can copy the Agent's config.ini file across all hosts. However, if you modify host-specific properties such as listening_hostname or listening_ip_address in config.ini, you must configure config.ini for each host individually.

Step 3: Restart the Cloudera Manager Agents

On every Agent host, restart the Agent:

$ sudo service cloudera-scm-agent restart

Step 4: Restart the Cloudera Management Services

To restart the Cloudera Management Service from the Cloudera Manager Admin Console:

  1. On the Home > Status tab, click to the right of the service name and select Restart.
  2. Click Start on the next screen to confirm. When you see a Finished status, the service has restarted.

Step 5: Verify that the Server and Agents are communicating

In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If not, check the Agent log /var/log/cloudera-scm-agent/cloudera-scm-agent.log, which shows errors if the connection fails.
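A pre-flight check of the Agent-side settings from Step 2, added here as an example that is not part of the Cloudera documentation: it confirms use_tls=1, that verify_cert_file or verify_cert_dir points at existing PEM material, that nothing has expired (the failure mode noted at the top of this page), and that every CA .pem has the subject-hash link c_rehash creates. It assumes a POSIX shell with sed, and uses the openssl command for the expiry and hash checks only when it is present; run it on each Agent host before the restart in Step 3.

```shell
# Added pre-flight check (not part of the Cloudera documentation) for an Agent's
# config.ini: it confirms use_tls=1, that verify_cert_file / verify_cert_dir point at
# existing PEM material, that no certificate has expired, and that each CA .pem in
# verify_cert_dir has the subject-hash symlink c_rehash creates. Returns 0 or 1.

# Print the value of key $2 from config.ini $1 (commented-out "# key=" lines are ignored).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Return 0 if the PEM certificate $1 is still valid one day from now.
# The openssl checks are skipped (treated as passing) when openssl is not installed.
cert_ok() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -noout -in "$1" -checkend 86400 >/dev/null 2>&1
}
# Return 0 if every .pem in directory $1 has its <subject_hash>.0 link (what c_rehash makes).
rehash_ok() {
    command -v openssl >/dev/null 2>&1 || return 0
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -noout -hash -in "$pem") || return 1
        [ -e "$1/$h.0" ] || { echo "no $h.0 link for $(basename "$pem"); run c_rehash" >&2; return 1; }
    done
}

# Usage: check_agent_tls /etc/cloudera-scm-agent/config.ini
check_agent_tls() {
    ini="$1"
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 1; }
    tls=$(ini_get "$ini" use_tls)
    file=$(ini_get "$ini" verify_cert_file)
    dir=$(ini_get "$ini" verify_cert_dir)
    [ "$tls" = "1" ] || { echo "use_tls is not set to 1" >&2; return 1; }
    [ -n "$file$dir" ] || { echo "neither verify_cert_file nor verify_cert_dir is set" >&2; return 1; }
    if [ -n "$file" ]; then
        [ -f "$file" ] || { echo "verify_cert_file $file does not exist" >&2; return 1; }
        cert_ok "$file" || { echo "$file is expired or not a certificate" >&2; return 1; }
    fi
    if [ -n "$dir" ]; then
        [ -d "$dir" ] || { echo "verify_cert_dir $dir does not exist" >&2; return 1; }
        for pem in "$dir"/*.pem; do
            [ -f "$pem" ] || { echo "no .pem files in $dir" >&2; return 1; }
            cert_ok "$pem" || { echo "$pem is expired or not a certificate" >&2; return 1; }
        done
        rehash_ok "$dir" || return 1
    fi
    echo "OK: the Agent can verify the Cloudera Manager Server with this config.ini"
}
```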

Page generated July 8, 2016.