Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
Level 2 of TLS security requires that you provide a server certificate that is signed, either directly or through a chain, by a trusted root certificate authority (CA), to the Cloudera Manager Server. You must also provide the certificate of the CA that signed the Server certificate. For test environments, you can use a self-signed server certificate.
If the Cloudera Manager Server certificate or the associated CA certificate is missing or expired, Agents will not communicate with the Cloudera Manager Server.
Step 1: Configure TLS encryption
If you have not done so, configure TLS encryption to use Level 2 security. For instructions, see Configuring TLS Encryption Only for Cloudera Manager and Level 1: Configuring TLS Encryption for Cloudera Manager Agents.
Step 2: Copy the CA certificate or Cloudera Manager Server .pem file to the Agents
- Agents can verify the Cloudera Manager Server using either the Server certificate or the associated root CA certificate. Do one of the following to proceed:
- Copy the Cloudera Manager Server .pem file to the Agent host
- For verification by the Agent, copy the Server .pem file (for example, cmhost.pem) to any directory on the Agent host. In the examples, this path is /opt/cloudera/security/x509/cmhost.pem.
- On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.
  Property          Description
  verify_cert_file  Point this property to the copied .pem file on the Agent host; in this example, /opt/cloudera/security/x509/cmhost-cert.pem.
  use_tls           Set this property to 1.
OR
- Copy the CA certificates to the Agent host
- If you have a CA-signed certificate, copy the root CA or intermediate CA certificates in PEM format to the Agent host. In the example, the CA certificates are copied to /opt/cloudera/security/CAcerts/*.
- On the Agent host, open the /etc/cloudera-scm-agent/config.ini configuration file and edit the following properties.
  Property         Description
  verify_cert_dir  Point this property to the directory on the Agent host with the copied CA certificates; in the example, /opt/cloudera/security/CAcerts/.
  use_tls          Set this property to 1.
Note: When configuring the verify_cert_dir property, ensure that the openssl-perl package is installed. The openssl-perl package provides the c_rehash command, which is required to generate the Subject Name hash values that are linked to the certificates to make them usable. See the comments in the config.ini file for more information. The following example is for RHEL-compatible systems; the package name for Debian-based systems is the same. After the package is installed, go to the CA certificate path and run the c_rehash command. This generates symbolic links to the certificates in that location, with "." being the current path, as follows:
$ yum -y install openssl-perl
$ cd /opt/cloudera/security/CAcerts/
$ c_rehash .
Doing .
w2k8-1-root.pem => 4507f087.0
w2k8-2-intermediary.pem => 082ba6df.0
$ ls -l
total 8.0K
lrwxrwxrwx 1 root root 23 Oct 6 22:44 082ba6df.0 -> w2k8-2-intermediary.pem
lrwxrwxrwx 1 root root 15 Oct 6 22:44 4507f087.0 -> w2k8-1-root.pem
-rw-r----- 1 root root 2.1K Oct 6 17:23 w2k8-1-root.pem
-rw-r----- 1 root root 2.8K Oct 6 17:23 w2k8-2-intermediary.pem
- Repeat the approach you used in step 1 on every Agent host. You can copy the Agent's config.ini file across all hosts. However, if you modify host-specific properties such as listening_hostname or listening_ip in config.ini, you must configure config.ini for each host individually.
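Because a missing certificate, a use_tls left at 0, or a CA directory that was never re-hashed all fail silently until the Agent stops heartbeating, it helps to check the settings above on each host before restarting anything. The following Python script is an added illustration, not part of Cloudera's documentation or of the Agent's own code: it audits the two properties from this step against the Agent's filesystem. It assumes the keys live in the [General] section of config.ini, that c_rehash names its links with eight hex digits followed by a numeric suffix, and it takes a `root` argument (an assumption for this example) so the same check can run against a staged copy of a host's files; the certificate contents in `demo()` are constructed placeholders.

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# c_rehash names each link <8 hex digits of the subject hash>.<n> (assumed naming).
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def audit_agent_tls(config_text, root="/"):
    """Return a list of findings for an Agent config.ini; empty means Level 2 looks complete."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    # The Agent keeps these keys in the [General] section (assumption for this example).
    section = cp["General"] if cp.has_section("General") else cp.defaults()
    findings = []

    if section.get("use_tls", "0").strip() != "1":
        findings.append("use_tls is not 1: heartbeats would not use TLS at all")

    cert_file = section.get("verify_cert_file", "").strip()
    cert_dir = section.get("verify_cert_dir", "").strip()
    if not cert_file and not cert_dir:
        findings.append("neither verify_cert_file nor verify_cert_dir is set: "
                        "the Agent cannot verify the Server certificate")

    if cert_file:
        path = Path(root) / cert_file.lstrip("/")
        if not path.is_file():
            findings.append(f"verify_cert_file {cert_file} does not exist")
        elif PEM_MARKER not in path.read_text(errors="replace"):
            findings.append(f"verify_cert_file {cert_file} is not a PEM certificate")

    if cert_dir:
        dirpath = Path(root) / cert_dir.lstrip("/")
        if not dirpath.is_dir():
            findings.append(f"verify_cert_dir {cert_dir} does not exist")
        else:
            findings.extend(_check_hash_links(dirpath, cert_dir))
    return findings


def _check_hash_links(dirpath, label):
    """Every .pem in a verify_cert_dir must be reachable through a c_rehash-style link."""
    findings = []
    linked = set()
    for entry in dirpath.iterdir():
        if entry.is_symlink() and HASH_LINK.match(entry.name):
            linked.add(os.path.basename(os.readlink(entry)))
    pems = [e for e in dirpath.iterdir() if e.suffix == ".pem" and not e.is_symlink()]
    if not pems:
        findings.append(f"verify_cert_dir {label} contains no .pem certificates")
    for pem in pems:
        if pem.name not in linked:
            findings.append(f"{pem.name} in {label} has no subject-hash link; run c_rehash")
    return findings


# Constructed config.ini skeleton mirroring the properties discussed on this page.
CONFIG_TEMPLATE = """[General]
server_host = cm.example.internal
use_tls = {use_tls}
{verify}
"""


def demo():
    """Build a constructed tree like the page's CAcerts example and audit four variants."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ca_dir = Path(tmp) / "opt/cloudera/security/CAcerts"
        ca_dir.mkdir(parents=True)
        # Constructed placeholder; a real file carries the base64 DER body.
        fake_pem = f"{PEM_MARKER}\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n"
        (ca_dir / "w2k8-1-root.pem").write_text(fake_pem)
        (ca_dir / "4507f087.0").symlink_to("w2k8-1-root.pem")  # what c_rehash would create

        by_dir = "verify_cert_dir = /opt/cloudera/security/CAcerts/"
        results["ok"] = audit_agent_tls(CONFIG_TEMPLATE.format(use_tls=1, verify=by_dir), root=tmp)
        results["plaintext"] = audit_agent_tls(CONFIG_TEMPLATE.format(use_tls=0, verify=by_dir), root=tmp)
        results["no_verify"] = audit_agent_tls(CONFIG_TEMPLATE.format(use_tls=1, verify=""), root=tmp)

        # An intermediate CA dropped in after c_rehash ran is invisible until re-hashed.
        (ca_dir / "w2k8-2-intermediary.pem").write_text(fake_pem)
        results["stale"] = audit_agent_tls(CONFIG_TEMPLATE.format(use_tls=1, verify=by_dir), root=tmp)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Run it on a host as `python3 audit.py` after pointing `root` at `/`, or point `root` at a copied tree; the "stale" case is the one that bites in practice, since adding a new CA file without re-running c_rehash leaves the Agent unable to find it.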
Step 3: Restart the Cloudera Manager Agents
On every Agent host, restart the Agent:
$ sudo service cloudera-scm-agent restart
Step 4: Restart the Cloudera Management Services
To restart the Cloudera Management Service from the Cloudera Manager Admin Console:
- On the tab, click to the right of the service name and select Restart.
- Click Start on the next screen to confirm. When you see a Finished status, the service has restarted.
Step 5: Verify that the Server and Agents are communicating
In the Cloudera Manager Admin Console, open the Hosts page. If the Agents heartbeat successfully, the Server and Agents are communicating. If not, check the Agent log /var/log/cloudera-scm-agent/cloudera-scm-agent.log, which shows errors if the connection fails.