This is the documentation for Cloudera Enterprise 5.8.x. Documentation for other versions is available at Cloudera Documentation.

Deploying the Cloudera Manager Keystore for Level 1 TLS with Self-Signed Certificates

This topic describes how to perform Step 1: Create the Cloudera Manager Server Keystore, Generate a Certificate Request, and Install the Certificate, but with self-signed certificates.

  1. Create a directory to store the self-signed certificate-key pair that you will create.
    $ mkdir -p /opt/cloudera/security/x509/ /opt/cloudera/security/jks/
    $ cd /opt/cloudera/security/jks
    Use chown/chmod so that the /opt/cloudera/security/jks directory and the keystore you create in it are owned by the user Cloudera Manager Server runs as (cloudera-scm by default) and are not readable by other users: the keystore holds the server's private key.
  2. Generate a self-signed certificate-key pair and save it to a keystore, such as example.keystore. Set -keypass to the same value as -storepass: Cloudera Manager assumes that one password protects both the key and the keystore and does not support different values for -keypass and -storepass. The password cloudera in the example is a placeholder; choose your own.
      Note: The CN entry must match the fully qualified domain name of the Cloudera Manager Server host (the value of hostname -f), or clients fail with java.io.IOException: HTTPS hostname wrong. Replace example.cloudera below with that name. keytool's default validity is 90 days; add -validity <days> if the certificate must last longer.
    $ keytool -genkeypair -keystore example.keystore -keyalg RSA -alias example \
    -dname "CN=example.cloudera" -storepass cloudera -keypass cloudera
  3. Copy the default Java truststore, cacerts, to the alternate truststore jssecacerts in the same directory. Java looks for jssecacerts before cacerts, so you can add self-signed certificates to it without modifying the default cacerts file. Because jssecacerts lives inside the JDK installation, repeat this step after a JDK upgrade or reinstall.
    $ sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
  4. Export the certificate from example.keystore.
    $ keytool -export -alias example -keystore example.keystore -rfc -file selfsigned.cer
  5. Copy the self-signed certificate to the /opt/cloudera/security/x509/ directory (or any location where it can be used by Cloudera Manager).
    $ cp selfsigned.cer /opt/cloudera/security/x509/cmhost.pem
  6. Import the certificate into the alternate Java truststore, so that any Java process on this host trusts it. Repeat this on every host in the cluster. Use the password of the Java truststore, which is changeit by default, not the keystore password from Step 2. The certificate file is still in the /opt/cloudera/security/jks directory where Step 4 created it.
    $ keytool -import -alias example -file /opt/cloudera/security/jks/selfsigned.cer \
    -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit
  7. Rename the keystore to cmhost-keystore.jks (to keep this example consistent with the documentation for CA-signed certificates). You can delete selfsigned.cer, since its contents were copied to /opt/cloudera/security/x509/cmhost.pem in Step 5 and imported into jssecacerts in Step 6.
    $ mv /opt/cloudera/security/jks/example.keystore /opt/cloudera/security/jks/cmhost-keystore.jks
    $ rm /opt/cloudera/security/jks/selfsigned.cer
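The following script is an added example, not part of the Cloudera documentation or of Cloudera Manager. It runs the seven steps above as one function and then checks the result the way you would before enabling HTTPS: that the key can be unlocked with the store password (Cloudera Manager's single-password requirement), that the certificate's subject is CN=<FQDN>, and that the PEM copy and the jssecacerts entry are the same certificate as the one in the keystore. It assumes keytool is on PATH; the alias cmhost, the password cloudera, the 365-day validity and the SAN extension are example choices, and the truststore path is a parameter so the example can be run in a scratch directory instead of $JAVA_HOME/jre/lib/security/jssecacerts.

```shell
#!/bin/sh
# Added example (not Cloudera's script): steps 1-7 as a function, plus checks.
# Assumes keytool on PATH. Alias "cmhost" and the password are example values.
set -eu

# cm_selfsigned_setup BASE FQDN STOREPASS TRUSTSTORE [CACERTS]
# Creates BASE/jks/cmhost-keystore.jks and BASE/x509/cmhost.pem, and adds the
# certificate to TRUSTSTORE (seeded from CACERTS, the JDK default truststore,
# when that path is given and exists; otherwise created fresh).
cm_selfsigned_setup() {
  local base="$1" fqdn="$2" storepass="$3" truststore="$4" cacerts="${5:-}"
  local jks="$base/jks" x509="$base/x509"
  local keystore="$jks/cmhost-keystore.jks"

  # Step 1: directories; the keystore holds the private key, so keep jks private.
  mkdir -p "$jks" "$x509"
  chmod 700 "$jks"

  # Step 2: key pair with -keypass equal to -storepass. CN is the CM host FQDN;
  # a SAN is added because current Java clients and browsers match the hostname
  # against the SAN, and -validity because keytool's default is only 90 days.
  keytool -genkeypair -storetype JKS -keystore "$keystore" -keyalg RSA -keysize 2048 \
    -alias cmhost -dname "CN=$fqdn" -ext "SAN=dns:$fqdn" -validity 365 \
    -storepass "$storepass" -keypass "$storepass" 2>/dev/null

  # Step 3: the alternate truststore starts as a copy of cacerts (password changeit).
  if [ -n "$cacerts" ] && [ -f "$cacerts" ]; then
    cp "$cacerts" "$truststore"
  fi

  # Steps 4-5: export the certificate as PEM (-rfc) and keep a copy for CM.
  keytool -exportcert -rfc -alias cmhost -keystore "$keystore" -storepass "$storepass" \
    -file "$jks/selfsigned.cer" 2>/dev/null
  cp "$jks/selfsigned.cer" "$x509/cmhost.pem"

  # Step 6: trust the certificate (the truststore is created if it does not exist).
  keytool -importcert -noprompt -alias cmhost -file "$jks/selfsigned.cer" \
    -keystore "$truststore" -storepass changeit 2>/dev/null

  # Step 7: the exported file is no longer needed.
  rm "$jks/selfsigned.cer"
}

# cm_verify_tls_material BASE FQDN STOREPASS TRUSTSTORE
# Returns 0 only if the key unlocks with the store password, the certificate
# subject is CN=FQDN, and keystore, PEM copy and truststore hold the same cert.
cm_verify_tls_material() {
  local base="$1" fqdn="$2" storepass="$3" truststore="$4"
  local keystore="$base/jks/cmhost-keystore.jks" pem="$base/x509/cmhost.pem"
  local owner ks_cert ts_cert

  # Key password == store password: -certreq needs the key, so it fails otherwise.
  keytool -certreq -alias cmhost -keystore "$keystore" -storepass "$storepass" \
    -keypass "$storepass" >/dev/null 2>&1 || return 1

  # Subject CN must be the name clients connect to (avoids "HTTPS hostname wrong").
  owner="$(keytool -printcert -file "$pem" 2>/dev/null | sed -n 's/^Owner: //p' | head -n 1)"
  [ "$owner" = "CN=$fqdn" ] || return 1

  # Keystore certificate, PEM copy and truststore entry must be identical.
  ks_cert="$(keytool -exportcert -rfc -alias cmhost -keystore "$keystore" -storepass "$storepass" 2>/dev/null)"
  ts_cert="$(keytool -exportcert -rfc -alias cmhost -keystore "$truststore" -storepass changeit 2>/dev/null)"
  [ -n "$ks_cert" ] || return 1
  [ "$ks_cert" = "$ts_cert" ] || return 1
  [ "$ks_cert" = "$(cat "$pem")" ] || return 1
  return 0
}

# Example invocation on the Cloudera Manager host (example values):
#   cm_selfsigned_setup /opt/cloudera/security "$(hostname -f)" cloudera \
#       "$JAVA_HOME/jre/lib/security/jssecacerts" "$JAVA_HOME/jre/lib/security/cacerts"
#   cm_verify_tls_material /opt/cloudera/security "$(hostname -f)" cloudera \
#       "$JAVA_HOME/jre/lib/security/jssecacerts" && echo OK
```

The -certreq check is deliberate: it is the cheapest way to prove the key password equals the store password without modifying the keystore, and a mismatch is exactly what makes Cloudera Manager fail to start after TLS is enabled. Run the verify function on every host where you repeated Step 6.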

To continue setting up Level 1 TLS, go back to Step 2: Enable HTTPS for the Cloudera Manager Admin Console and Specify Server Keystore Properties.

Page generated July 8, 2016.