by  Oleksandra Klevets

Enabling TLS Level 1 Encryption for Cloudera Manager

clock-icon-white  4 min read

Keeping up with our Cloudera tech tips, here’s a detailed guide describing how to configure TLS Level 1 encryption for Cloudera Manager with self-signed certificate.

Transport Layer Security (TLS) Level 1 encryption configuration consists of the following elements:

  • TLS encryption Only for Cloudera Manager, which provides secure communication via HTTPS between Web browser running the Cloudera Manager Admin Console and the Cloudera Manager Server
  • TLS encryption for Cloudera Manager Agents that prevents snooping of commands and controls within the ongoing communication between Cloudera Agents and Manager

To establish secure communication of keytabs between the Cloudera Manager Server and Agents across the cluster, make sure TSL Level 1 encryption is setup before kerberizing a cluster.


Proper DNS setup on all cluster nodes is a must-have prerequisite for TLS configuration (as well as further Kerberos configuration). So, go through all the commands below and make sure they return the same values on all cluster nodes:

nslookup <node IP address>

Step 1. Generating and installing the self-signed certificate

Perform the following steps on Cloudera Manager Server host:

1.1. Check if JAVA_HOME environment variable is set and points to Oracle JDK, not to OpenJDK. If not, set JAVA_HOME:

export JAVA_HOME=/usr/java/jdk1.7.0_67-cl oudera
export PATH=$JAVA_HOME/bin:$PATH


1.2. Create a directory to store a to-be-created self-signed certificate-key pair.

mkdir -p /opt/cloudera/security/{x509,jks,CAcerts}
chown -R cloudera-scm:cloudera-scm /opt/cloudera/security


1.3. Change directory to /opt/cloudera/security/jks:

cd /opt/cloudera/security/jks

1.4. Generate a self-signed certificate-key pair and save it to a keystore (for example, cms.keystore). Then, set validity of your certificate (in this case it’s 365). Make sure that a CN entry matches with a fully-qualified domain name of the Cloudera Manager server (you may check it by issuing hostname command), or you will get the HTTPS hostname wrong exception.

keytool -genkeypair -keystore cms.keystore -keyalg RSA -alias cms -dname
"CN=" -storepass cloudera -keypass cloudera -validity 365


1.5. Copy default Java truststore, cacerts, to the alternate truststore at the same location, jssecacerts. You may append any self-signed certificates to this truststore without modifying a default cacerts file.

cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts

1.6. Export the certificate from cms.keystore:

keytool -export -alias cms -keystore cms.keystore -rfc -file /opt/cloudera/security/selfsigned.cer -storepass cloudera

1.7. Copy the self-signed certificate to the /opt/cloudera/security/x509/ directory (or any other location where it can be used by Cloudera Manager).

cp /opt/cloudera/security/selfsigned.cer /opt/cloudera/security/x509/cmhost.pem chown cloudera-scm:cloudera- scm /opt/cloudera/security/x509/cmhost.pem

1.8. Important: Copy selfsigned.cer file to all cluster nodes to /tmp directory (using scp or sftp) and perform further steps on all cluster nodes.

Import the public key into the alternate Java truststore, so that any process running with Java on this machine trusts the key (this is needed, for example, for Cloudera Management Services). Default password for Java truststore is changeit (DO NOT change it in the command). Before running the following command, make sure that JAVA_HOME points to Oracle JDK.

keytool -import -alias cms -file /tmp/selfsigned.cer -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit

rm -f /tmp/selfsigned.cer

Step 2. Enable HTTPS for the Cloudera Manager Admin Console

2.1. Log in to Cloudera Manager Admin Console and go to Administration -> Settings -> Security.

Configure these settings:

  • Use TLS Encryption for Admin Console - check the box
  • Path to TLS Keystore File - /opt/cloudera/security/jks/cms.keystore
  • Keystore Password - cloudera (use the password from Step 1.4.)

2.2. Click Save Changes to save settings (do not restart Cloudera Manager Server as for now).

2.3. Go to Cloudera Management Services -> Configuration and set the following two parameters:

  • TLS/SSL Client Truststore File Location - /usr/java/jdk1.7.0_67-cloudera/jre/lib/security/jssecacerts
  • TLS/SSL Client Truststore File Password - changeit (the password from Step 1.8.)

2.4. Click Save Changes and restart Cloudera Management Services.

2.5. Log in to Cloudera Manag er Server host and restart CMS:

sudo service cloudera-scm-server restart

2.6. Verify if Cloudera Manager Admin Console redirects connection from HTTP port 7180 to HTTPS port 7183.

Step 3. Configuring TLS Level 1 encryption for Cloudera Manager Agents

3.1. Log in to Cloudera Manager Admin Console and go to Administration -> Settings -> Security.

Configure this setting:

  • Use TLS Encryption for Agents - check the box

3.2. Click Save Changes and restart CMS:

sudo service cloudera-scm-server restart

3.3. On every cluster node where Cloudera Manager Agent is running, run the following command:

sudo sed -i ‘s|use_tls=0|use_tls=1|g’ /etc/cloudera-scm-agent/config.ini
sudo service cloudera-scm-agent restart


3.4. In the Cloudera Manager Admin Console, open the Hosts page. If the Agent successfully provides a heartbeat, TLS encryption works properly.