Configuring SSL/TLS certificate exchange between two Cloudera Manager instances
You must manually set up an SSL/TLS certificate exchange between the two Cloudera Manager instances that manage the source and target clusters respectively. Replication Manager uses this information to set up the peers for secure data replication.
When the source Cloudera Manager is configured for high availability and Auto-TLS is enabled, the certificate exchange is initiated from the source cluster to the target cluster, and the certificate is exported from the load balancer node of the source cluster.
- Go to the truststore location in the source Cloudera Manager, and perform the following steps:
  - List the contents of the truststore file using the [***KEYTOOL PATH***] -list -keystore [***TRUSTSTORE JKS FILE LOCATION***] -storepass [***TRUSTSTORE PASSWORD***] command.
    For example, /usr/lib/jvm/java-openjdk-11/bin/keytool -list -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -storepass [***TRUSTSTORE PASSWORD***]
  - Export the certificate contents in the host to a file using the [***KEYTOOL***] -exportcert -keystore [***TRUSTSTORE JKS FILE LOCATION***] -alias [***CM ALIAS ON SRC CM***] -file ./[***TXT file, for example: source-cert.txt***] -storepass [***TRUSTSTORE PASSWORD***] command.
    For example, /usr/java/default/bin/keytool -exportcert -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-0 -file ./source-cert.txt -storepass [***TRUSTSTORE PASSWORD***]
  - Copy the text file to all the hosts of the target cluster Cloudera Manager securely using the scp -i [***PEM FILE***] [***TXT file - source-cert.txt***] root@[***HOST IP***]:/home/ command.
    The PEM file that you use in the scp command is the PEM file that you use for SSH login to the target cluster. Ensure that the PEM file is present on the source Cloudera Manager host before you run the scp command, which copies the certificate in TXT format from the source Cloudera Manager to all the target hosts.
  - Import the certificate into the truststore file on all the hosts of the target cluster Cloudera Manager using the [***KEYTOOL***] -importcert -noprompt -v -trustcacerts -keystore [***TRUSTSTORE JKS FILE LOCATION***] -alias [***CM ALIAS ON DEST CM***] -file ./[***TXT file, for example: source-cert.txt***] -storepass [***TRUSTSTORE PASSWORD***] command.
    For example, /usr/java/default/bin/keytool -importcert -noprompt -v -trustcacerts -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-1 -file ./source-cert.txt -storepass [***TRUSTSTORE PASSWORD***]
  - List the contents of the truststore file again using the [***KEYTOOL PATH***] -list -keystore [***TRUSTSTORE JKS FILE LOCATION***] -storepass [***TRUSTSTORE PASSWORD***] command to verify the import.
- Go to the truststore location in the target Cloudera Manager, and perform the following steps:
  - List the contents of the truststore file using the [***KEYTOOL PATH***] -list -keystore [***TRUSTSTORE JKS FILE LOCATION***] -storepass [***TRUSTSTORE PASSWORD***] command.
  - Export the certificate contents in the host to a file using the [***KEYTOOL***] -exportcert -keystore [***TRUSTSTORE JKS FILE LOCATION***] -alias [***CM ALIAS ON DEST CM***] -file ./[***TXT file, for example: dest-cert.txt***] -storepass [***TRUSTSTORE PASSWORD***] command.
  - Copy the text file to all the hosts of the source cluster Cloudera Manager securely using the scp -i [***PEM FILE***] [***TXT file - dest-cert.txt***] root@[***HOST IP***]:/home/ command.
  - Import the certificate into the truststore file on all the hosts of the source Cloudera Manager using the [***KEYTOOL***] -importcert -noprompt -v -trustcacerts -keystore [***TRUSTSTORE JKS FILE LOCATION***] -alias [***CM ALIAS ON SRC CM***] -file ./[***TXT file - dest-cert.txt***] -storepass [***TRUSTSTORE PASSWORD***] command.
- If the exported certificate file is named cert.txt, copy it to all the hosts of the target cluster Cloudera Manager securely:
  $ mv cert.txt othercert.txt
  $ scp -i [***PEM FILE***] othercert.txt root@[***HOST_IP***]:/home/
- Import the certificate into the truststore file on all the hosts of the target cluster Cloudera Manager:
  /usr/java/default/bin/keytool -importcert -noprompt -v -trustcacerts -keystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -alias cmrootca-1 -file ./othercert.txt -storepass [***TRUSTSTORE PASSWORD***]
- Run the list and export steps in the target cluster Cloudera Manager, then copy the resulting cert.txt file to all the hosts in the source cluster Cloudera Manager securely, and import the certificate into the truststore file on all the hosts of the source cluster Cloudera Manager (the copy and import steps).
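The exchange above is easy to get subtly wrong (an old export copied to a host, or the wrong alias listed afterwards), so the useful check after the import is that the alias on each target host reports the same SHA-256 fingerprint as the file that was exported. The following bash script is an added example, not Cloudera's tooling and not part of the original page: it runs one direction of the exchange (source truststore to target hosts) with that check, and you run it again from the target Cloudera Manager host with the roles swapped for the other direction. The keytool path, truststore path, aliases, PEM file path and TARGET_HOSTS list are assumptions taken from the page's placeholders and are overridden through the environment.

```shell
#!/usr/bin/env bash
# Added example, not Cloudera's tooling: export the CM CA certificate from the
# source truststore, copy it to every target host, import it there, and verify
# that the alias on each host carries the fingerprint of the file that was sent.
# All paths, aliases and hosts are assumptions taken from the page's
# placeholders; override them through the environment.
set -eu

KEYTOOL="${KEYTOOL:-/usr/java/default/bin/keytool}"
TRUSTSTORE="${TRUSTSTORE:-/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks}"
SRC_ALIAS="${SRC_ALIAS:-cmrootca-0}"    # alias of the source CM CA in the source truststore
DEST_ALIAS="${DEST_ALIAS:-cmrootca-1}"  # alias the target hosts will store it under
PEM_FILE="${PEM_FILE:-/root/target-cluster.pem}"  # assumed SSH key for the target hosts
CERT_FILE="${CERT_FILE:-./source-cert.txt}"
TARGET_HOSTS="${TARGET_HOSTS:-}"        # space-separated, e.g. "10.0.0.11 10.0.0.12" (constructed)

# Extract the SHA-256 fingerprint from keytool output. Accepts both the
# one-line "Certificate fingerprint (SHA-256): ..." form of `keytool -list` and
# the "SHA256: ..." line of `keytool -list -v` / `keytool -printcert`, and
# normalises to upper case. Prints nothing if no fingerprint is present.
fingerprint_from_list_output() {
  printf '%s\n' "$1" \
    | sed -n 's/^.*SHA-\{0,1\}256)\{0,1\}: *\([0-9A-Fa-f:]\{95\}\).*$/\1/p' \
    | head -n 1 | tr 'a-f' 'A-F'
}

# Case-insensitive comparison; an empty expected value never matches, so a
# failed export cannot be mistaken for a successful import.
fingerprints_match() {
  [ -n "$1" ] && [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Source side: list the alias, export it, and show what is about to be shipped.
export_source_cert() {
  "$KEYTOOL" -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASSWORD" -alias "$SRC_ALIAS"
  "$KEYTOOL" -exportcert -keystore "$TRUSTSTORE" -alias "$SRC_ALIAS" \
    -file "$CERT_FILE" -storepass "$TRUSTSTORE_PASSWORD"
  "$KEYTOOL" -printcert -file "$CERT_FILE"
}

# Target side, per host: copy, import under DEST_ALIAS, re-list that alias and
# compare its fingerprint with the exported file's. A stale or wrong file fails here.
import_on_target() {
  local host="$1" expected="$2" remote_file listed actual
  remote_file="/home/$(basename "$CERT_FILE")"
  scp -i "$PEM_FILE" "$CERT_FILE" "root@$host:/home/"
  ssh -i "$PEM_FILE" "root@$host" "$KEYTOOL -importcert -noprompt -v -trustcacerts \
    -keystore $TRUSTSTORE -alias $DEST_ALIAS -file $remote_file -storepass '$TRUSTSTORE_PASSWORD'"
  listed=$(ssh -i "$PEM_FILE" "root@$host" \
    "$KEYTOOL -list -keystore $TRUSTSTORE -alias $DEST_ALIAS -storepass '$TRUSTSTORE_PASSWORD'")
  actual=$(fingerprint_from_list_output "$listed")
  if fingerprints_match "$expected" "$actual"; then
    echo "OK   $host: $DEST_ALIAS matches the exported certificate ($expected)"
  else
    echo "FAIL $host: expected $expected, truststore shows '${actual:-none}'" >&2
    return 1
  fi
}

run_exchange() {
  : "${TRUSTSTORE_PASSWORD:?set TRUSTSTORE_PASSWORD in the environment}"
  [ -n "$TARGET_HOSTS" ] || { echo "set TARGET_HOSTS to the target cluster hosts" >&2; return 1; }
  export_source_cert
  local expected
  expected=$(fingerprint_from_list_output "$("$KEYTOOL" -printcert -file "$CERT_FILE")")
  [ -n "$expected" ] || { echo "no SHA-256 fingerprint found for $CERT_FILE" >&2; return 1; }
  for h in $TARGET_HOSTS; do import_on_target "$h" "$expected"; done
}

# Run only when asked, so the file can also be sourced for its helper functions.
if [ "${CM_CERT_EXCHANGE:-0}" = "1" ]; then run_exchange; fi
```

Invoke it from the source Cloudera Manager host as `TRUSTSTORE_PASSWORD=... TARGET_HOSTS="host1 host2" CM_CERT_EXCHANGE=1 bash cm-cert-exchange.sh`; any host whose listed fingerprint differs from the exported certificate is reported as FAIL and the script stops there, which is the point of re-listing the truststore after the import rather than trusting keytool's "Certificate was added" message alone.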
- Perform this step only for Ozone replication policies.
  Import the S3G CA certificate from the cluster to the local JDK path using the following commands:
  - Run the keytool -importkeystore -destkeystore [***JDK_CACERTS_LOCATION***] -srckeystore [***CM-AUTO-GLOBAL_TRUSTSTORE.JKS LOCATION***] -srcalias [***CM ALIAS ON SRC CM***] command on all the hosts of the source Cloudera Manager.
    For example, keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-0
  - Run the following commands on all the hosts of the target Cloudera Manager:
    - keytool -importkeystore -destkeystore [***JDK_CACERTS_LOCATION***] -srckeystore [***CM-AUTO-GLOBAL_TRUSTSTORE.JKS LOCATION***] -srcalias [***CM ALIAS ON SRC CM***]
    - keytool -importkeystore -destkeystore [***JDK_CACERTS_LOCATION***] -srckeystore [***CM-AUTO-GLOBAL_TRUSTSTORE.JKS LOCATION***] -srcalias [***CM ALIAS ON DEST CM***]
    For example,
    keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-0
    keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-1