Setting up a certificate in Cloudera Manager

To set up the certificate in Cloudera Manager, perform the following steps on the Cloudera Manager server host.

Copy the content of the exported certificate and add it to the keystore on the Cloudera Manager server host. This step ensures that the certificate is available for secure communication.

Import the root certificate on the Cloudera Manager server host. This ensures that the Cloudera Manager server can trust the certificate authority that issued the certificate.

The following steps explain how to import the root certificate of the different databases on the Cloudera Manager Server host.

Importing the MySQL root certificate

To import the MySQL database root certificate on the Cloudera Manager Server host, perform the following steps:

  1. View the contents of the ssl-client.xml file by running the following commands:
    export SSL_CLIENT=/etc/hadoop/conf/ssl-client.xml
    cat $SSL_CLIENT
  2. Obtain the truststore's location and password by running the following commands:
    export TRUSTSTORE_LOCATION=$(xmllint --xpath "//configuration/property[name='ssl.client.truststore.location']/value/text()" $SSL_CLIENT)
    export TRUSTSTORE_PASSWORD=$(xmllint --xpath "//configuration/property[name='ssl.client.truststore.password']/value/text()" $SSL_CLIENT)
  3. Verify the contents of the truststore by running the following command:
    /usr/java/default/bin/keytool -list -rfc -keystore $TRUSTSTORE_LOCATION -storetype JKS -storepass $TRUSTSTORE_PASSWORD
  4. Import the MySQL root certificate by running the following command:
    /usr/java/default/bin/keytool -importcert -alias mysql -file /var/lib/mysql/ca.pem -keystore $TRUSTSTORE_LOCATION -storetype jks -noprompt -storepass $TRUSTSTORE_PASSWORD
  5. Verify the contents of the truststore again by running the following command:
    /usr/java/default/bin/keytool -list -rfc -keystore $TRUSTSTORE_LOCATION -storetype JKS -storepass $TRUSTSTORE_PASSWORD

Importing the MariaDB root certificate

To import the MariaDB database root certificate on the Cloudera Manager Server host, perform the following steps:

  1. View the contents of the ssl-client.xml file by running the following commands:
    export SSL_CLIENT=/etc/hadoop/conf/ssl-client.xml
    cat $SSL_CLIENT
  2. Obtain the truststore's location and password by running the following commands:
    export TRUSTSTORE_LOCATION=$(xmllint --xpath "//configuration/property[name='ssl.client.truststore.location']/value/text()" $SSL_CLIENT)
    export TRUSTSTORE_PASSWORD=$(xmllint --xpath "//configuration/property[name='ssl.client.truststore.password']/value/text()" $SSL_CLIENT)
  3. Verify the contents of the truststore by running the following command:
    /usr/java/default/bin/keytool -list -rfc -keystore $TRUSTSTORE_LOCATION -storetype JKS -storepass $TRUSTSTORE_PASSWORD
  4. Import the MariaDB root certificate by running the following command:
    /usr/java/default/bin/keytool -importcert -alias mariadb -file /etc/my.cnf.d/ssl/ca-cert.pem -keystore $TRUSTSTORE_LOCATION -storetype jks -noprompt -storepass $TRUSTSTORE_PASSWORD
  5. Verify the contents of the truststore again by running the following command:
    /usr/java/default/bin/keytool -list -rfc -keystore $TRUSTSTORE_LOCATION -storetype JKS -storepass $TRUSTSTORE_PASSWORD

Importing the Oracle root certificate

To import the Oracle database root certificate on the Cloudera Manager Server host, perform the following steps:

  1. Copy the content of the certificate that you exported earlier and add it to the keystore on the base cluster instances.

  2. Paste the copied content to the ca-cert.pem file.

  3. Fetch the keystore password from the /etc/hadoop/conf/ssl-client.xml file, then import the certificate by running the following command with that password in place of [***PASSWORD***]:
    /usr/java/default/bin/keytool -importcert -alias oracle -file ca-cert.pem -keystore /var/lib/example/truststore.jks -storetype jks -noprompt -storepass [***PASSWORD***]

Importing the PostgreSQL root certificate

If the Database host and Cloudera Manager Server host are located on the same machine, then perform the following steps to import the PostgreSQL database root certificate:
  1. Go to the path where root certificates are stored. By default, it is /var/lib/pgsql/14/data/.
    cd /var/lib/pgsql/14/data/
  2. Copy the PostgreSQL root certificate by running the following command:
    cp server.crt root.crt
  3. Create a new directory in the following path by running the following command:
    mkdir -p /var/lib/cloudera-scm-server/.postgresql
  4. Copy the root certificate to the new directory on the Cloudera Manager server host by running the following command:
    cd /var/lib/cloudera-scm-server/.postgresql
    cp /var/lib/pgsql/14/data/root.crt .
  5. Change the ownership of the root certificate by running the following command:
    chown cloudera-scm root.crt
    Then, include this root certificate path in the JDBC URL as follows:
    jdbc:postgresql://<DB HOSTNAME>:<DB-PORT>/<DB NAME>?ssl=true&sslmode=verify-ca&sslrootcert=<PATH_TO_ROOT_CERTIFICATE>
If the Database host and Cloudera Manager Server host are not located on the same machine, then perform the following steps to import the PostgreSQL database root certificate:
  1. Perform the following steps from the Database host:
    1. Go to the path where root certificates are stored. By default, it is /var/lib/pgsql/14/data/.
      cd /var/lib/pgsql/14/data/
    2. Copy the PostgreSQL root certificate by running the following command:
      cp server.crt root.crt
  2. Perform the following steps from the Cloudera Manager Server host:
    1. Create a new directory in the following path by running the following command:
      mkdir -p /var/lib/cloudera-scm-server/.postgresql
    2. Go to the new directory on the Cloudera Manager server host by running the following command:
      cd /var/lib/cloudera-scm-server/.postgresql
    3. Secure copy (scp) the root certificate from the Database host to the Cloudera Manager Server's PostgreSQL configuration directory by running the following command:
      scp root@<DB_HOST>:/var/lib/pgsql/14/data/root.crt .
    4. Change the ownership of the root certificate by running the following command:
      chown cloudera-scm root.crt
      Then, include this root certificate path in the JDBC URL as follows:
      jdbc:postgresql://<DB HOSTNAME>:<DB-PORT>/<DB NAME>?ssl=true&sslmode=verify-ca&sslrootcert=<PATH_TO_ROOT_CERTIFICATE>
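
Both PostgreSQL procedures end with a JDBC URL that depends on a verifying sslmode and a readable sslrootcert file. The following check is an added example, not Cloudera's code: the function names are hypothetical, the demo URL is constructed, and it assumes a PEM-encoded root certificate and URL parameters that are not percent-encoded.

```shell
# Added example (not from the page): audit a PostgreSQL JDBC URL's TLS settings.
# Function names are hypothetical; the demo URL at the end is constructed.

# Print the value of query parameter $2 in URL $1 (empty if absent).
jdbc_param() {
    query=${1#*\?}
    [ "$query" = "$1" ] && return 0   # URL has no query string
    printf '%s\n' "$query" | tr '&' '\n' | while IFS='=' read -r k v; do
        [ "$k" = "$2" ] && printf '%s\n' "$v"
    done | tail -n 1
}

# Return 0 only if the URL names a verifying sslmode and a usable root cert.
check_pg_jdbc_url() {
    url=$1; rc=0
    case $url in
        jdbc:postgresql://*) ;;
        *) echo "FAIL: not a jdbc:postgresql:// URL"; return 1 ;;
    esac
    mode=$(jdbc_param "$url" sslmode)
    root=$(jdbc_param "$url" sslrootcert)
    case $mode in
        verify-ca)   echo "OK: sslmode=verify-ca (CA chain checked, host name not checked)" ;;
        verify-full) echo "OK: sslmode=verify-full (CA chain and host name checked)" ;;
        '')          echo "FAIL: sslmode is not set explicitly"; rc=1 ;;
        *)           echo "FAIL: sslmode=$mode is not verify-ca or verify-full"; rc=1 ;;
    esac
    if [ -z "$root" ]; then
        echo "FAIL: sslrootcert is not set"; rc=1
    elif [ ! -r "$root" ]; then
        echo "FAIL: $root is missing or not readable by the current user"; rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$root"; then
        echo "FAIL: $root contains no PEM certificate"; rc=1
    elif grep -q -- 'PRIVATE KEY-----' "$root"; then
        echo "FAIL: $root also contains a private key"; rc=1
    else
        echo "OK: sslrootcert=$root"
    fi
    return "$rc"
}

# Constructed demo: fails on both sslmode (require) and the missing sslrootcert.
check_pg_jdbc_url 'jdbc:postgresql://db.example.com:5432/scm?ssl=true&sslmode=require' || true
```

Run the check as the cloudera-scm user so that the readability test reflects the account targeted by the chown step.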