How to Setup Certificates Signed by a User's Certificate Authority (CA) for Web Consoles and Hadoop Network Encryption Use on BDA 4.5 and Higher (Doc ID 2443887.1)

Last updated on JUNE 13, 2023

Applies to:

Big Data Appliance Integrated Software - Version 4.5.0 and later
Linux x86-64


This document provides step-by-step details for using certificates signed by a user's Certificate Authority (CA) with web consoles (Hue, Cloudera Manager) and Hadoop network encryption on the Big Data Appliance (BDA). It includes steps for handling one public CA certificate or a certificate chain. Steps for certificate setup with TLS Level 2 and Level 3 are also addressed. These steps apply to BDA 4.5 and higher clusters.


System administrators may use this document to set up a cluster with a public CA certificate or a certificate chain.


In this Document
 Known Issues
 Frequently Asked Questions
 What does an "unknown_ca" alert mean?
 When verifying the keystore /opt/cloudera/security/jks/node.jks what does it mean if the "Owner" and the "Issuer" are the same?
 Since TLS level 2 and TLS level 3 are discussed in this note, what is the definition for each?
 Prerequisites for Setting Up User Provided Certificates for Web Consoles and Hadoop Network Encryption
 Prerequisites for Cluster Health
 Prerequisites for Hue
 Prerequisites for Keystore/Truststore Password/Path
 Prerequisites to Determine if HDFS Transparent Encryption is Enabled
 Prerequisites for Backing up /opt/cloudera/security
 Generate the CA Signed Certificates
 Create a Temporary Directory to Generate the Keystore and CSR
 Create the Keystores from which CSRs are Created
 Generate a CSR for Each Node
 Use the Node Specific CSR to Create a Signed Certificate
 Copy the CA Public Root Certificate and Intermediate Certificates
 Steps to Setup User Provided Certificates for Web Consoles and Hadoop Network Encryption
 Append Intermediate CA Certificates to the Signed Certificate
 Import the Generated Signed Certificate into the Keystore
 Create a Truststore with Only the Root CA Public Certificate
 Setup agents.pem File with Root CA Certificate
 Setup for Hue and HDFS Transparent Encryption if Enabled
 Setup for TLS Level 3
 Detailed Steps to Create hostname.key and hostname.pem
 Stop the Cluster
 Restore /opt/cloudera/security2 to /opt/cloudera/security
 Steps to Update CA Signed Certificates on Non-BDA Edge Nodes Which are Part of the Cluster
 Start the Cluster
 Non-BDA Edge Node Certificate Updates when the Cluster is Up
 Steps to Follow when the Cluster is Stopped
 Cluster Verification
 Steps to Remove User Provided Certificates for Web Consoles and Hadoop Network Encryption