How to Setup Certificates Signed by a User's Certificate Authority (CA) for Web Consoles and Hadoop Network Encryption Use on BDA 4.5 and Higher
(Doc ID 2443887.1)
Last updated on JULY 20, 2024
Applies to:
Big Data Appliance Integrated Software - Version 4.5.0 and laterLinux x86-64
Purpose
This document provides step by step details to use certificates signed by a user's Certificate Authority (CA) with web consoles (Hue, Cloudera Manager), and hadoop network encryption on the Big Data Appliance (BDA). It includes steps for handling one public CA certificate or a certificate chain. Steps for certificate setup with TLS Level 2 and Level 3 are also addressed. These steps apply to BDA 4.5 and higher clusters.
Scope
System administrators may use this document to set up a cluster with a public CA certificate or a certificate chain.
Details
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Purpose |
| Scope |
| Details |
| Background |
| Known Issues |
| Frequently Asked Questions |
| What does an "unknown_ca" alert mean? |
| When verifying the keystore /opt/cloudera/security/jks/node.jks what does it mean if the "Owner" and the "Issuer" are the same? |
| Since TLS level 2 and TLS level 3 are discussed in this note, what is the definition for each? |
| Prerequisites for Setting Up User Provided Certificates for Web Consoles and Hadoop Network Encryption |
| Prerequisites for Cluster Health |
| Prerequisites for Hue |
| Prerequisites for Keystore/Truststore Password/Path |
| Prerequisites to Determine if HDFS Transparent Encryption is Enabled |
| Prerequisites for Backing up /opt/cloudera/security |
| Generate the CA Signed Certificates |
| Create a Temporary Directory to Generate the Keystore and CSR |
| Create the Keystores from which CSRs are Created |
| Generate a CSR for Each Node |
| Use the Node Specific CSR to Create a Signed Certificate |
| Copy the CA Public Root Certificate and Intermediate Certificates |
| Steps to Setup User Provided Certificates for Web Consoles and Hadoop Network Encryption |
| Append Intermediate CA Certificates to the Signed Certificate |
| Import the Generated Signed Certificate into the Keystore |
| Create a Truststore with Only the Root CA Public Certificate |
| Setup agents.pem File with Root CA Certificate |
| Setup for Hue and HDFS Transparent Encryption if Enabled |
| Setup for TLS Level 3 |
| Background |
| Detailed Steps to Create hostname.key and hostname.pem |
| Stop the Cluster |
| Restore /opt/cloudera/security2 to /opt/cloudera/security |
| Steps to Update CA Signed Certificates on Non-BDA Edge Nodes Which are Part of the Cluster |
| Start the Cluster |
| Non-BDA Edge Node Certificate Updates when the Cluster is Up |
| Steps to Follow when the Cluster is Stopped |
| Cluster Verification |
| Steps to Remove User Provided Certificates for Web Consoles and Hadoop Network Encryption |
| References |