How to Setup Certificates Signed by a User's Certificate Authority (CA) for Web Consoles and Hadoop Network Encryption Use on BDA 4.5 and Higher
(Doc ID 2443887.1)
Last updated on JULY 20, 2024
Applies to:
Big Data Appliance Integrated Software - Version 4.5.0 and later
Linux x86-64
Purpose
This document provides step-by-step details for using certificates signed by a user's Certificate Authority (CA) with the web consoles (Hue, Cloudera Manager) and with Hadoop network encryption on the Big Data Appliance (BDA). It includes steps for handling either a single public CA certificate or a certificate chain. Certificate setup for TLS Level 2 and TLS Level 3 is also addressed. These steps apply to BDA 4.5 and higher clusters.
Scope
System administrators may use this document to set up a cluster with a public CA certificate or a certificate chain.
Details
In this Document
Purpose
Scope
Details
Background
Known Issues
Frequently Asked Questions
What does an "unknown_ca" alert mean?
When verifying the keystore /opt/cloudera/security/jks/node.jks, what does it mean if the "Owner" and the "Issuer" are the same?
Since TLS Level 2 and TLS Level 3 are discussed in this note, what is the definition of each?
Prerequisites for Setting Up User Provided Certificates for Web Consoles and Hadoop Network Encryption
Prerequisites for Cluster Health
Prerequisites for Hue
Prerequisites for Keystore/Truststore Password/Path
Prerequisites to Determine if HDFS Transparent Encryption is Enabled
Prerequisites for Backing up /opt/cloudera/security
Generate the CA Signed Certificates
Create a Temporary Directory to Generate the Keystore and CSR
Create the Keystores from which CSRs are Created
Generate a CSR for Each Node
Use the Node Specific CSR to Create a Signed Certificate
Copy the CA Public Root Certificate and Intermediate Certificates
Steps to Setup User Provided Certificates for Web Consoles and Hadoop Network Encryption
Append Intermediate CA Certificates to the Signed Certificate
Import the Generated Signed Certificate into the Keystore
Create a Truststore with Only the Root CA Public Certificate
Setup agents.pem File with Root CA Certificate
Setup for Hue and HDFS Transparent Encryption if Enabled
Setup for TLS Level 3
Background
Detailed Steps to Create hostname.key and hostname.pem
Stop the Cluster
Restore /opt/cloudera/security2 to /opt/cloudera/security
Steps to Update CA Signed Certificates on Non-BDA Edge Nodes Which are Part of the Cluster
Start the Cluster
Non-BDA Edge Node Certificate Updates when the Cluster is Up
Steps to Follow when the Cluster is Stopped
Cluster Verification
Steps to Remove User Provided Certificates for Web Consoles and Hadoop Network Encryption
References