How to correctly configure TLS security for Cloudera Manager when installing Cloudera Manager (Configuring TLS Security for Cloudera Manager)

Not much talk, straight to the useful part!

Reference: the official documentation

https://www.cloudera.com/documentation/enterprise/5-2-x/topics/cm_sg_config_tls_security.html

Configuring TLS Security for Cloudera Manager

Important:

  • Cloudera strongly recommends that you set up a fully-functional CDH cluster and Cloudera Manager before you begin configuring the Cloudera Manager Server and Agents to use TLS.
  • Cloudera Manager will continue to accept HTTP requests on port 7180 (default) but will immediately redirect clients to port 7183 for HTTPS connectivity once TLS is enabled.
  • Once Level 3 TLS is configured, if you want to add new hosts running Agents, you must manually deploy the Cloudera Manager agent and daemon's packages for your platform, issue a new certificate for the host, configure /etc/cloudera-scm-agent/config.ini to use SSL/TLS and then bring the host online.

    Conversely, you can disable TLS to add the host, configure the new host for TLS, then re-enable with the proper configuration in place. Either approach is valid, based on your needs.

  • For all hosts running Agents, Cloudera recommends you start with creating the keystore in Java first, and then exporting the key and certificate using openSSL for use by the Agent or Hue.

   Transport Layer Security (TLS) provides encryption and authentication in the communications between the Cloudera Manager Server and Agents. Encryption prevents snooping of communications, and authentication helps prevent malicious servers or agents from causing problems in your cluster.

  Cloudera Manager supports three levels of TLS security. It is necessary to work through the configuration of Level 1, and then Level 2 TLS to be able to configure Level 3 encryption. The configurations build on each other to reach Level 3 which is the strongest level of TLS security.

  • Level 1 (Good) - This level only configures encrypted communication between the browser and Cloudera Manager, and between Agents and the Cloudera Manager Server. See Configuring TLS Encryption Only for Cloudera Manager followed by Level 1: Configuring TLS Encryption for Cloudera Manager Agents for instructions. Level 1 encryption prevents snooping of commands and controls ongoing communication between the Agents and Cloudera Manager.
  • Level 2 (Better) - This level includes encrypted communication between the Agents and the Server, as well as strong verification of the Cloudera Manager Server certificate by the Agents. See Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents. Level 2 provides Agents with an additional level of security by verifying trust for the certificate presented by the Cloudera Manager Server.
  • Level 3 (Best) - Encrypted communication between the Agents and the Server. Level 3 TLS includes encrypted communication between the Agents and the Server, strong verification of the Cloudera Manager Server certificate by the Agents and authentication of Agents to the Cloudera Manager Server using self-signed or CA-signed certs. See Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server. Level 3 addresses the untrusted network scenario where you need to prevent cluster Servers being spoofed by untrusted Agents running on a host. Cloudera recommends you configure Level 3 TLS encryption for untrusted network environments before enabling Kerberos authentication. This provides secure communication of keytabs between the Cloudera Manager Server and verified Agents across the cluster.
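As an added example (not from the page or from Cloudera), here is a small Python checker that reads an Agent's config.ini and reports which of the three levels above its settings amount to, including the ordering rule that Level 3 builds on Level 2. The key names use_tls, verify_cert_file, client_key_file and client_cert_file are the Agent's TLS settings as used in CM 5.x; treat them as an assumption for other versions, and the sample config is constructed.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample of a Cloudera Manager Agent config.ini (not from the page).
# The four TLS keys below are the CM 5.x agent settings; assumption for other versions.
SAMPLE_CONFIG = """
[General]
server_host=cm.example.internal
server_port=7182
use_tls=1
verify_cert_file=/opt/cloudera/security/cacerts/cm-server.pem
client_key_file=
client_cert_file=
"""


def parse_agent_config(text: str) -> Dict[str, str]:
    """Return the [General] section of an agent config.ini as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["General"]) if cp.has_section("General") else {}


def tls_level(cfg: Dict[str, str]) -> Tuple[int, List[str]]:
    """Map agent settings to the TLS level described in the Cloudera docs.
    Returns (level, findings); level 0 means the agent still talks plaintext."""
    findings: List[str] = []

    def is_set(key: str) -> bool:
        return cfg.get(key, "").strip() != ""

    if cfg.get("use_tls", "0").strip() != "1":
        findings.append("use_tls is not 1: agent-to-server traffic is unencrypted")
        return 0, findings
    level = 1  # Level 1: encryption only, no certificate verification
    if is_set("verify_cert_file"):
        level = 2  # Level 2: agent verifies the server certificate
    else:
        findings.append("verify_cert_file unset: server certificate not verified (Level 1 only)")
    if is_set("client_cert_file") and is_set("client_key_file"):
        if level == 2:
            level = 3  # Level 3: agent also authenticates itself to the server
        else:
            findings.append("client cert configured but server not verified: Level 3 requires Level 2")
    elif is_set("client_cert_file") or is_set("client_key_file"):
        findings.append("client_cert_file and client_key_file must both be set for Level 3")
    return level, findings


if __name__ == "__main__":
    lvl, notes = tls_level(parse_agent_config(SAMPLE_CONFIG))
    print(f"Agent TLS level: {lvl}")
    for note in notes:
        print(" -", note)
```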

  To enable TLS encryption for all connections between your Web browser running the Cloudera Manager Admin Console and the Cloudera Manager Server, see the first 2 steps of Level 1: Configuring TLS Encryption for Cloudera Manager Agents.

  For more details on how various aspects of HTTPS communication are handled by the Cloudera Manager Agents and the Cloudera Management Services daemons, see HTTPS Communication in Cloudera Manager.

Here I choose Level 1: Configuring TLS Encryption for Cloudera Manager Agents.