不多说,直接上干货!
参考官网
https://www.cloudera.com/documentation/enterprise/5-2-x/topics/cm_sg_config_tls_security.html
Configuring TLS Security for Cloudera Manager
Important:
- Cloudera strongly recommends that you set up a fully-functional CDH cluster and Cloudera Manager before you begin configuring the Cloudera Manager Server and Agents to use TLS.
- Cloudera Manager will continue to accept HTTP requests on port 7180 (default) but will immediately redirect clients to port 7183 for HTTPS connectivity once TLS is enabled.
- Once Level 3 TLS is configured, if you want to add new hosts running Agents, you must manually deploy the Cloudera Manager agent and daemon's packages for your platform, issue a new certificate for the host, configure /etc/cloudera-scm-agent/config.ini to use SSL/TLS and then bring the host online.
Conversely, you can disable TLS to add the host, configure the new host for TLS, then re-enable with the proper configuration in place. Either approach is valid, based on your needs.
- For all hosts running Agents, Cloudera recommends you start with creating the keystore in Java first, and then exporting the key and certificate using openSSL for use by the Agent or Hue.
翻译就是:
重要:
Cloudera强烈建议您在开始配置Cloudera Manager服务器和代理使用TLS之前,设置完整功能的CDH群集和Cloudera Manager。
Cloudera Manager将继续接收端口7180上的HTTP请求(默认值),但一旦启用TLS,它将立即将客户端重定向到端口7183以进行HTTPS连接。
一旦配置了3级TLS,如果要添加运行代理的新主机,则必须手动部署适用于您的平台的Cloudera Manager代理和守护程序软件包,为主机发出新的证书,配置/ etc / cloudera-scm-agent / config.ini使用SSL / TLS,然后使主机联机。
相反,您可以禁用TLS添加主机,配置TLS的新主机,然后重新启用适当的配置。任何一种方法都是有效的,根据您的需要。
对于运行代理的所有主机,Cloudera建议您首先使用Java创建密钥库,然后使用openSSL导出密钥和证书以供代理或色相使用。
Transport Layer Security (TLS) provides encryption and authentication in the communications between the Cloudera Manager Server and Agents. Encryption prevents snooping of communications, and authentication helps prevent malicious servers or agents from causing problems in your cluster.
Cloudera Manager supports three levels of TLS security. It is necessary to work through the configuration of Level 1, and then Level 2 TLS to be able to configure Level 3 encryption. The configurations build on each other to reach Level 3 which is the strongest level of TLS security.
翻译就是:
传输层安全性(TLS)在Cloudera Manager服务器和代理之间的通信中提供加密和身份验证。 加密可防止通信侦听,并且身份验证有助于防止恶意服务器或代理在群集中引起问题。
Cloudera Manager支持三种级别的TLS安全性。 有必要通过配置1级,然后2级TLS才能配置3级加密。 配置相互建立,达到3级,这是TLS安全性最强的级别。
- Level 1 (Good) - This level only configures encrypted communication between the browser and Cloudera Manager, and between Agents and the Cloudera Manager Server. See Configuring TLS Encryption Only for Cloudera Manager followed by Level 1: Configuring TLS Encryption for Cloudera Manager Agents for instructions. Level 1 encryption prevents snooping of commands and controls ongoing communication between the Agents and Cloudera Manager.
- Level 2 (Better) - This level includes encrypted communication between the Agents and the Server, as well as strong verification of the Cloudera Manager Server certificate by the Agents. See Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents. Level 2 provides Agents with an additional level of security by verifying trust for the certificate presented by the Cloudera Manager Server.
- Level 3 (Best) - Encrypted communication between the Agents and the Server. Level 3 TLS includes encrypted communication between the Agents and the Server, strong verification of the Cloudera Manager Server certificate by the Agents and authentication of Agents to the Cloudera Manager Server using self-signed or CA-signed certs. See Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server. Level 3 addresses the untrusted network scenario where you need to prevent cluster Servers being spoofed by untrusted Agents running on a host. Cloudera recommends you configure Level 3 TLS encryption for untrusted network environments before enabling Kerberos authentication. This provides secure communication of keytabs between the Cloudera Manager Server and verified Agents across the cluster.
翻译就是:
级别1(好) - 此级别仅配置浏览器和Cloudera Manager之间以及代理和Cloudera Manager服务器之间的加密通信。请参阅仅为Cloudera Manager配置TLS加密,然后按照级别1:为Cloudera Manager代理配置TLS加密,以获取说明。 1级加密可以防止对代理和Cloudera Manager之间的通信进行窥探。
级别2(更好) - 此级别包括代理和服务器之间的加密通信,以及代理对Cloudera Manager服务器证书的强大验证。请参阅第2级:由代理配置Cloudera Manager服务器的TLS验证。级别2通过验证由Cloudera Manager服务器提供的证书的信任,为代理提供额外的安全级别。
级别3(最佳) - 代理和服务器之间的加密通信。 3级TLS包括代理和服务器之间的加密通信,由代理对Cloudera Manager服务器证书进行强大的验证,并使用自签名或CA签名的证书将代理验证到Cloudera Manager服务器。请参阅第3级:将代理的TLS验证配置到Cloudera Manager服务器。级别3解决了不受信任的网络场景,您需要防止群集服务器被主机上运行的不受信任的代理人欺骗。 Cloudera建议您在启用Kerberos身份验证之前,为不受信任的网络环境配置3级TLS加密。这提供了Cloudera Manager服务器和集群中经过验证的代理之间的keytab的安全通信。
To enable TLS encryption for all connections between your Web browser running the Cloudera Manager Admin Console and the Cloudera Manager Server, see the first 2 steps of Level 1: Configuring TLS Encryption for Cloudera Manager Agents.
For more details on how various aspects of HTTPS communication are handled by the Cloudera Manager Agents and the Cloudera Management Services daemons, see HTTPS Communication in Cloudera Manager.
翻译就是:
要启用运行Cloudera Manager管理控制台和Cloudera Manager服务器的Web浏览器之间的所有连接的TLS加密,请参阅Level 1:为Cloudera Manager代理配置TLS加密的前两步。
有关如何通过Cloudera Manager代理和Cloudera管理服务守护程序处理HTTPS通信的各个方面的更多详细信息,请参阅Cloudera Manager中的HTTPS通信。
我这里选择, Level 1: Configuring TLS Encryption for Cloudera Manager Agents
同时,大家可以关注我的个人博客:
http://www.cnblogs.com/zlslch/ 和 http://www.cnblogs.com/lchzls/ http://www.cnblogs.com/sunnyDream/
详情请见:http://www.cnblogs.com/zlslch/p/7473861.html
人生苦短,我愿分享。本公众号将秉持活到老学到老学习无休止的交流分享开源精神,汇聚于互联网和个人学习工作的精华干货知识,一切来于互联网,反馈回互联网。
目前研究领域:大数据、机器学习、深度学习、人工智能、数据挖掘、数据分析。 语言涉及:Java、Scala、Python、Shell、Linux等 。同时还涉及平常所使用的手机、电脑和互联网上的使用技巧、问题和实用软件。 只要你一直关注和呆在群里,每天必须有收获
对应本平台的讨论和答疑QQ群:大数据和人工智能躺过的坑(总群)(161156071)