Cloudera Enterprise 6.3.x

Configuring TLS/SSL for Navigator Metadata Server

Cloudera Navigator supports TLS/SSL encryption for network communications between the Navigator Metadata Server and clients, such as the web browser used for the Cloudera Navigator console. Typically, TLS/SSL is configured for the entire cluster, so the server key and certificate may already exist on the host running the Navigator Metadata Server role. The steps below assume that the cluster is already configured for TLS/SSL and that the security artifacts have been obtained and deployed to the host running the Navigator Metadata Server role instance.

  1. Validate that the JDK on the Navigator Metadata Server host has certificates configured.

    Navigator establishes trust for the TLS certificate used for network communication using the JDK on the local host. The JDK looks for certificates in three places:

    • $JAVA_HOME/jre/lib/security/jssecacerts
    • $JAVA_HOME/jre/lib/security/cacerts
    • Location specified by java.net.ssl.truststore. This property can be set through the Navigator Metadata Server Advanced Configuration Snippet (Safety Valve) for cloudera-navigator.properties.

    If the java.net.ssl.truststore location is set, the JDK ignores the default certificate locations.

    If there isn't a certificate in any of these locations, review Generate TLS Certificates and make sure that the Navigator Metadata Server host was included in step 7.

  2. Validate the location of the keystore file on the host running the Navigator Metadata Server role instance.

    For example, if TLS was enabled according to the instructions in Manually Configuring TLS Encryption for Cloudera Manager, the TLS keystore would be located in /opt/cloudera/security/pki. If the keystore isn't already on the Navigator Metadata Server host, generate one by following the instructions in Generate TLS Certificates.

  3. Log in to the Cloudera Manager Admin Console.
  4. Select Clusters > Cloudera Management Service.
  5. Click the Configuration tab.
  6. Select Scope > Navigator Metadata Server.
  7. Select Category > Security.
  8. Edit the following properties according to your cluster configuration.
    | Property | Description |
    |---|---|
    | Enable TLS/SSL for Navigator Metadata Server | Encrypt network communications between clients and Navigator Metadata Server using TLS/SSL. |
    | TLS/SSL Keystore File Location | The path to the keystore file containing the server private key and certificate. The keystore must be in JKS format. |
    | TLS/SSL Keystore File Password | The password for the Navigator Metadata Server JKS keystore file. |
    | TLS/SSL Keystore Key Password | The password for the private key contained in the JKS keystore. |
  9. Click Save Changes.
  10. Restart the Navigator Metadata Server role.
  Note: After TLS/SSL is enabled, Cloudera Manager links to the Cloudera Navigator console use HTTPS rather than unencrypted HTTP. The trust store password is encrypted when passed between Cloudera Manager and Cloudera Navigator.
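
The checks in steps 1, 2 and 8 can be scripted on the Navigator Metadata Server host before any change is made in Cloudera Manager. The script below is an added example, not Cloudera code: `effective_truststore` and `keystore_format` are hypothetical helper names, the trust store override is passed as an argument, and the jssecacerts-before-cacerts order and the JKS magic bytes are standard JDK behaviour rather than something stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for steps 1, 2 and 8. Not Cloudera code.
# Usage: JAVA_HOME=... sh preflight.sh <keystore> [<truststore-override>]

# Print the trust store the JDK will consult. An explicit override wins and
# the default locations are then ignored; otherwise jssecacerts is used if
# it exists, else cacerts. Returns 1 if no trust store is found.
effective_truststore() {
    java_home=$1
    override=${2:-}
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
    elif [ -f "$java_home/jre/lib/security/jssecacerts" ]; then
        printf '%s\n' "$java_home/jre/lib/security/jssecacerts"
    elif [ -f "$java_home/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$java_home/jre/lib/security/cacerts"
    else
        return 1
    fi
}

# Classify a keystore by its first four bytes. JKS files start with
# FEEDFEED and JCEKS files with CECECECE; anything else (for example
# PKCS12, which is DER-encoded) is reported as NOT-JKS.
keystore_format() {
    [ -r "$1" ] || { echo MISSING; return 1; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d '[:space:]')
    case $magic in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS; return 1 ;;
        *)        echo NOT-JKS; return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    ts=$(effective_truststore "${JAVA_HOME:?set JAVA_HOME}" "${2:-}") \
        || { echo "no trust store found under $JAVA_HOME" >&2; exit 1; }
    echo "trust store in effect: $ts"
    fmt=$(keystore_format "$1") \
        || { echo "keystore $1 is $fmt, JKS required" >&2; exit 1; }
    echo "keystore $1: $fmt"
    # keytool prompts for the keystore password; the listing should
    # include a PrivateKeyEntry for the server key.
    keytool -list -keystore "$1" -storetype JKS
fi
```
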
Page generated August 29, 2019.