The certmanager utility
Auto-TLS is managed using the certmanager utility, which is included in the Cloudera Manager Agent software, not in the Cloudera Manager Server software. You must install the Cloudera Manager Agent software on the Cloudera Manager Server host to be able to use the utility. You can use certmanager to manage auto-TLS on a new installation.
certmanager syntax
/opt/cloudera/cm-agent/bin/certmanager [OPTIONS] COMMAND [ARGS]...
Options
--location <certmanager-dir-root>
  The directory where certmanager stores all of its files on the Cloudera Manager Server host. If omitted, defaults to /var/lib/cloudera-scm-server/certmanager. This directory is created automatically and must not exist before running the command. If it does exist, you can use the --rotate argument (documented below) to back up the existing directory and create a new one in its place. Because the setup command creates the internal CA in this directory, treat it as sensitive key material and restrict access to it. The agent host certificates and other files are stored elsewhere on each agent host.

--help
  Displays the help message.
Commands
- add_custom_cert
  Adds a custom certificate and key for a host. Use this command only if you have configured a custom certificate directory (using the setup_custom_certdir command). You must run this command before adding the host in Cloudera Manager.

- export_ca_cert
  Displays the Cloudera Manager internal CA certificate. You can export the certificate to a file using a redirect operator (> or >>).

- setup
  Initializes the certificate manager and the internal CA, and configures Cloudera Manager Server to enable auto-TLS.

  - --configure-services
    Configures Cloudera Manager Server to enable automatic configuration of TLS for supported components, such as HDFS, YARN, and so on. If you omit this option, auto-TLS is configured only for Cloudera Manager agent/server communication.

  - --rotate
    Backs up the certmanager root directory (/var/lib/cloudera-scm-server/certmanager by default, or the directory specified by the --location option) if it exists, and creates a new one in its place. If the directory does not exist, it is created. If the directory exists and you do not use the --rotate argument, the command fails.

  - --override ca_dn="<CA_DN>"
    Overrides the default CA distinguished name (DN) with the provided DN. Use this if your environment requires that the common name (CN) match the hostname. For example:
    --override ca_dn="CN=cm01,DC=example,DC=com"

  - --stop-at-csr
    Stops the setup process after generating the private key and certificate signing request (CSR) for an intermediate CA certificate, and prints the CSR file location. Submit the CSR to your internal root CA for signing. After receiving the signed intermediate CA certificate, continue the setup using the --signed-ca-cert parameter.

  - --signed-ca-cert=<intermediate_CA_cert>
    Resumes the setup process using the provided signed intermediate CA certificate.

  When using the --stop-at-csr and --signed-ca-cert arguments, make sure that the remaining command options and arguments are the same in both invocations.

- setup_custom_certdir
  Initializes the certificate manager using a custom certificate directory. Use this command if you are using existing certificates signed by a trusted public CA or your own internal CA.

  - --configure-services
    Configures Cloudera Manager Server to enable automatic configuration of TLS for supported components, such as HDFS, YARN, and so on. If you omit this option, auto-TLS is configured only for Cloudera Manager agent/server communication.

  - --rotate
    Backs up the certmanager root directory (/var/lib/cloudera-scm-server/certmanager by default, or the directory specified by the --location option) if it exists, and creates a new one in its place. If the directory does not exist, it is created. If the directory exists and you do not use the --rotate argument, the command fails.
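The two-phase setup (stop at the CSR, have the internal root CA sign it, resume with the signed intermediate certificate) is the case where the "same options and arguments" rule bites, because the two invocations are typically run hours apart. The following wrapper is an added example, not a Cloudera script: it keeps the shared options in one place, checks that the two command lines differ only in the phase flag, and exports the CA certificate at the end. The certmanager flags are the ones documented above; the CA DN (copied from the example on this page), the path of the signed intermediate certificate, and the export path are assumptions.

```shell
#!/bin/sh
# Added example (not Cloudera's code): drive certmanager setup in two phases
# with an internal-root-signed intermediate CA. Run as
#   RUN_PHASE=csr ./cm-auto-tls.sh      -> generates key + CSR, stops
#   (submit the CSR to the root CA, save the result as $SIGNED_CA_CERT)
#   RUN_PHASE=signed ./cm-auto-tls.sh   -> resumes setup, exports CM CA cert
set -eu

CERTMANAGER=/opt/cloudera/cm-agent/bin/certmanager
CM_DIR=/var/lib/cloudera-scm-server/certmanager   # default --location
CA_DN='CN=cm01,DC=example,DC=com'                  # example DN from the page; adjust to your environment
SIGNED_CA_CERT=/root/cm-intermediate-ca.pem        # assumed: where you saved the cert returned by the root CA
CA_EXPORT=/root/cm-ca.pem                          # assumed: where the exported CM CA cert goes

# Everything both invocations must share lives here, so the second run cannot
# drift from the first. Unquoted expansion below deliberately relies on none
# of these values containing whitespace.
COMMON_OPTS="--location $CM_DIR"
COMMON_SETUP_ARGS="--configure-services --override ca_dn=$CA_DN"

# Print (do not run) the full command line for a phase: "csr" or "signed".
build_setup_cmd() {
  case "$1" in
    csr)    echo "$CERTMANAGER $COMMON_OPTS setup $COMMON_SETUP_ARGS --stop-at-csr" ;;
    signed) echo "$CERTMANAGER $COMMON_OPTS setup $COMMON_SETUP_ARGS --signed-ca-cert=$SIGNED_CA_CERT" ;;
    *)      echo "unknown phase: $1" >&2; return 1 ;;
  esac
}

# Guard for the "same options and arguments" rule: strip the phase-specific
# flag from each command line and require the remainders to be identical.
phases_match() {
  a=$(build_setup_cmd csr | sed 's/ --stop-at-csr$//')
  b=$(build_setup_cmd signed | sed 's/ --signed-ca-cert=[^ ]*$//')
  [ "$a" = "$b" ]
}

case "${RUN_PHASE:-}" in
  csr)
    phases_match
    # Generates the intermediate CA key and CSR, prints the CSR path, and stops.
    $CERTMANAGER $COMMON_OPTS setup $COMMON_SETUP_ARGS --stop-at-csr
    ;;
  signed)
    phases_match
    [ -s "$SIGNED_CA_CERT" ] || { echo "signed intermediate cert not found: $SIGNED_CA_CERT" >&2; exit 1; }
    # Resumes setup with identical options plus the signed intermediate cert.
    $CERTMANAGER $COMMON_OPTS setup $COMMON_SETUP_ARGS --signed-ca-cert="$SIGNED_CA_CERT"
    # export_ca_cert writes to stdout; redirect it to a file for distribution
    # to client trust stores.
    $CERTMANAGER $COMMON_OPTS export_ca_cert > "$CA_EXPORT"
    ;;
  "") ;;   # no phase requested: only define the functions above
  *)  echo "usage: RUN_PHASE=csr|signed $0" >&2; exit 2 ;;
esac
```

If you change the location or the CA DN between the two phases, phases_match fails and the script exits before calling certmanager, which is cheaper than discovering the mismatch after the intermediate certificate has already been issued.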
