安装cloudermanager时如何正确Configuring TLS Security for Cloudera Manager

发布时间:2017-7-9 7:20:22编辑:www.fx114.net 分享查询网我要评论
本篇文章主要介绍了"安装cloudermanager时如何正确Configuring TLS Security for Cloudera Manager ",主要涉及到安装cloudermanager时如何正确Configuring TLS Security for Cloudera Manager 方面的内容,对于安装cloudermanager时如何正确Configuring TLS Security for Cloudera Manager 感兴趣的同学可以参考一下。

  参考官网

https://www.cloudera.com/documentation/enterprise/5-2-x/topics/cm_sg_config_tls_security.html

Configuring TLS Security for Cloudera Manager

Important:

  • Cloudera strongly recommends that you set up a fully-functional CDH cluster and Cloudera Manager before you begin configuring the Cloudera Manager Server and Agents to use TLS.
  • Cloudera Manager will continue to accept HTTP requests on port 7180 (default) but will immediately redirect clients to port 7183 for HTTPS connectivity once TLS is enabled.
  • Once Level 3 TLS is configured, if you want to add new hosts running Agents, you must manually deploy the Cloudera Manager agent and daemon's packages for your platform, issue a new certificate for the host, configure /etc/cloudera-scm-agent/config.ini to use SSL/TLS and then bring the host online.

    Conversely, you can disable TLS to add the host, configure the new host for TLS, then re-enable with the proper configuration in place. Either approach is valid, based on your needs.

  • For all hosts running Agents, Cloudera recommends you start with creating the keystore in Java first, and then exporting the key and certificate using openSSL for use by the Agent or Hue.

翻译就是:

  重要:
  Cloudera强烈建议您在开始配置Cloudera Manager服务器和代理使用TLS之前,设置完整功能的CDH群集和Cloudera Manager。
  Cloudera Manager将继续接收端口7180上的HTTP请求(默认值),但一旦启用TLS,它将立即将客户端重定向到端口7183以进行HTTPS连接。
一旦配置了3级TLS,如果要添加运行代理的新主机,则必须手动部署适用于您的平台的Cloudera Manager代理和守护程序软件包,为主机发出新的证书,配置/ etc /   cloudera-scm-agent / config.ini使用SSL / TLS,然后使主机联机。
相反,您可以禁用TLS添加主机,配置TLS的新主机,然后重新启用适当的配置。任何一种方法都是有效的,根据您的需要。

  对于运行代理的所有主机,Cloudera建议您首先使用Java创建密钥库,然后使用openSSL导出密钥和证书以供代理或色相使用。

   

   Transport Layer Security (TLS) provides encryption and authentication in the communications between the Cloudera Manager Server and Agents. Encryption prevents snooping of communications, and authentication helps prevent malicious servers or agents from causing problems in your cluster.

  Cloudera Manager supports three levels of TLS security. It is necessary to work through the configuration of Level 1, and then Level 2 TLS to be able to configure Level 3 encryption. The configurations build on each other to reach Level 3 which is the strongest level of TLS security.

  翻译就是:

  传输层安全性(TLS)在Cloudera Manager服务器和代理之间的通信中提供加密和身份验证。 加密可防止通信侦听,并且身份验证有助于防止恶意服务器或代理在群集中引起问题。
  Cloudera Manager支持三种级别的TLS安全性。 有必要通过配置1级,然后2级TLS才能配置3级加密。 配置相互建立,达到3级,这是TLS安全性最强的级别。

 

 

  • Level 1 (Good) - This level only configures encrypted communication between the browser and Cloudera Manager, and between Agents and the Cloudera Manager Server. See Configuring TLS Encryption Only for Cloudera Manager followed by Level 1: Configuring TLS Encryption for Cloudera Manager Agents for instructions. Level 1 encryption prevents snooping of commands and controls ongoing communication between the Agents and Cloudera Manager.
  • Level 2 (Better) - This level includes encrypted communication between the Agents and the Server, as well as strong verification of the Cloudera Manager Server certificate by the Agents. See Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents. Level 2 provides Agents with an additional level of security by verifying trust for the certificate presented by the Cloudera Manager Server.
  • Level 3 (Best) - Encrypted communication between the Agents and the Server. Level 3 TLS includes encrypted communication between the Agents and the Server, strong verification of the Cloudera Manager Server certificate by the Agents and authentication of Agents to the Cloudera Manager Server using self-signed or CA-signed certs. See Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server. Level 3 addresses the untrusted network scenario where you need to prevent cluster Servers being spoofed by untrusted Agents running on a host. Cloudera recommends you configure Level 3 TLS encryption for untrusted network environments before enabling Kerberos authentication. This provides secure communication of keytabs between the Cloudera Manager Server and verified Agents across the cluster.

  翻译就是:

  级别1(好) - 此级别仅配置浏览器和Cloudera Manager之间以及代理和Cloudera Manager服务器之间的加密通信。请参阅仅为Cloudera Manager配置TLS加密,然后按照级别1:为Cloudera Manager代理配置TLS加密,以获取说明。 1级加密可以防止对代理和Cloudera Manager之间的通信进行窥探。
  级别2(更好) - 此级别包括代理和服务器之间的加密通信,以及代理对Cloudera Manager服务器证书的强大验证。请参阅第2级:由代理配置Cloudera Manager服务器的TLS验证。级别2通过验证由Cloudera Manager服务器提供的证书的信任,为代理提供额外的安全级别。
  级别3(最佳) - 代理和服务器之间的加密通信。 3级TLS包括代理和服务器之间的加密通信,由代理对Cloudera Manager服务器证书进行强大的验证,并使用自签名或CA签名的证书将代理验证到Cloudera Manager服务器。请参阅第3级:将代理的TLS验证配置到Cloudera Manager服务器。级别3解决了不受信任的网络场景,您需要防止群集服务器被主机上运行的不受信任的代理人欺骗。 Cloudera建议您在启用Kerberos身份验证之前,为不受信任的网络环境配置3级TLS加密。这提供了Cloudera Manager服务器和集群中经过验证的代理之间的keytab的安全通信。

 

   

  To enable TLS encryption for all connections between your Web browser running the Cloudera Manager Admin Console and the Cloudera Manager Server, see the first 2 steps of Level 1: Configuring TLS Encryption for Cloudera Manager Agents.

  For more details on how various aspects of HTTPS communication are handled by the Cloudera Manager Agents and the Cloudera Management Services daemons, see HTTPS Communication in Cloudera Manager.

 

  翻译就是:

  要启用运行Cloudera Manager管理控制台和Cloudera Manager服务器的Web浏览器之间的所有连接的TLS加密,请参阅Level 1:为Cloudera Manager代理配置TLS加密的前两步。

  有关如何通过Cloudera Manager代理和Cloudera管理服务守护程序处理HTTPS通信的各个方面的更多详细信息,请参阅Cloudera Manager中的HTTPS通信。

 

  我这里选择, Level 1: Configuring TLS Encryption for Cloudera Manager Agents


上一篇:Bootstrap缩略图
下一篇:oracle 常用命令

相关文章

相关评论

本站评论功能暂时取消,后续此功能例行通知。

一、不得利用本站危害国家安全、泄露国家秘密,不得侵犯国家社会集体的和公民的合法权益,不得利用本站制作、复制和传播不法有害信息!

二、互相尊重,对自己的言论和行为负责。

好贷网好贷款