Simple Tool to Enable SSL/TLS for CM/CDH Cluster

Since earlier this year, Cloudera has run a new program that allows each Support Engineer to take a full week offline for self-learning. Topics can be chosen by each individual engineer so long as the outcome has value to the business: it can be the engineer skilling up with a certification that helps with day-to-day work, or a presentation to share with the rest of the team what he/she learnt during the week of self-learning. Last week, from the 27th of August to the 31st of August, was my turn.

After careful consideration, I decided that my knowledge of SSL/TLS needed to be skilled up, so I planned to find some SSL/TLS related courses on either SafariOnline or Lynda, and then see if I could enable SSL/TLS on Cloudera Manager as well as most of the CDH services, ideally putting everything into a script so that the process can be automated. I discussed this with my manager and we agreed on the plan.

On the first two days, I found a couple of very useful video courses on Lynda.com, see the links below:

SSL Certificates For Web Developers
Learning Secure Sockets Layer

They were very useful in helping me get a better understanding of the fundamentals of SSL/TLS and of how to generate keys and sign the certificate all by yourself.

After that I reviewed Cloudera’s official online documentation on how to enable SSL/TLS for Cloudera Manager as well as the rest of the CDH services, and built a little tool, written in shell script, that allows anyone to generate certificates on the fly and enable SSL/TLS for his/her cluster with a couple of simple commands.

The documentation links can be found below:

Configuring TLS Encryption for Cloudera Manager
Configuring TLS/SSL Encryption for CDH Services

I have published this little tool on GitHub and it is available here. Currently it supports enabling SSL/TLS for the following services:

Cloudera Manager (from Level 1 to Level 3 security)
HDFS
YARN
Hive
Impala
Oozie
HBase
Hue

With this tool, a user can enable SSL/TLS for any of the above services with ease in a few minutes.

If you have any suggestions or comments, please leave them in the comment section below, thanks.

ericlin.me Secured with SSL signed by “Let’s Encrypt”

Cloudera recently introduced a new way of self-learning for employees, especially in the Support organization, that allows each engineer to spend one week off duty doing full offline self-learning, every 4-6 months. There are lots of topics to choose from, ranging from publicly available courses to anything that we are interested in and that is also useful for our day-to-day work. This week is my turn, and I have chosen SSL/TLS to enhance my experience with CDH, because I have faced lots of customer cases involving TLS issues across a wide range of CDH components, including Hive, Impala and Oozie, so I need to skill up my knowledge in this area.

This is my second day into the week and I have finished two courses about TLS on Lynda.com:

Learning Secure Sockets Layer
SSL Certificate for Web Developers

As part of the learning, I have enhanced my knowledge of SSL/TLS and understand the process of enabling SSL/TLS for a website, from generating the private key up until getting the certificate signed and eventually enabled on an Apache/Nginx web server. I think it is a great time to enable SSL/TLS for my own blog as well, because the traffic to my blog has increased in the last couple of years and I do receive comments on my various blog posts every now and then. So securing my blog is a logical next step.

In the course SSL Certificate for Web Developers, provided by Kevin Skoglund, Kevin pointed out that since 2016, Let’s Encrypt has been offering free, automated signed certificates to the general public. So why not use it to get my blog secured? Even though the certificate needs to be renewed every 90 days, Certbot, the tool provided by Let’s Encrypt, not only installs the certificate for you with ease, but can also set up a cron job to renew the certificate automatically. All you need to do is install Certbot from here, select the web server and OS that match your site, follow the instructions, and your site can be secured by SSL/TLS in a few minutes.
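The two hands-on steps from these posts, signing a host certificate with your own CA (the cluster tool in the first post) and deciding whether a certificate is close enough to expiry to need renewal (the 90-day Let’s Encrypt cycle above), can both be shown with plain openssl. The script below is an added example, not the GitHub tool from the first post and not Certbot; it assumes openssl is installed, uses a temporary working directory, and the hostnames and validity periods are constructed for the demonstration. Importing the resulting key and certificate into the JKS keystores CDH services read is not covered here.

```shell
#!/bin/sh
# Added example (not the ericlin.me tool, not Certbot): build a private CA,
# issue a host certificate signed by it, verify the chain, and decide whether
# a certificate is within a renewal threshold, the way a renewal cron job would.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; constructed, not a CDH path

# Create a self-signed root CA key and certificate (10-year validity).
# With no extension config given, openssl req -x509 marks it CA:TRUE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for hostname $1, signed by the CA, valid $2 days.
# The SAN and serverAuth EKU are what TLS clients actually check on the host cert.
issue_host_cert() {
  host="$1"; days="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -sha256 -days "$days" \
    -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Print "ok" if the certificate for hostname $1 chains to our CA, else "fail".
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Print "yes" if certificate file $1 expires within $2 days (or has already
# expired), else "no". openssl -checkend exits 0 only if the cert is still
# valid past the given number of seconds, so a non-zero exit means renew.
renewal_due() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# Demonstration: one 90-day cert (the Let's Encrypt lifetime) and one 10-day cert.
if command -v openssl >/dev/null 2>&1; then
  make_ca
  issue_host_cert cm-host.example.com 90     # constructed hostname
  issue_host_cert short.example.com 10       # constructed hostname
  echo "chain cm-host.example.com: $(verify_chain cm-host.example.com)"
  echo "renew cm-host (30-day threshold): $(renewal_due "$WORK/cm-host.example.com.crt" 30)"
  echo "renew short   (30-day threshold): $(renewal_due "$WORK/short.example.com.crt" 30)"
fi
```

Running it prints `ok` for the chain check and `no`/`yes` for the two renewal decisions, since only the 10-day certificate falls inside the 30-day window; Certbot applies the same idea when its scheduled `renew` run decides which certificates to touch.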

Don’t forget that you also need to open port 443 on your cloud service, if you are using AWS or Google Cloud, as by default port 443 is blocked. Instructions differ depending on where your host is, so please Google around, as this topic goes beyond the scope of my post here.

I highly suggest you do this, because the trend in all modern browsers is that they will issue warnings to visitors if the site they are visiting is not secured. Your site will just look unprofessional and insecure, and visitors will think twice before entering any details on it, including submitting a simple comment. The number of secured sites is increasing and it will become the standard; below are some stats from Let’s Encrypt since its launch in 2016:

So, with this free service, it is time to secure your site without hesitation.