Configure SSL Near Real-Time Monitoring on Port 50505 (Parcel)

By default, the port that Pepperdata uses for listening (port 50505 for PepAgents) is unsecured.

To secure the Supervisor and/or PepAgents’ ports in a cluster with Auto-TLS enabled, use the Enable TLS/SSL for Supervisor and/or Enable TLS/SSL for PepAgent parameters in Cloudera Manager, respectively. If the cluster is not enabled for Auto-TLS, you can configure the ports for secure SSL communication by using certificates and adding properties for the certificate’s keystore location, name, and password to the Pepperdata site file, pepperdata-site.xml.

(For information about accessing the stats that Pepperdata collects through its listeners, see Pepperdata Status Views via Web Servlets.)

Securing Ports: Auto-TLS Enabled Clusters

For clusters that are enabled for Auto-TLS, Pepperdata automatically enables the required CSD parameters for securing the ports. If the CSD parameters are disabled for any reason, you can re-enable them any time.

Prerequisites

  • Install Pepperdata on all the hosts in your cluster that you want Pepperdata to monitor.

Procedure

Unless the default CSD parameters for securing the ports on clusters enabled for Auto-TLS have been removed, skip this procedure.
  1. (Supervisor listening port) In Cloudera Manager, locate the Enable TLS/SSL for Supervisor parameter, and select it.

  2. (PepAgents listening port) In Cloudera Manager, locate the Enable TLS/SSL for PepAgent parameter, and select it.

  3. Restart the Hadoop services.

    1. In Cloudera Manager, navigate to your cluster’s YARN (MR2 Included) service > Instances, select all ResourceManager and NodeManager hosts, and in the Actions for Selected, select Restart.

    2. (If using HBase) Navigate back to the cluster view, and for the HBase service, select the Restart action.

Securing Ports: Clusters Without Auto-TLS

If the cluster is not enabled enabled for Auto-TLS, you can still manually secure the Supervisor and/or PepAgent listening ports.

Prerequisites

  1. Install Pepperdata on all the hosts in your cluster that you want Pepperdata to monitor.

  2. Provide a certificate to use for securing the HTTPS connections to port 50505.

    • PKCS #12 and JKS (Java KeyStore) certificates are supported.

      • If the certificate name extension is .jks, Pepperdata assumes that it is a JKS certificate.
      • For any other extension, Pepperdata assumes that it is a PKCS #12 certificate.
    • For highest security, we recommend using certificates that are signed by a trusted certificate authority (CA). Work with your security team or system administrator to obtain a certificate that complies with your organization’s security policies.

    • As a temporary measure or for non-production environments, you can use a self-signed certificate. Although not as secure as certificates from trusted CAs, self-signed certificates are better than transmitting account names and passwords in cleartext.

      You can use a commercial or open source tool to generate a self-signed certificate.

      • For example, the following command uses the Java keytool utility (keytool ) to generate a self-signed PKCS #12 certificate named testpepperpkcs.pfx, with password pepperdata given in the command-line argument -storepass, with an RSA key of size 2048, and writes it to the /etc/pepperdata directory:

        keytool -genkey -storetype PKCS12 -alias testpepperdatapkcs12 -keystore /etc/pepperdata/testpepperpkcs.pfx -keyalg RSA -storepass pepperdata -validity 730 -keysize 2048
        
      • Similarly, the following command uses the Java keytool utility (keytool ) to generate a self-signed JKS certificate named testpepperjks.jks, with password pepperdata given in the command-line argument -storepass, with an RSA key of size 2048, and writes it to the /etc/pepperdata directory:

        keytool -genkey -storetype JKS -alias testpepperdatajks -keystore /etc/pepperdata/testpepperjks.jks -keyalg RSA -storepass pepperdata -validity 730 -keysize 2048
        
  3. Encrypt your keystore password, and copy/note the result.

    1. Run the Pepperdata password encryption script.

      /opt/cloudera/parcels/PEPPERDATA_SUPERVISOR/supervisor/encrypt_password.sh

    2. At the Enter the password to encrypt: prompt, enter your keystore password.

    3. Copy (or make note of) the resulting encrypted password.

      For example, in the following output from the script, the encrypted password is the string W+ONY3ZcR6QLP5sqoRqcpA=2.

      Encrypted password is W+ONY3ZcR6QLP5sqoRqcpA=2

  4. Ensure that you have privileges to use the command line for copying the certificate to the required location on every host: the host’s /etc/pepperdata directory. If you do not have privileges, contact your System Administrator before starting the procedure.

Procedure

  1. On any host, ensure that the certificate (from the prerequisites) is available on the host, and note its certificate keystore location.

  2. Add the certificate’s keystore location and encrypted password to the Pepperdata configuration.

    Use Cloudera Manager to add the following snippet to the Pepperdata > Service Wide > Pepperdata Service Advanced Configuration Snippet (Safety Valve) for conf/pepperdata-site.xml template, as an XML block.

    Be sure to substitute your keystore name and keystore password for the your-keystore and your-encrypted-password placeholders in the following code snippet.

    <property>
      <name>pepperdata.supervisor.rpc.server.keystore.location</name>
      <value>/etc/pepperdata/your-keystore.pfx</value>
    </property>
    <property>
      <name>pepperdata.supervisor.rpc.server.keystore.password</name>
      <value>your-encrypted-password</value>
    </property>
    
  3. Restart the Hadoop services.

    1. In Cloudera Manager, navigate to your cluster’s YARN (MR2 Included) service > Instances, select all ResourceManager and NodeManager hosts, and in the Actions for Selected, select Restart.

    2. (If using HBase) Navigate back to the cluster view, and for the HBase service, select the Restart action.