Configure SSL Near Real-Time Monitoring on Port 50505 (RPM/DEB)

By default, the port that Pepperdata uses for listening (port 50505 for PepAgents) is unsecured.

You can configure the ports for secure SSL communication by using certificates and adding properties for the certificate’s keystore location, name, and password to the Pepperdata site file, pepperdata-site.xml. (For information about accessing the stats that Pepperdata collects through its listeners, see Pepperdata Status Views via Web Servlets.)

Prerequisites

  1. Install Pepperdata on all the hosts in your cluster that you want Pepperdata to monitor.

  2. Provide a certificate to use for securing the HTTPS connections to port 50505.

    • PKCS #12 and JKS (Java KeyStore) certificates are supported.

      • If the certificate name extension is .jks, Pepperdata assumes that it is a JKS certificate.
      • For any other extension, Pepperdata assumes that it is a PKCS #12 certificate.
    • For highest security, we recommend using certificates that are signed by a trusted certificate authority (CA). Work with your security team or system administrator to obtain a certificate that complies with your organization’s security policies.

    • As a temporary measure or for non-production environments, you can use a self-signed certificate. Although not as secure as certificates from trusted CAs, self-signed certificates are better than transmitting account names and passwords in cleartext.

      You can use a commercial or open source tool to generate a self-signed certificate.

      • For example, the following command uses the Java keytool utility (keytool) to generate a self-signed PKCS #12 certificate named testpepperpkcs.pfx, with password pepperdata given in the command-line argument -storepass, with an RSA key of size 2048, and writes it to the /etc/pepperdata directory:

        keytool -genkey -storetype PKCS12 -alias testpepperdatapkcs12 -keystore /etc/pepperdata/testpepperpkcs.pfx -keyalg RSA -storepass pepperdata -validity 730 -keysize 2048
        
      • Similarly, the following command uses the Java keytool utility (keytool) to generate a self-signed JKS certificate named testpepperjks.jks, with password pepperdata given in the command-line argument -storepass, with an RSA key of size 2048, and writes it to the /etc/pepperdata directory:

        keytool -genkey -storetype JKS -alias testpepperdatajks -keystore /etc/pepperdata/testpepperjks.jks -keyalg RSA -storepass pepperdata -validity 730 -keysize 2048
        
  3. Encrypt your keystore password, and copy/note the result.

    1. Run the Pepperdata password encryption script.

      /opt/pepperdata/supervisor/encrypt_password.sh

    2. At the Enter the password to encrypt: prompt, enter your keystore password.

    3. Copy (or make note of) the resulting encrypted password.

      For example, in the following output from the script, the encrypted password is the string W+ONY3ZcR6QLP5sqoRqcpA=2.

      Encrypted password is W+ONY3ZcR6QLP5sqoRqcpA=2

Procedure

  1. Beginning with any host, ensure that the certificate (from the prerequisites) is available on the host, and note its certificate keystore location.

  2. Add the certificate’s keystore location and encrypted password to the Pepperdata configuration.

    1. Open the host’s Pepperdata site file, pepperdata-site.xml, for editing.

      By default, the Pepperdata site file, pepperdata-site.xml, is located in /etc/pepperdata. If you customized the location, the file is specified by the PD_CONF_DIR environment variable. See Change the Location of pepperdata-site.xml for details.

    2. Add the required properties.

      Be sure to substitute your keystore file name and the encrypted keystore password (from the prerequisites) for the your-keystore and your-encrypted-password placeholders in the following code snippet.

      <property>
        <name>pepperdata.supervisor.rpc.server.keystore.location</name>
        <value>/etc/pepperdata/your-keystore.pfx</value>
      </property>
      <property>
        <name>pepperdata.supervisor.rpc.server.keystore.password</name>
        <value>your-encrypted-password</value>
      </property>
      
      Malformed XML files can cause operational errors that can be difficult to debug. To prevent such errors, we recommend that you use a linter, such as xmllint, after you edit any .xml configuration file.

    3. Save your changes and close the file.

  3. Restart the PepAgent.

    You can use either the service (if provided by your OS) or systemctl command:

    • sudo service pepagentd restart
    • sudo systemctl restart pepagentd

  4. Repeat the preceding steps on every host in your cluster. You can individually edit the Pepperdata site file, pepperdata-site.xml, on every host or you can distribute a common file to all hosts.

  5. Restart the cluster’s ResourceManager.

  6. Restart every NodeManager in the cluster.
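The following shell script is an added example, not part of the Pepperdata documentation: it checks the two keystore properties in pepperdata-site.xml (and lints the file with xmllint when that tool is installed) before the PepAgent restart in step 3, and afterwards confirms that port 50505 presents a certificate. It assumes POSIX sh with awk, that the site file uses the one-element-per-line layout of the snippet above, and that openssl is available for the post-restart check; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added pre-restart check (not part of the Pepperdata documentation).
# Verifies the two keystore properties in pepperdata-site.xml and the keystore
# file they point to. Assumes POSIX sh and awk; xmllint is used only if present.

LOCATION_PROP="pepperdata.supervisor.rpc.server.keystore.location"
PASSWORD_PROP="pepperdata.supervisor.rpc.server.keystore.password"

# Print the <value> of a property (one XML element per line, as in the snippet).
site_value() {   # site_value SITE_FILE PROPERTY_NAME
    awk -v prop="$2" '
        index($0, "<name>" prop "</name>") { want = 1; next }
        want && match($0, "<value>[^<]*</value>") {
            print substr($0, RSTART + 7, RLENGTH - 15); exit
        }' "$1"
}

# Keystore type as Pepperdata infers it: .jks means JKS, anything else PKCS #12.
keystore_type() {   # keystore_type KEYSTORE_PATH
    case "$1" in
        *.jks) echo JKS ;;
        *)     echo PKCS12 ;;
    esac
}

# Returns 0 if the site file is well-formed XML, both properties are set to
# non-placeholder values, and the keystore exists and is not world-readable.
check_site_file() {   # check_site_file SITE_FILE
    site="$1"
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$site" || { echo "malformed XML: $site" >&2; return 1; }
    fi
    loc=$(site_value "$site" "$LOCATION_PROP")
    pw=$(site_value "$site" "$PASSWORD_PROP")
    [ -n "$loc" ] || { echo "missing $LOCATION_PROP" >&2; return 1; }
    [ -n "$pw" ] && [ "$pw" != "your-encrypted-password" ] \
        || { echo "missing or placeholder $PASSWORD_PROP" >&2; return 1; }
    [ -f "$loc" ] || { echo "keystore not found: $loc" >&2; return 1; }
    # Private key material should not be readable by every local account.
    [ -z "$(find "$loc" -perm -004 2>/dev/null)" ] \
        || { echo "keystore $loc is world-readable" >&2; return 1; }
    echo "ok: $(keystore_type "$loc") keystore $loc"
}

# After the PepAgent restart: confirm the listener now presents a certificate.
verify_tls_listener() {   # verify_tls_listener HOST [PORT]
    openssl s_client -connect "$1:${2:-50505}" -servername "$1" </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}
```

Run check_site_file against /etc/pepperdata/pepperdata-site.xml on each host before restarting pepagentd, then verify_tls_listener against that host once the agent is back up.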