Configure a Custom Certificate of Authority (Parcel)

If your environment includes a custom Certificate of Authority (CA) that contains custom or non-standard certificates/chains (such as self-signed certificates) that are not included in the set of standard certificates typically included in internet browsers, you must enable Pepperdata to find the CA file. You can either configure the REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables or install the custom CA file according to Cloudera’s requirements, which results in a known location/file that Pepperdata can find. The environment variables take precedence: if you assign them, Pepperdata does not search for the certificates anywhere else, and so will not find them even if you’ve installed them according to Cloudera’s requirements.

Choose the procedure for your preferred approach:

Procedure: Assign Environment Variables

  1. Add the environment variables for the locations of the CA bundle and SSL certificate filenames.

    Use Cloudera Manager to add the environment variables for the number of history fetcher retries to the Pepperdata > Configuration > PepAgent Environment Advanced Configuration Snippet (Safety Valve) template.

    Add the environment variables in the following format.

    • Be sure to substitute your CA bundle and SSL certificate filenames for the your-fully-qualified-ca-bundle-file and your-fully-qualified-ssl-cert-file placeholders in the following snippet, respectively.

    • If you set only one of the environment variables, Pepperdata assigns its value to the other environment variable.

    • The REQUESTS_CA_BUNDLE certificate is used by libraries that use the Python requests package.

    • The SSL_CERT_FILE certificate is used only by libraries that directly use OpenSSL instead of using the Python requests package.

    export REQUESTS_CA_BUNDLE=your-fully-qualified-ca-bundle-file
    export SSL_CERT_FILE=your-fully-qualified-ssl-cert-file
  2. Restart the Pepperdata services.

    In Cloudera Manager, select the Restart action for the PepAgent service.

Procedure: Install the Custom CA File per Cloudera Requirements

Be sure to leave the REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables unassigned. If you assign them, Pepperdata expects to find the certificates as assigned, and will not look anywhere else.
  • Consult the Cloudera documentation for how to install your (single) custom CA file in the Cloudera default location for CA files.

    The procedure and the default location vary according to your environment’s OS version.

    Pepperdata looks in the default locations for all supported OSes, and uses the first CA file that it finds. The locations can be symbolic links whose targets are the actual CA files.