Configure SSL Near Real-Time Monitoring on Port 50505 (RPM/DEB)
By default, the port that Pepperdata uses for listening (port 50505 for PepAgents) is unsecured.
(In Pepperdata Supervisor v7.1.10 or earlier, PepAgents on the ResourceManager hosts also listen on port 50510 for communication in addition to the common port 50505. Port 50510 is also unsecured. The steps below apply both to port 50505 and 50510 in Pepperdata Supervisor v7.1.10 or earlier. No extra step is needed to secure port 50510 separately.)
You can configure the ports for secure SSL communication by using certificates and adding properties for the certificate’s keystore location, name, and password to the Pepperdata site file, pepperdata-site.xml.
(For information about accessing the stats that Pepperdata collects through its listeners, see Pepperdata Status Views via Web Servlets.)
Prerequisites
- Install Pepperdata on all the hosts in your cluster that you want Pepperdata to monitor.
- Provide a certificate to use for securing the HTTPS connections to port 50505.
  Note: If the cluster configuration is managed by Cloudera Manager, and you do not have privileges to use the command line for generating and/or copying the certificate to the required locations, contact your System Administrator.
  - PKCS #12 and JKS (Java KeyStore) certificates are supported.
    - If the certificate name extension is .jks, Pepperdata assumes that it is a JKS certificate.
    - For any other extension, Pepperdata assumes that it is a PKCS #12 certificate.
  - For highest security, we recommend using certificates that are signed by a trusted certificate authority (CA). Work with your security team or system administrator to obtain a certificate that complies with your organization’s security policies.
  - As a temporary measure or for non-production environments, you can use a self-signed certificate. Although not as secure as certificates from trusted CAs, self-signed certificates are better than transmitting account names and passwords in cleartext.
    You can use a commercial or open source tool to generate a self-signed certificate.
    - For example, the following command uses the Java keytool utility to generate a self-signed PKCS #12 certificate named testpepperpkcs.pfx, with password pepperdata given in the command-line argument -storepass, with an RSA key of size 2048, and writes it to the /etc/pepperdata directory:
        keytool -genkey -storetype PKCS12 -alias testpepperdatapkcs12 -keystore /etc/pepperdata/testpepperpkcs.pfx -keyalg RSA -storepass pepperdata -validity 730 -keysize 2048
    - Similarly, the following command uses the Java keytool utility to generate a self-signed JKS certificate named testpepperjks.jks, with password pepperdata given in the command-line argument -storepass, with an RSA key of size 2048, and writes it to the /etc/pepperdata directory:
        keytool -genkey -storetype JKS -alias testpepperdatajks -keystore /etc/pepperdata/testpepperjks.jks -keyalg RSA -storepass pepperdata -validity 730 -keysize 2048
- Encrypt your keystore password, and copy/note the result.
  - Run the Pepperdata password encryption script.
      /opt/pepperdata/supervisor/encrypt_password.sh
  - At the "Enter the password to encrypt:" prompt, enter your keystore password.
  - Copy (or make note of) the resulting encrypted password.
    For example, in the following output from the script, the encrypted password is the string W+ONY3ZcR6QLP5sqoRqcpA=2.
      Encrypted password is W+ONY3ZcR6QLP5sqoRqcpA=2
Procedure
- Beginning with any host, ensure that the certificate (from the prerequisites) is available on the host, and note its certificate keystore location.
- Add the certificate’s keystore location and encrypted password to the Pepperdata configuration.
  - Open the host’s Pepperdata site file, pepperdata-site.xml, for editing.
    By default, the Pepperdata site file, pepperdata-site.xml, is located in /etc/pepperdata. If you customized the location, the file is specified by the PD_CONF_DIR environment variable. See Change the Location of pepperdata-site.xml for details.
  - Add the required properties.
    Be sure to substitute your keystore name and keystore password for the your-keystore and your-encrypted-password placeholders in the following code snippet.
      <property>
        <name>pepperdata.supervisor.rpc.server.keystore.location</name>
        <value>/etc/pepperdata/your-keystore.pfx</value>
      </property>
      <property>
        <name>pepperdata.supervisor.rpc.server.keystore.password</name>
        <value>your-encrypted-password</value>
      </property>
    Malformed XML files can cause operational errors that can be difficult to debug. To prevent such errors, we recommend that you use a linter, such as xmllint, after you edit any .xml configuration file.
  - Save your changes and close the file.
- Restart the PepAgent.
  You can use either the service (if provided by your OS) or systemctl command:
    sudo service pepagentd restart
    sudo systemctl restart pepagentd
  Tip: Any time you modify the yaml rules file, you must reload the rules file by restarting PepAgent.
- Repeat steps 1–4 on every host in your cluster. You can individually edit the Pepperdata site file, pepperdata-site.xml, on every host or you can distribute a common file to all hosts.
  Important: Be sure to repeat steps 1–4 on every host. If you skip the SSL configuration process on a host, Pepperdata cannot monitor it via the secured port.
- Restart the cluster’s ResourceManager.
- Restart every NodeManager in the cluster.
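
A check to run on each host after editing the site file and before restarting the PepAgent, as an added example that is not part of Pepperdata's documentation or tooling. It parses the file, confirms both keystore properties are set with no placeholders left in, and compares the keystore's leading bytes with the type Pepperdata will assume from the extension; the function names and the world-readable check are additions made here.

```python
import os
import xml.etree.ElementTree as ET

LOCATION = "pepperdata.supervisor.rpc.server.keystore.location"
PASSWORD = "pepperdata.supervisor.rpc.server.keystore.password"
PLACEHOLDERS = ("your-keystore", "your-encrypted-password")  # from the page's snippet


def assumed_type(path):
    """Keystore type Pepperdata assumes from the file name (rule stated on this page)."""
    return "JKS" if path.endswith(".jks") else "PKCS12"


def actual_type(path):
    """Keystore type according to the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == b"\xfe\xed\xfe\xed":   # JKS magic number
        return "JKS"
    if head[:1] == b"\x30":           # DER SEQUENCE tag that opens a PKCS #12 file
        return "PKCS12"
    return "unknown"


def check_site_file(site_path):
    """Return a list of problems; an empty list means every check passed."""
    try:
        root = ET.parse(site_path).getroot()
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in root.iter("property")}
    problems = []
    for name in (LOCATION, PASSWORD):
        value = props.get(name, "")
        if not value:
            problems.append(f"missing or empty property: {name}")
        elif any(ph in value for ph in PLACEHOLDERS):
            problems.append(f"placeholder left in {name}")
    keystore = props.get(LOCATION, "")
    if keystore and not os.path.isfile(keystore):
        problems.append(f"keystore not found: {keystore}")
    elif keystore:
        if actual_type(keystore) != assumed_type(keystore):
            problems.append(f"{keystore}: content is {actual_type(keystore)}, "
                            f"but the extension implies {assumed_type(keystore)}")
        if os.stat(keystore).st_mode & 0o004:  # added check, not from the page
            problems.append(f"keystore is world-readable: {keystore}")
    return problems
```

Call check_site_file("/etc/pepperdata/pepperdata-site.xml") (or the file under PD_CONF_DIR if you customized the location) and restart the PepAgent only when the returned list is empty.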