Manage SSL Certificates for Pulse Services and Connectors

If SSL/TLS is enabled for a Hadoop service, Kafka cluster, or other integration monitored by Pulse, update the SSL certificate files on the Pulse node before deploying or restarting Pulse services.

Pulse uses the following files to establish secure connections with SSL-enabled services:

cacerts – Java truststore that contains the certificates used for SSL/TLS authentication.
certs_password – Encrypted password used to access the truststore.

During Pulse CLI configuration, you provide the truststore path and password. Pulse securely stores the truststore information and encrypted credentials, allowing Pulse services, connectors, and streaming components to automatically authenticate with SSL-enabled services.

After updating the truststore or password files, push the changes to the Pulse database and restart the affected services to apply the updated SSL/TLS configuration.

The steps to configure SSL certificates for the Pulse UI service (ad-pulse-ui) remain different. For details, see Enable Native SSL/TLS for Pulse Web UI.

Before You Begin

Ensure that the truststore file is available in one of the following formats:

JKS (Java KeyStore)
PKCS12

SSL Certificate Management for Multiple Clusters

Pulse currently uses a single shared cacerts file for all SSL-enabled clusters.

When configuring a new SSL-enabled cluster, providing a new cacerts file overwrites the existing file and may affect previously configured SSL clusters.

Workaround: Before configuring additional SSL-enabled clusters, manually merge certificates from all clusters into a single cacerts file and use that combined file for configuration.

Add Truststore Files

Copy the following files to the security directory on the Pulse node:

Files:

Bash
    
xxxxxxxxxx
 
-rw-rw---- 1 acceldata acceldata      86     Jun  8 14:20  certs_password-rwxr-x--- 1 acceldata acceldata      167055 Jun  15 14:07 cacerts
Copy

Cacerts: Java truststore that contains the certificates used for SSL/TLS authentication.
Certs_password: Contains the encrypted password used to access the truststore.

Directory:

Bash
    
xxxxxxxxxx
 
/data01/acceldata/config/security
Copy

Update the Truststore Password

The default truststore password is:

Bash
    
xxxxxxxxxx
 
changeit
Copy

If you use a different truststore password, update the truststore and encrypted password file by running:

Bash
    
xxxxxxxxxx
 
accelo config cacerts
Copy

When prompted, provide the truststore file path and password.

Example:

Bash
    
xxxxxxxxxx
 
accelo config cacerts Enter the Java Keystore cacerts File Path: : /home/acceldata/kafka.truststore.jksEnter CaCerts Password (Press Enter to Skip, if its passwordless.): ************** INFO: cacerts stored in /data01/acceldata/config/security/cacerts Enter the Java Keystore jsseCaCerts File Path: : /home/acceldata/kafka.truststore.jksEnter JsseCaCerts Password (Press Enter to Skip, if its passwordless.): ************** INFO: jssecacerts stored in /data01/acceldata/config/security/jssecacertsINFO: Password file with encrypted password stored at: /data01/acceldata/config/security/certs_passwordINFO: cacerts configuration setup completed.
Copy

The command performs the following actions:

Copies the truststore to the Pulse security directory.
Creates or updates the jssecacerts truststore.
Encrypts and stores the truststore password in certs_password.
Updates the SSL certificate configuration used by Pulse services and connectors.

Configure Certificate Details During Cluster Configuration

The steps to configure SSL certificate details during cluster configuration are the same for standalone services, Ambari-managed clusters, and CDP clusters.

Run:

Bash
    
xxxxxxxxxx
 
accelo config cluster
Copy

When SSL is enabled for the cluster or any standalone service, and you select Yes for the question Do you use TLS? In the CLI questions, Pulse prompts for the following information:

Bash
    
xxxxxxxxxx
 
Enter the Truststore File path: $ACCELDATA_HOME/config/security/cacertsEnter Truststore password: **************
Copy

Pulse encrypts the password and stores it locally in:

Bash
    
xxxxxxxxxx
 
/data01/acceldata/config/security/certs_password
Copy

The truststore metadata and encrypted credentials are stored in MongoDB.

The connectors and other services automatically retrieve these details from the database and use them to authenticate with SSL-enabled services.
No additional connector-level certificate configuration is required.

Push the Changes to the Database

After updating the truststore or password configuration, push the changes to the Pulse database.

Run:

Bash
    
xxxxxxxxxx
 
accelo admin database push-config
Copy

This command updates the Pulse configuration stored in the database.

Restart the Affected Services

Restart any Pulse core service or add-on that uses the updated truststore.

Example:

Bash
    
xxxxxxxxxx
 
accelo restart ad-kafka-connector.yml
Copy

Verify Stored Credentials

To verify that the encrypted password file exists:

Bash
    
xxxxxxxxxx
 
cd config/securityls -l certs_password
Copy

To inspect the encrypted password file:

Bash
    
xxxxxxxxxx
 
vim certs_password
Copy

The password is stored in encrypted form and cannot be viewed in plain text.

Result

After the services restart:

Pulse uses the configured truststore for SSL/TLS authentication.
Connectors automatically retrieve SSL credentials from the database.
Streaming services can establish secure connections to monitored services.
No manual connector-level certificate configuration is required.

Last updated on

Was this page helpful?