Updating the Certificate Parcels without a Restart

After you update the certificate parcel and distribute it to the nodes, you must restart the BDP PEP service. This restart enables Cloudera Manager to ensure that the state of the BDP PEP service is up to date and to link the service with the latest activated PTY_CERT parcel. However, restarting results in a loss of production hours. Therefore, Protegrity has introduced a feature that lets you update the certificate parcel without restarting the BDP PEP service.

To update the certificates parcel without restarting the BDP PEP service:

  1. Follow steps 1 to 23 in the section Updating the certificate parcels.

    Note: Do not restart the BDP PEP service at this point.

  2. Using a browser, navigate to the Cloudera Manager screen.

  3. Enter the Username.

  4. Enter the Password.

  5. Click Sign In.

    The Cloudera Manager Home page appears.

  6. From the left pane, click Parcels. The Cloudera Manager Parcels page appears.

  7. To distribute the Certificates parcel, click Distribute beside the PTY_CERT parcel. Cloudera Manager distributes the Certificates parcel to all the nodes and enables the Activate button.

  8. To activate the certificates parcel without a restart, click Activate beside the PTY_CERT parcel. The prompt to activate the certificates parcel appears.

  9. Select Activate Only.

  10. Click OK. Cloudera Manager deactivates the existing certificates parcel from all the nodes and activates the updated certificates parcel on all the nodes. After the activation is complete, Cloudera Manager enables the Deactivate option for the updated PTY_CERT parcel.

  11. Navigate to the Cloudera Manager home page. The Cloudera Manager home page indicates a stale configuration in the BDP PEP service because the updated certificates parcel was activated without a restart.

    Note: You can safely ignore the stale configuration alert because the update certificate feature does not require a restart of the BDP PEP service.

  12. To view the service page, click BDP PEP. The BDP PEP page appears.

  13. To update the certificates parcel on all the nodes, select Actions > Rotate certificates for all RP Agents.

    The prompt to confirm the action appears.

  14. Click Rotate certificates for all RP Agents. Cloudera Manager executes the rotate certificate command and updates the certificates used by the RP Agents on all the nodes in the cluster.

  15. Click Close.

    The command extracts the certificates from the latest activated PTY_CERT parcel directory /opt/cloudera/parcels/PTY_CERT/data/esacerts.tar to the default RP Agent directory /opt/cloudera/parcels/PTY_BDP/rpagent/data/ on each node. The RP Agent will establish a TLS connection, download the policy, and fetch the certificates from the rpagent/data/ directory every time it polls ESA. This eliminates the need to restart the service to fetch the updated certificates.

    Note: The BDP PEP service in Cloudera Manager will fetch the updated certificates (PTY_CERT) parcel on the new node whenever you add a new node to an existing cluster.
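
To confirm on a node that the rotation took effect, the following shell function compares each file in esacerts.tar with its copy in the RP Agent data directory. It is an added example, not part of the Protegrity documentation; the function name is hypothetical, and it assumes that archive members are extracted under their base file names and that sha256sum is available on the node.

```shell
#!/bin/sh
# Paths as given in the procedure above.
TAR_DEFAULT=/opt/cloudera/parcels/PTY_CERT/data/esacerts.tar
DIR_DEFAULT=/opt/cloudera/parcels/PTY_BDP/rpagent/data

# verify_rotation [TAR] [DIR]   (hypothetical helper, not a Protegrity tool)
# Returns 0 when every regular file in TAR exists in DIR with the same SHA-256,
# 1 when any file is missing or stale, 2 when TAR or DIR cannot be read.
# Only file paths are printed; key material and hashes never reach the output.
verify_rotation() {
    tar_file="${1:-$TAR_DEFAULT}"
    data_dir="${2:-$DIR_DEFAULT}"
    rc=0
    [ -r "$tar_file" ] || { echo "ERROR cannot read $tar_file" >&2; return 2; }
    [ -d "$data_dir" ] || { echo "ERROR no directory $data_dir" >&2; return 2; }
    while IFS= read -r member; do
        [ -n "$member" ] || continue
        case "$member" in */) continue ;; esac    # skip directory entries
        # Hash the member straight from the archive without writing it to disk.
        want=$(tar -xOf "$tar_file" "$member" | sha256sum | cut -d' ' -f1)
        # Assumption: members land in DIR under their base name.
        target="$data_dir/$(basename "$member")"
        if [ ! -f "$target" ]; then
            echo "MISSING $target"
            rc=1
            continue
        fi
        have=$(sha256sum < "$target" | cut -d' ' -f1)
        if [ "$want" = "$have" ]; then
            echo "OK      $target"
        else
            echo "STALE   $target"    # RP Agent would still use the old file
            rc=1
        fi
    done <<EOF
$(tar -tf "$tar_file")
EOF
    return "$rc"
}
```

Run `verify_rotation` with no arguments on each node after step 15, as a user that can read both locations; a STALE or MISSING line means the node did not receive the rotated files.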


Last modified : February 20, 2026