Setting up mTLS for Prometheus

Along with or instead of basic authentication, mTLS can also be used for client authentication.

When using mTLS, both the server and the client authenticate themselves with a TLS certificate. As Streams Messaging Manager (SMM) is configured to recognize Nginx’s certificate, it needs to be configured the other way around.

  1. Export SMM’s certificate or its CA certificate.
    • In case of Auto-TLS, it is
    • In case of manual TLS, you can use keytool to export the certificate. For example,
      keytool -exportcert -rfc -keystore /opt/cloudera/smm_keystore.jks -alias smm -file smm.cer
  2. Add the highlighted lines to Nginx server configuration (/etc/nginx/nginx.conf or a custom configuration file in the /etc/nginx/conf.d directory).
        server {
            listen              9443 ssl;
            server_name         _;
            ssl_certificate     /<PATH TO CERTIFICATE>/nginx-server-crt.pem;
            ssl_certificate_key /<PATH TO CERTIFICATE>/nginx-server-key.pem;
            ssl_client_certificate /<PATH TO SMM’S CERTIFICATE>;
            ssl_verify_client      on;
            location /prometheus/ {
                proxy_pass http://localhost:9090/;
  3. Restart Nginx.