Configuring mutual TLS for Schema Registry

Schema Registry supports two-way TLS authentication, also known as mutual TLS or mTLS. Learn how to configure mutual TLS for Schema Registry.

In one-way (or regular) TLS, the client validates the server certificate to decide whether the server can be trusted. In two-way TLS authentication, each party sends its certificate to the other, so the client and the server validate each other.

You must have enabled server-side TLS as described in Configuring TLS Encryption Manually for Schema Registry.

  1. Go to your cluster in Cloudera Manager.
  2. Select Schema Registry from the list of services.
  3. Go to the Configuration tab.
  4. Search for the SSL Client Authentication property, and select the checkbox.
  5. Click Save Changes.

mTLS integrates with Ranger authorization as well. The TLS certificate sent by the client contains a subject field with a string value. By default, the contents of this value are passed to Ranger, which performs authorization against it.

The subject field may hold a complex value, and you might want to use a regular expression to extract the principal from it. In this case you can set the rules in Cloudera Manager.

  1. Go to your cluster in Cloudera Manager.
  2. Select Schema Registry from the list of services.
  3. Go to the Configuration tab.
  4. Search for the SSL Client Authentication Mapping Rules property, and set it.
    The mapping rules are in the same format as used for Kerberos principals. For more information, see: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=89071740.
  5. Search for the Schema Registry Kerberos Name Rules property, and set it.
    For example, in the following image the Schema Registry Kerberos Name Rules property is set to RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/L:
  6. Click Save Changes.
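As an added illustration (not Cloudera's or Schema Registry's own code), the following Python script applies mapping rules of the form shown above, RULE:<regex>/<replacement>/[LU] and DEFAULT as described in KIP-371 at the link above, to a client certificate subject DN and shows which principal string would be handed on for authorization. The rule is the one from this page; the subject DNs are constructed sample values, and the evaluation order (the first rule whose regex matches the whole DN wins, DEFAULT returns the DN unchanged, no matching rule is an error) is assumed from the Kafka behaviour that KIP describes rather than taken from this page.

```python
import re

# Assumed rule grammar, following Kafka's ssl.principal.mapping.rules (KIP-371):
#   RULE:<regex>/<replacement>/[L|U]    or    DEFAULT
# Several rules are joined with commas; a literal "/" inside the regex or the
# replacement is escaped as "\/". Evaluation: the first rule whose regex matches
# the whole DN wins; the optional L/U flag lower- or upper-cases the result.
_RULE_TOKEN = re.compile(r"RULE:(?:\\/|[^/])*/(?:\\/|[^/])*/[LU]?|DEFAULT")
_RULE_PARTS = re.compile(r"^RULE:((?:\\/|[^/])*)/((?:\\/|[^/])*)/([LU]?)$")


class MappingRule:
    """One parsed rule; apply() returns the principal, or None when it does not match."""

    def __init__(self, spec: str):
        self.spec = spec
        self.is_default = spec == "DEFAULT"
        if self.is_default:
            return
        m = _RULE_PARTS.match(spec)
        if m is None:
            raise ValueError(f"malformed mapping rule: {spec!r}")
        pattern, replacement, self.case_flag = m.groups()
        self.pattern = re.compile(pattern.replace(r"\/", "/"))
        # Java-style replacements reference groups as $1; Python's re.sub wants \1.
        self.replacement = re.sub(r"\$(\d+)", r"\\\1", replacement.replace(r"\/", "/"))

    def apply(self, dn: str):
        if self.is_default:
            return dn
        if self.pattern.fullmatch(dn) is None:
            return None
        result = self.pattern.sub(self.replacement, dn)
        if self.case_flag == "L":
            return result.lower()
        if self.case_flag == "U":
            return result.upper()
        return result


def parse_rules(config_value: str):
    """Split the property value into rules; commas inside a regex are preserved."""
    rules = [MappingRule(tok.group(0)) for tok in _RULE_TOKEN.finditer(config_value)]
    if not rules:
        raise ValueError("no mapping rules found")
    return rules


def map_principal(dn: str, rules) -> str:
    """Return the principal string that would be passed on for this certificate subject."""
    for rule in rules:
        result = rule.apply(dn)
        if result is not None:
            return result
    raise ValueError(f"no mapping rule matches subject {dn!r}")


# The rule from this page, followed by DEFAULT so that non-service subjects
# fall through unchanged instead of being rejected.
SERVICE_USER_RULE = r"RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/L"

if __name__ == "__main__":
    rules = parse_rules(SERVICE_USER_RULE + ",DEFAULT")
    # Constructed sample subjects (not from the page).
    for subject in ("CN=Schema-Client,OU=ServiceUsers,O=Example,C=US",
                    "CN=alice,OU=Staff,O=Example,C=US"):
        print(subject, "->", map_principal(subject, rules))
```

Running the script prints schema-client for the service certificate (the CN extracted and lowercased by the L flag) and the unchanged DN for the staff certificate. Checking a rule this way before saving it is worthwhile because a rule list without a matching rule or a DEFAULT fallback yields no principal at all for that client, so a mistyped regex can lock out every client whose subject it was meant to map.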