Configuring Streams Messaging Manager to recognize Prometheus’s TLS certificate
You can configure Streams Messaging Manager either to use its own keystore or truststore, or to use the auto-TLS feature in Cloudera Manager. Cloudera recommends using the auto-TLS feature for Cloudera Data Platform clusters.
If the TLS proxy certificate is not recognized by Streams Messaging Manager, it must be added to the Streams Messaging Manager truststore. The procedure differs between the auto-TLS and the manual TLS setups.
Auto-TLS
- Go to
- Click Rotate Auto-TLS Certificates.
- In the Trusted CA Certificates Location field, enter the path to the Nginx server's certificate. For example, /etc/nginx/certs/ca-certificate.pem. Ensure that the file is accessible by the cloudera-scm user.
- Specify the authentication method with other nodes of the cluster (password or certificate).
- Click Next and follow the instructions in the wizard.
Manual TLS
You can use the keytool command to configure the manual TLS settings.
Keytool is a tool provided by the Java Runtime Environment to manipulate JKS-type keystores. You can find it in the bin folder of your JRE installation. For example, /usr/java/default/jre/bin/keytool.
- Use the following command to add the TLS proxy certificate to the Streams Messaging Manager truststore:
  keytool -import -file <TLS PROXY OR CA CERTIFICATE> -alias Nginx_for_Prometheus -keystore <STREAMS MESSAGING MANAGER TRUSTSTORE> -storepass <TRUSTSTORE PASSWORD>
  For example:
  keytool -import -file /etc/nginx/certs/ca-certificate.pem -alias Nginx_for_Prometheus -keystore smm_truststore.jks
  This command creates the truststore if it does not already exist.
- Create a keystore for Streams Messaging Manager if it does not already exist:
  keytool -genkey -keystore smm_keystore.jks -alias smm -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 3072
  This creates a keystore containing a self-signed key.
- Set the following Streams Messaging Manager properties in Cloudera Manager:
  - streams.messaging.manager.ssl.keyStorePath / ssl_server_keystore_location
  - ssl_server_keystore_password
  - ssl_server_keystore_keypassword (by default it is the same as the keystore file password)
  - streams.messaging.manager.ssl.trustStorePath / ssl_client_truststore_location
  - ssl_client_truststore_password
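The following POSIX sh wrapper is an added example and is not part of the Cloudera documentation or the Streams Messaging Manager product. It wraps the two keytool steps above (importing the TLS proxy certificate into the truststore, and generating the self-signed keystore) so that they can be run non-interactively from automation, checks the certificate file before keytool touches the truststore, reads passwords from environment variables with keytool's -storepass:env option instead of the command line, and verifies afterwards that the alias is actually present in the truststore. The function names, the SMM_TRUSTSTORE_PASS and SMM_KEYSTORE_PASS variable names and the PEM sanity check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Cloudera's code): validated, non-interactive wrappers
# around the keytool steps for the Streams Messaging Manager truststore and
# keystore. Function and variable names are this example's own assumptions.

# Return 0 if FILE is a readable PEM certificate, 1 otherwise.
# Catches the common failure where the path is right but the file is not
# readable by the account running the import, or is not a PEM certificate.
smm_check_pem_cert() {
    file="$1"
    [ -r "$file" ] || { echo "not readable: $file" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$file" \
        || { echo "no PEM certificate block in: $file" >&2; return 1; }
    grep -q -- '-----END CERTIFICATE-----' "$file" \
        || { echo "PEM certificate block not terminated in: $file" >&2; return 1; }
    return 0
}

# Import the TLS proxy (or CA) certificate into the SMM truststore.
# Usage: smm_import_proxy_cert CERT TRUSTSTORE [ALIAS]
# The truststore password is read from $SMM_TRUSTSTORE_PASS.
# Returns 0 on success, 1 on bad input, 2 if keytool is not on PATH,
# 3 if the alias is missing from the truststore after the import.
smm_import_proxy_cert() {
    cert="$1"; truststore="$2"; alias="${3:-Nginx_for_Prometheus}"
    smm_check_pem_cert "$cert" || return 1
    [ -n "${SMM_TRUSTSTORE_PASS:-}" ] \
        || { echo "SMM_TRUSTSTORE_PASS is not set" >&2; return 1; }
    command -v keytool >/dev/null 2>&1 \
        || { echo "keytool not on PATH; add <JRE>/bin to PATH" >&2; return 2; }
    # -storepass:env reads the password from the named environment variable,
    # so it does not appear in the process list or shell history;
    # -noprompt answers the "Trust this certificate?" question for automation.
    # As documented above, keytool creates the truststore if it does not exist.
    keytool -importcert -noprompt -file "$cert" -alias "$alias" \
        -keystore "$truststore" -storepass:env SMM_TRUSTSTORE_PASS || return 1
    # Verify that the alias really landed in the truststore.
    keytool -list -keystore "$truststore" -storepass:env SMM_TRUSTSTORE_PASS \
        -alias "$alias" >/dev/null 2>&1 || return 3
    return 0
}

# Create the SMM keystore with a self-signed key, mirroring the keytool
# -genkey parameters above, but without interactive prompts.
# Usage: smm_create_keystore KEYSTORE COMMON_NAME
# The keystore and key password are both read from $SMM_KEYSTORE_PASS
# (the page notes the key password defaults to the keystore password).
smm_create_keystore() {
    keystore="$1"; cn="$2"
    [ -e "$keystore" ] && { echo "keystore already exists: $keystore" >&2; return 0; }
    [ -n "${SMM_KEYSTORE_PASS:-}" ] \
        || { echo "SMM_KEYSTORE_PASS is not set" >&2; return 1; }
    command -v keytool >/dev/null 2>&1 \
        || { echo "keytool not on PATH; add <JRE>/bin to PATH" >&2; return 2; }
    keytool -genkeypair -keystore "$keystore" -alias smm -keyalg RSA \
        -sigalg SHA256withRSA -validity 365 -keysize 3072 -dname "CN=$cn" \
        -storepass:env SMM_KEYSTORE_PASS -keypass:env SMM_KEYSTORE_PASS || return 1
    # The keystore holds the private key: keep it readable only by its owner.
    chmod 600 "$keystore"
    return 0
}
```

Usage from a deployment script, with the passwords exported beforehand: `smm_import_proxy_cert /etc/nginx/certs/ca-certificate.pem /path/to/smm_truststore.jks` followed by `smm_create_keystore /path/to/smm_keystore.jks smm-host.example.com`. Both functions fail before invoking keytool when their inputs are wrong, so a misconfigured path or an unset password never produces a half-written store.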