TLS/SSL settings for Streams Messaging Manager
To enable TLS/SSL settings for Streams Messaging Manager (SMM), you need to configure SMM server properties, SMM UI properties, and SMM Server’s Oracle TLS connection properties in Cloudera Manager according to the cluster configuration.
Properties | Description |
---|---|
SMM server properties | |
Enable TLS/SSL for Streams Messaging Manager Rest Admin
Server
|
Encrypt communication between clients and Streams Messaging Manager Rest Admin Server using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). |
Streams Messaging Manager port
(SSL)
|
HTTPS port Streams Messaging Manager rest server runs on when SSL is enabled. |
Streams Messaging Manager Admin Port
(SSL)
|
HTTPS admin port Streams Messaging Manager rest server runs on when SSL is enabled. |
SSL Keystore
Type
|
The keystore type. Required if Streams Messaging Manager rest server's SSL is enabled. e.g. PKCS12 or JKS. If it is left empty then the keystore type will come from CM settings. |
SSL TrustStore
Type
|
The truststore type. Required if streams messaging manager's ssl is enabled. e.g. PKCS12 or JKS. If it is left empty then the keystore type will come from CM settings. |
Streams Messaging Manager Rest Admin Server TLS/SSL Server JKS Keystore File
Location
|
The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Streams Messaging Manager Rest Admin Server is acting as a TLS/SSL server. |
Streams Messaging Manager Rest Admin Server TLS/SSL Server JKS Keystore File Password | The password for the Streams Messaging Manager Rest Admin Server keystore file. |
Streams Messaging Manager Rest Admin Server TLS/SSL Server JKS Keystore Key Password | The password that protects the private key contained in the keystore used when Streams Messaging Manager Rest Admin Server is acting as a TLS/SSL server. |
Streams Messaging Manager Rest Admin Server TLS/SSL Client Trust Store
File
|
The location on disk of the trust store used to confirm the authenticity of TLS/SSL servers that Streams Messaging Manager Rest Admin Server might connect to. This is used when Streams Messaging Manager Rest Admin Server is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead. |
Streams Messaging Manager Rest Admin Server TLS/SSL Client Trust Store Password | The password for the Streams Messaging Manager Rest Admin Server TLS/SSL Certificate Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information. |
Cloudera Manager Metrics TrustStore
Type
|
Cloudera Manager's truststore type. If it is left empty then the keystore type will come from CM settings. If it is left empty then the keystore type will come from CM settings. |
SSL
ValidateCerts
|
Whether or not to validate TLS certificates before starting. If enabled, it will refuse to start with expired or otherwise invalid certificates. |
SSL
validatePeers
|
Whether or not to validate TLS peer certificates. |
SMM UI properties | |
Enable TLS/SSL for Streams Messaging Manager UI
Server
|
Encrypt communication between clients and Streams Messaging Manager UI Server using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). |
Streams Messaging Manager UI Server TLS/SSL Server Private Key File (PEM
Format)
|
The path to the TLS/SSL file containing the private key used for TLS/SSL. Used when Streams Messaging Manager UI Server is acting as a TLS/SSL server. The certificate file must be in PEM format. |
Streams Messaging Manager UI Server TLS/SSL Server Certificate File (PEM
Format)
|
The path to the TLS/SSL file containing the server certificate key used for TLS/SSL. Used when Streams Messaging Manager UI Server is acting as a TLS/SSL server. The certificate file must be in PEM format. |
Streams Messaging Manager UI Server TLS/SSL Server CA Certificate (PEM
Format)
|
The path to the TLS/SSL file containing the certificate of the certificate authority (CA) and any intermediate certificates used to sign the server certificate. Used when Streams Messaging Manager UI Server is acting as a TLS/SSL server. The certificate file must be in PEM format, and is usually created by concatenating all of the appropriate root and intermediate certificates. |
Streams Messaging Manager UI Server TLS/SSL Private Key Password | The password for the private key in the Streams Messaging Manager UI Server TLS/SSL Server Certificate and Private Key file. If left blank, the private key is not protected by a password. |
Streams Messaging Manager UI Server TLS/SSL Certificate Trust Store
File
|
The location on disk of the trust store, in .pem format, used to confirm the authenticity of TLS/SSL servers that Streams Messaging Manager UI Server might connect to. This is used when Streams Messaging Manager UI Server is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead. |
SMM server’s Oracle TLS connection properties | |
Enable TLS with Oracle
DB
|
Enable TLS with Oracle as DB for Schema Registry. |
Oracle.net.ssl_version
|
Oracle net ssl version. |
Oracle TLS
javax.net.ssl.keyStore
|
Path to keystore file if enabling TLS using Oracle DB. |
Oracle TLS
javax.net.ssl.keyStoreType
|
KeyStoreType type if enabling TLS using Oracle DB. |
Oracle TLS
javax.net.ssl.keyStorePassword
|
KeyStorePassword if enabling TLS using Oracle DB. |
Oracle TLS
javax.net.ssl.trustStore
|
Required Path to truststore file if enabling TLS using Oracle DB. |
Oracle TLS
javax.net.ssl.trustStoreType
|
Required Truststore type if enabling TLS using Oracle DB. |
Oracle TLS
javax.net.ssl.trustStorePassword
|
TrustStorePassword type if enabling TLS using Oracle DB. |
Oracle TLS
oracle.net.ssl_cipher_suites
|
net ssl cipher suites if enabling TLS using Oracle DB e.g. SSL_DH_DSS_WITH_DES_CBC_SHA. |
Oracle TLS
oracle.net.ssl_server_dn_match
|
ssl server domain name match if enabling TLS using Oracle DB. |
Oracle TLS
oracle.net.authentication_services
|
Oracle net authentication service if enabling TLS using Oracle DB. |