Configuring SMM to recognize Prometheus’s TLS certificate

You can configure Streams Messaging Manager (SMM) either to use its own keystore or truststore, or to use the auto-TLS feature in Cloudera Manager. Cloudera recommends using the auto-TLS feature for CDP clusters.

If the TLS proxy’s certificate is not recognized by SMM, it must be added to SMM truststore. The process is different for auto-TLS and the manual TLS setups.


If the TLS proxy certificate is not recognized by the cluster, you can add the TLS proxy certificate to the CA truststore of the cluster by triggering a certificate regeneration. This involves restarting the services in the cluster.
  1. Go to Administration > Security from the left menu bar.

  2. Click Rotate Auto-TLS Certificates.
  3. In the Trusted CA Certificates Location field, enter the path to the Nginx server’s certificate. For example, /etc/nginx/certs/ca-certificate.pem. Ensure that the file is accessible by the cloudera-scm user.
  4. Specify the authentication method with other nodes of the cluster (password or certificate).
  5. Click Next and follow the instructions in the wizard.

Manual TLS

You can use the keytool command to configure the manual TLS settings.

Keytool is a tool provided by the Java Runtime Environment to manipulate JKS type keystores. You can find it in the bin folder of your JRE installation. For example, /usr/java/default/jre/bin/keytool.
  1. Use the following command to add the TLS proxy’s certificate to SMM’s truststore:
    keytool -import -file <TLS PROXY OR CA CERTIFICATE> -alias Nginx_for_Prometheus -keystore <SMM_TRUSTSTORE> -storepass <TRUSTSTORE PASSWORD>
    For example,
    keytool -import -file /etc/nginx/certs/ca-certificate.pem -alias Nginx_for_Prometheus -keystore smm_trusstore.jks

    This command creates the truststore if it does not already exist.

  2. Create a keystore for SMM if it does not already exist:
    keytool -genkey -keystore smm_keystore.jks -alias smm -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 3072

    It creates a keystore with a self-signed key.

  3. Set the following SMM properties in Cloudera Manager:
    • streams.messaging.manager.ssl.keyStorePath/ssl_server_keystore_location
    • ssl_server_keystore_password
    • ssl_server_keystore_keypassword (by default it is the same as the keystore file password)
    • streams.messaging.manager.ssl.trustStorePath/ssl_client_truststore_location
    • ssl_client_truststore_password