Setting up mTLS for Prometheus

Along with or instead of basic authentication, mTLS can also be used for client authentication.

When using mTLS, both the server and the client authenticate themselves with a TLS certificate. As Streams Messaging Manager is configured to recognize Nginx’s certificate, it needs to be configured the other way around.

Export the certificate or CA certificate of Streams Messaging Manager.
- In case of Auto-TLS, it is
```
/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_cacerts.pem
```
  or
```
/var/lib/cloudera-scm-agent/agent-cert/cm-auto-in_cluster_ca_cert.pem
```
- In case of manual TLS, you can use keytool to export the certificate. For example,
```
keytool -exportcert -rfc -keystore /opt/cloudera/smm_keystore.jks -alias smm -file smm.cer
```

Add the highlighted lines to Nginx server configuration (/etc/nginx/nginx.conf or a custom configuration file in the /etc/nginx/conf.d directory).

    server {
        listen              9443 ssl;
        server_name         _;
        ssl_certificate     /<PATH TO CERTIFICATE>/nginx-server-crt.pem;
        ssl_certificate_key /<PATH TO CERTIFICATE>/nginx-server-key.pem;
        ssl_client_certificate /<PATH TO STREAMS MESSAGING MANAGER CERTIFICATE>;
        ssl_verify_client      on;

        location /prometheus/ {
            proxy_pass http://localhost:9090/;
        }
    }

Restart Nginx.