Hi @bgooley ! thanks for replying back. sorry for the delay since this COVID-19 situation i can't get to the cluster for troubleshooting steps until now. To follow up the test using the keystore and truststore of each cluster CM, i found that JKS files in both clusters CM are contains 2 entries : PrivateKeyEntry and trustedCertEntry with Certificate fingerprint (SHA1) completely identical, only differs in alias name Target BDR JKS content: Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries servercert, Dec 20, 2019, PrivateKeyEntry, Certificate fingerprint (SHA1): D8:41:3A:3E:D8:9B:81:0E:D8:49:F7:3E:F1:93:52:C5:FC:BB:E7:CE cmdrc.company.co.id, Dec 20, 2019, trustedCertEntry, Certificate fingerprint (SHA1): D8:41:3A:3E:D8:9B:81:0E:D8:49:F7:3E:F1:93:52:C5:FC:BB:E7:CE   Source BDR JKS content: Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries servercert, Jan 16, 2020, PrivateKeyEntry, Certificate fingerprint (SHA1): D8:41:3A:3E:D8:9B:81:0E:D8:49:F7:3E:F1:93:52:C5:FC:BB:E7:CE cmprod.company.co.id, Jan 16, 2020, trustedCertEntry, Certificate fingerprint (SHA1): D8:41:3A:3E:D8:9B:81:0E:D8:49:F7:3E:F1:93:52:C5:FC:BB:E7:CE While on truststore on each cluster CM, entries with same Certificate fingerprint (SHA1) were found also : Target BDR truststore jssecacerts content: rootca, Jan 16, 2020, trustedCertEntry, Certificate fingerprint (SHA1): D8:41:3A:3E:D8:9B:81:0E:D8:49:F7:3E:F1:93:52:C5:FC:BB:E7:CE   Source BDR truststore jssecacerts content: rootca2, Dec 20, 2019, trustedCertEntry, Certificate fingerprint (SHA1): D8:41:3A:3E:D8:9B:81:0E:D8:49:F7:3E:F1:93:52:C5:FC:BB:E7:CE   For another background, the process of setting TLS/SSL on both cluster are a bit different from Cloudera docs. Since the cluster share the same domain and security team already had signed certificate from trusted CA, we  were provided with signed wildcard certificate in .PEM and . KEY files. so instead of generate JKS file from Java keytool on Cloudera nodes, we executes this steps : Create p12 file by combining signed certificate CA from root to local PEM files with corresponding KEY files (openssl pkcs12 -export command) Convert p12 file to JKS file with name of each hostname (keytool -importkeystore -destkeystore command) Import the root CA certificate into the JDK truststore jssecacerts (keytool -importcert command) Also another question, is BDR are sufficient with Level 1: Encryption only TLS/SSL setup on both cluster or is it require more (Level 2 :server-side certificate validation or even Level 3: dual certificate validation)?   Many thanks, Al ... View more