How to enable SSL/TLS connections between BE and Kafka

Article ID: KB0073241

Products: TIBCO BusinessEvents Enterprise Edition
Versions: 5.6

Description

We are now required to make connections to Kafka from BE over SSL/TLS. Until now, we've only been making insecure tcp connections. How can we configure our BE application and Kafka server to connect with each other over a secure port?

Issue/Introduction

Summarizes how to enable 1-way and 2-way SSL/TLS connections between BE and Kafka.

Environment

All Supported Platforms

Resolution

A successful SSL/TLS connection requires the Kafka server to present its public certificate to the client, and it requires the client to be configured to trust the Kafka server's identity, which is done by adding the Kafka server's issuer (CA) certificate to the client's trust store. In this case, the client is your BE application that uses the Kafka Channel. To make the Kafka server listen on an SSL port and present its certificate, set the following in your Kafka server configuration file:
listeners=PLAINTEXT://:9092,SSL://:9093

advertised.listeners=PLAINTEXT://kafka.server.host:9092,SSL://kafka.server.host:9093

zookeeper.connect=kafka.server.host:2181

#### SSL config ####
ssl.keystore.location=/path/to/kafka.server.keystore.jks
ssl.keystore.password=serversecret
ssl.key.password=serversecret
ssl.truststore.location=/path/to/kafka.server.truststore.jks
ssl.truststore.password=serversecret
where:
  • kafka.server.host = the publicly-accessible hostname of the Kafka server
  • kafka.server.keystore.jks = the keystore containing the Kafka server's private key
  • kafka.server.truststore.jks = the truststore containing the Kafka server's issuer (CA) certificate
Next, create an empty client keystore file. This can be done with the keytool utility supplied with your TIBCO JRE installation (under $TIBCO_HOME/tibcojre64/<version>/bin/), for example:
keytool -genkeypair -alias deleteme -storepass storePassword -keypass secretPassword -keystore client.keystore.jks -dname "CN=Developer, OU=Department, O=Company, L=City, ST=State, C=CA"

keytool -delete -alias deleteme -storepass storePassword -keystore client.keystore.jks

keytool -list -keystore client.keystore.jks -storepass storePassword

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries
In your BE project under the SharedResources directory, create a client identity file. Right-click on the SharedResources directory and select New > Other > TIBCO Shared Resources > Identity Resource, and name it 'client'. Open the generated client.id file in the Studio Identity editor, and set the following:
  • URL = path to the client keystore file (e.g. C:/keystores/client.keystore.jks)
  • File Type = JKS
  • Password = storePassword
In your Kafka Channel definition in BE (*.channel), set the following:
  • Kafka Broker URLs = kafka.server.host:9093
  • Security Protocol = SSL
then click Configure SSL, and set the following:
  • Trusted Certificates Folder = The folder where the Kafka server's issuer (CA) certificate is located. If the cert is located in a project sub-directory, you can click the browse button in the SSL configuration view, and browse to that folder. If the cert is located outside of the project, then it should be set via a global variable. For example, if the issuer certificate is located in C:/trustedcerts/, set the value for your global variable to file:///C:/trustedcerts. Then specify this global variable in your SSL configuration for the Kafka channel using the %%global_variable_syntax%%. For example, if your global variable is named TRUSTED_CERTS_FOLDER, you would set the value for this property to %%TRUSTED_CERTS_FOLDER%%.
  • Identity = /SharedResources/client.id
  • Trust Store Password = A password for the temporary trust store that is generated when you start your BE application. This trust store will contain the certs found in your Trusted Certificates Folder. This trust store has a *.ks file extension, and is placed in a temp directory:
    • On Windows:  C:/Users/<YourWindowsUser>/AppData/Local/Temp/kafka_ssl_*.ks
    • On Linux:  /tmp/kafka_ssl_*.ks
You are now configured for 1-way SSL/TLS.

For 2-way SSL/TLS the BE client must provide a verifiable identity to the Kafka server. This identity may be stored in a certificate and imported into the client.keystore.jks you created earlier (again, using the keytool utility).

Once the client's certificate is placed in the client's keystore, the Kafka server must be configured to trust the BE client's identity. This means the BE client's issuer (CA) certificate needs to be added to the Kafka server's truststore. Following the above example, the BE client's issuer certificate would need to be added to /path/to/kafka.server.truststore.jks on the Kafka server (as set in the Kafka server configuration file).

Finally, configure the Kafka server to authenticate clients by setting the following in your Kafka server configuration file:
ssl.client.auth=required
You are now configured for 2-way SSL/TLS.
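The steps above, both the 1-way server configuration and the 2-way keystore work, as an added shell example that is not part of the TIBCO article: it checks a Kafka server.properties file for the settings the article requires (including ssl.client.auth=required for 2-way), and wraps the keytool commands for giving the BE client a real identity and for adding the client's CA certificate to the server truststore. The file names ca.crt, be-client.csr and be-client.crt, the alias names, the use of a single password for keystore and key, and the function names are assumptions of this example; kafka.server.host, storePassword, serversecret and /path/to/kafka.server.truststore.jks mirror the article's placeholders.

```shell
#!/bin/sh
# Added example (not from the TIBCO article). Assumed names: ca.crt (the
# issuer CA certificate), be-client.csr / be-client.crt, aliases beclient,
# caroot and beclientca. The article's placeholder values are reused as defaults.

# Write the article's example SSL settings to a server.properties file
# (constructed sample, used by check_kafka_ssl_config below).
write_sample_server_config() {
  cat > "$1" <<'EOF'
listeners=PLAINTEXT://:9092,SSL://:9093
advertised.listeners=PLAINTEXT://kafka.server.host:9092,SSL://kafka.server.host:9093
zookeeper.connect=kafka.server.host:2181
#### SSL config ####
ssl.keystore.location=/path/to/kafka.server.keystore.jks
ssl.keystore.password=serversecret
ssl.key.password=serversecret
ssl.truststore.location=/path/to/kafka.server.truststore.jks
ssl.truststore.password=serversecret
EOF
}

# Verify that server.properties carries everything the article requires.
#   $1 = properties file, $2 = "oneway" (default) or "mutual"
# Prints the missing keys and returns 1 if anything is absent.
check_kafka_ssl_config() {
  file=$1
  mode=${2:-oneway}
  missing=""
  grep -q '^listeners=.*SSL://' "$file" || missing="$missing listeners(SSL://)"
  for key in ssl.keystore.location ssl.keystore.password ssl.key.password \
             ssl.truststore.location ssl.truststore.password; do
    # "." in the key name matches any character here; good enough for a lint
    grep -q "^$key=." "$file" || missing="$missing $key"
  done
  if [ "$mode" = mutual ]; then
    grep -q '^ssl.client.auth=required$' "$file" || missing="$missing ssl.client.auth=required"
  fi
  if [ -n "$missing" ]; then
    echo "missing:$missing"
    return 1
  fi
  echo "server SSL config complete ($mode)"
}

# 2-way, client side, step 1: generate the BE client's key pair in the
# (previously emptied) client keystore and produce a CSR for your CA to sign.
# One password is used for keystore and key (assumption of this example).
create_client_csr() {
  keystore=${1:-client.keystore.jks}
  storepass=${2:-storePassword}
  keytool -genkeypair -alias beclient -keyalg RSA -keysize 2048 -validity 365 \
    -storepass "$storepass" -keypass "$storepass" -keystore "$keystore" \
    -dname "CN=be-client, OU=Department, O=Company, L=City, ST=State, C=CA"
  keytool -certreq -alias beclient -storepass "$storepass" -keystore "$keystore" \
    -file be-client.csr
}

# 2-way, client side, step 2: once the CA has signed be-client.csr, import the
# CA certificate first (so keytool can build the chain) and then the signed cert.
import_client_identity() {
  keystore=${1:-client.keystore.jks}
  storepass=${2:-storePassword}
  ca_cert=${3:-ca.crt}
  signed_cert=${4:-be-client.crt}
  keytool -importcert -alias caroot -file "$ca_cert" -storepass "$storepass" \
    -keystore "$keystore" -noprompt
  keytool -importcert -alias beclient -file "$signed_cert" -storepass "$storepass" \
    -keystore "$keystore" -noprompt
  keytool -list -keystore "$keystore" -storepass "$storepass"
}

# 2-way, server side: make the broker trust the BE client's issuer CA.
trust_client_ca_on_server() {
  ca_cert=${1:-ca.crt}
  truststore=${2:-/path/to/kafka.server.truststore.jks}
  keytool -importcert -alias beclientca -file "$ca_cert" -storepass serversecret \
    -keystore "$truststore" -noprompt
}

# Quick check that the SSL listener answers and shows which certificate it presents.
probe_kafka_tls() {
  host=${1:-kafka.server.host}
  port=${2:-9093}
  ca_cert=${3:-ca.crt}
  openssl s_client -connect "$host:$port" -CAfile "$ca_cert" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}
```

Run `check_kafka_ssl_config /path/to/server.properties mutual` after editing the broker configuration to catch a forgotten ssl.client.auth line before restarting the broker; the keytool functions are meant to be called in order (create_client_csr, have the CSR signed, import_client_identity, trust_client_ca_on_server), and probe_kafka_tls confirms the SSL listener presents a certificate chaining to the CA you placed in the Trusted Certificates Folder.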