Comment: An attempt at improving structure and making it clear what is needed versus what is not

...

ssl.keystore.location = /var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password = test1234
ssl.key.password = test1234
ssl.truststore.location = /var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password = test1234

Optional settings that are worth considering:

ssl.client.auth = none ("required" => client authentication is required, "requested" => client authentication is requested and a client without certs can still connect when this option is chosen)
ssl.protocol = TLS
ssl.provider (Optional. The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.)
ssl.cipher.suites = "A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol."
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1 (list the SSL protocols that you are going to accept from clients. Do note SSL is deprecated and using that in production is not recommended)
ssl.keystore.type = JKS
ssl.truststore.type = JKS

 

If you want to enable SSL for inter-broker communication, add the following to the broker properties file (it defaults to PLAINTEXT)

...

SSL is supported only for the new Kafka Producer and Consumer; the older API is not supported.
The configs for SSL will be the same for both producer and consumer.

If client authentication is not required in the broker, then the following is a minimal configuration example:

security.protocol = SSL
ssl.truststore.location = "/var/private/ssl/kafka.client.truststore.jks"
ssl.truststore.password = "test1234"
 
If client authentication is required, then a keystore must be created like in step 1 and the following must also be configured:

ssl.keystore.location = "/var/private/ssl/kafka.client.keystore.jks"
ssl.keystore.password = "test1234"
ssl.key.password = "test1234"

Other configuration settings that may also be needed depending on our requirements and the broker configuration:

ssl.provider (Optional). The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.
ssl.cipher.suites (Optional). "A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol."
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1 **Should list at least one of the protocols configured on the broker side**
ssl.keystore.type = "JKS"
ssl.truststore.type = "JKS"
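
The two client-side conditions above (ssl.enabled.protocols must share at least one entry with the broker, and a keystore is needed when the broker sets ssl.client.auth = required) can be checked before deployment. The Python script below is an added example, not part of the original wiki page or of Kafka; the function names and sample property values are constructed, and the default protocol list is assumed to be the one shown on this page.

```python
# Added example: broker/client SSL consistency check (all sample values constructed).

def parse_props(text):
    """Parse Java-style 'key = value' properties, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    return props

def protocols(props):
    # Assumption: when the key is unset, use the list shown on this page.
    raw = props.get("ssl.enabled.protocols", "TLSv1.2,TLSv1.1,TLSv1")
    return {p.strip() for p in raw.split(",") if p.strip()}

def check(broker, client):
    """Return a list of findings for a broker/client pair of property dicts."""
    findings = []
    if client.get("security.protocol") != "SSL":
        findings.append("client: security.protocol is not SSL")
    if not protocols(broker) & protocols(client):
        findings.append("no common entry in ssl.enabled.protocols")
    auth = broker.get("ssl.client.auth", "none")
    if auth == "required" and "ssl.keystore.location" not in client:
        findings.append("broker requires client auth but client has no keystore")
    if auth in ("none", "requested"):
        findings.append(f"broker: ssl.client.auth={auth} admits clients without certs")
    for side, props in (("broker", broker), ("client", client)):
        for proto in sorted(p for p in protocols(props) if p.upper().startswith("SSL")):
            findings.append(f"{side}: deprecated protocol {proto} is enabled")
    return findings

BROKER = parse_props("""
ssl.keystore.location = /var/private/ssl/kafka.server.keystore.jks
ssl.truststore.location = /var/private/ssl/kafka.server.truststore.jks
ssl.enabled.protocols = TLSv1.2
ssl.client.auth = required
""")
CLIENT = parse_props("""
security.protocol = SSL
ssl.truststore.location = "/var/private/ssl/kafka.client.truststore.jks"
ssl.enabled.protocols = TLSv1.1,TLSv1
""")

if __name__ == "__main__":
    print("\n".join(check(BROKER, CLIENT)))
```

With the constructed sample above, the check reports both the protocol mismatch and the missing client keystore; an empty list means the pair is consistent on these points.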

 

Examples using console-producer and console-consumer:

kafka-console-producer.sh --broker-list localhost:9093 --topic test --new-producer --producer-property "security.protocol=SSL"  --producer-property "ssl.truststore.location=client.truststore.jks" --producer-property "ssl.truststore.password=test1234"
 
# --consumer.config takes a properties file, not key=value pairs; client-ssl.properties is a
# placeholder name for a file holding the client SSL settings shown above.
kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --new-consumer --consumer.config client-ssl.properties