Enabling SSL for Apache Kafka Wire Protocol Service
Describes the security protocol values that are needed to enable SSL for Apache Kafka Wire Protocol Service.
Data Access Gateway 5.1 and later added SSL support for the Apache Kafka Wire Protocol Service. This section provides examples for configuring /opt/mapr/data-access-gateway/conf/kafka-server.conf to enable SASL_SSL and SSL security in server-side and client-side configurations.
New Security Protocol Values

Release 7.2.0 and later support two new values for the security-protocol parameter of kafka-server.conf: SASL_SSL and SSL. When you specify the SASL_SSL value, you must also specify the corresponding sasl-mechanism value as indicated in the following table:

Specifying security-protocol as . . . | With sasl-mechanism as . . . | Enables |
---|---|---|
SASL_SSL | PLAIN (1) | Username/password-based (PAM) client authentication with SSL encryption and one-way SSL server authentication. |
SSL | (Unspecified) | SSL authentication (two-way mutual SSL authentication) and SSL encryption. |

(1) PLAIN is the only mechanism currently supported.

SASL_SSL Server-Side Configuration Example
Here is a typical SASL_SSL server-side configuration example:

kafka.server = {
  rpc = {
    # TCP port for the Kafka Wire protocol service. Default is 9092
    port = 9092
    # Configures authentication and encryption schemes
    # Supported values are PLAINTEXT|SASL_PLAINTEXT|SASL_SSL|SSL
    # To enable authentication, set to SASL_PLAINTEXT, SASL_SSL or SSL
    # Encryption is supported for SASL_SSL and SSL
    security-protocol = SASL_SSL
    # Configures list of SASL authentication mechanisms
    # The only supported mechanism in this release is PLAIN
    # Effective only if "security-protocol" is set to SASL_PLAINTEXT or SASL_SSL
    sasl-mechanism = PLAIN
  }
}
SASL_SSL Client-Side Configuration

You can configure the SASL_SSL client-side configuration the same way it is configured in Apache Kafka. In this configuration, /opt/mapr/conf/ssl_truststore performs the one-way SSL server authentication. For example:

security.protocol=SASL_SSL
ssl.truststore.location=/opt/mapr/conf/ssl_truststore
ssl.truststore.password=<some_password>
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="user1" password="user1";
SSL Server-Side Configuration

To make the SSL protocol work correctly in a server-side configuration, the cluster administrator MUST specify the rpc.ssl.principal-mapping-rules in the server config file. For example:

kafka.server = {
  rpc = {
    # TCP port for the Kafka Wire protocol service. Default is 9092
    port = 9092
    # Configures authentication and encryption schemes
    # Supported values are PLAINTEXT|SASL_PLAINTEXT|SASL_SSL|SSL
    # To enable authentication, set to SASL_PLAINTEXT, SASL_SSL or SSL
    # Encryption is supported for SASL_SSL and SSL
    security-protocol = SSL
    ssl.principal-mapping-rules = [
      "RULE:^CN=.*O=(.*?),.*$/$1/L,",
      "DEFAULT"
    ]
  }
}
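Because the mapped name is the identity the server authorizes, it is worth checking what user name a given client certificate DN produces before deploying a rule. The following Python is an added illustration, not code from the Data Access Gateway or Apache Kafka: it re-implements the rule semantics from the Kafka documentation (a RULE's regex must match the whole DN, $1-style groups fill the replacement, a trailing L or U lower- or upper-cases the result, and DEFAULT passes the DN through unchanged) and applies the rule from the configuration above to constructed sample DNs.

```python
import re
from typing import List, Tuple

# Rule grammar from the Kafka docs: RULE:<regex>/<replacement>/[L|U], or DEFAULT.
_RULE_RE = re.compile(r"RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?)")


def parse_rules(rules: List[str]) -> List[Tuple[str, str, str]]:
    """Parse ssl.principal-mapping-rules entries, preserving their order."""
    parsed = []
    for raw in rules:
        # Tolerate a trailing separator comma, as in the config above.
        rule = raw.strip().rstrip(",").strip()
        if rule == "DEFAULT":
            parsed.append(("DEFAULT", "", ""))
            continue
        m = _RULE_RE.match(rule)
        if not m:
            raise ValueError(f"malformed mapping rule: {raw!r}")
        pattern, replacement, case = m.groups()
        # Java-style $1 back-references become Python \1 for expand().
        replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
        parsed.append((pattern, replacement, case))
    return parsed


def map_principal(dn: str, rules: List[Tuple[str, str, str]]) -> str:
    """Return the user name the first matching rule yields for a certificate DN."""
    for pattern, replacement, case in rules:
        if pattern == "DEFAULT":
            return dn
        m = re.fullmatch(pattern, dn)  # the regex has to cover the entire DN
        if m:
            name = m.expand(replacement)
            if case == "L":
                return name.lower()
            if case == "U":
                return name.upper()
            return name
    raise ValueError(f"no mapping rule matched {dn!r}")


# The rule list from the server-side configuration on this page.
RULES = parse_rules(["RULE:^CN=.*O=(.*?),.*$/$1/L,", "DEFAULT"])

# Constructed sample DNs; not taken from any real deployment.
SAMPLE_DNS = [
    "CN=kafka-client,OU=eng,O=Acme,L=Austin,ST=TX,C=US",  # maps to "acme"
    "CN=monitor,C=US",                                    # no O=, falls to DEFAULT
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{dn} -> {map_principal(dn, RULES)}")
```

Note that every DN without an O= attribute falls through to DEFAULT and becomes a user name equal to the full DN, so a client whose certificate does not match the rule is still identified, just under a different name.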
The ssl.principal-mapping-rules parameter specifies a list of mapping rules. For information about how to configure the mapping rules, see Customizing the SSL User Name in the Kafka documentation.

SSL Client-Side Configuration
You can configure the client-side configuration the same way it is configured in Apache Kafka. In this configuration, the /opt/mapr/conf/ssl_truststore performs the SSL server authentication. To perform client authentication by the server, you must add the CA of the client certificate to the /opt/mapr/conf/ssl_truststore. Both the server and the client use this trust store file.

security.protocol=SSL
ssl.truststore.location=/opt/mapr/conf/ssl_truststore
ssl.truststore.password=<some_password>
ssl.keystore.location=/<client_cert_path>/example_ssl_client_keystore
ssl.keystore.password=<some_password>
ssl.key.password=<some_password>
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1