Control Center Configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Create a file with a ``KafkaClient`` entry at ``/tmp/kafka_client_jaas.conf``. The ``KafkaClient`` section of
is where the principal for the client needs to be specified. This will be used later to authenticate the Control Center and Kafka Connect

.. _controlcenter_security_kafkaclient:

.. sourcecode:: bash

  KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="monitoring_interceptor"
    password="monitoring-interceptor-secret";
  };

It is possible to pass the JAAS config file location as JVM parameter to each client JVM as

.. sourcecode:: bash

  -Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf

This will allow the ``confluent.monitoring.interceptor.`` and ``confluent.metrics.reporter.`` to communicate with the secured Kafka broker. Any broker with the 
``confluent.monitoring.interceptor.`` or ``confluent.metrics.reporter.`` will need to have a valid ``KafkaClient`` section in the JAAS config.

The Control Center needs to know that security is enabled. Internally, the Control Center uses Kafka Streams as a state store, so with a secured broker, they
also need to be secured.

Edit the ``/tmp/control-center.properties``:

.. sourcecode:: bash

  ########### Control Center security ###########
  security.protocol=SASL_PLAINTEXT
  sasl.mechanism=PLAIN

  ########### Kafka Streams ###########
  confluent.controlcenter.streams.sasl.mechanism=PLAIN
  confluent.controlcenter.streams.security.protocol=SASL_PLAINTEXT

The Control Center can be now be started

.. sourcecode:: bash

  $ CONTROL_CENTER_OPTS=-Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf \
  KAFKA_OPTS=-Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf \
  ./bin/control-center-start /tmp/control-center.properties