|c3-short| Configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Create a file with a ``KafkaClient`` entry at ``/tmp/kafka_client_jaas.conf``. The ``KafkaClient`` section of
is where the principal for the client needs to be specified. This will be used later to authenticate the |c3-short| and Kafka Connect.

.. _controlcenter_security_kafkaclient:

.. sourcecode:: bash

  KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="confluent"
    password="confluent-secret";
  };

It is possible to pass the JAAS config file location as JVM parameter to each client JVM as

.. sourcecode:: bash

  -Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf

This will allow the ``confluent.monitoring.interceptor.`` and ``confluent.metrics.reporter.`` to communicate with the secured Kafka broker. Any broker with the 
``confluent.monitoring.interceptor.`` or ``confluent.metrics.reporter.`` will need to have a valid ``KafkaClient`` section in the JAAS config.

The |c3-short| needs to know that security is enabled. Internally, the |c3-short| uses Kafka Streams as a state store, so with a secured broker, they
also need to be secured.

Edit the ``<path-to-confluent>/etc/confluent-control-center/control-center.properties``:

.. sourcecode:: bash

  ########### Control Center security ###########
  confluent.controlcenter.streams.sasl.mechanism=PLAIN
  confluent.controlcenter.streams.security.protocol=SASL_PLAINTEXT

The |c3-short| can be now be started

.. sourcecode:: bash

  $ CONTROL_CENTER_OPTS=-Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf \
  <path-to-confluent>/bin/control-center-start <path-to-confluent>/etc/confluent-control-center/control-center.properties