Control Center Configuration

Create a file with a KafkaClient entry at /tmp/kafka_client_jaas.conf. The KafkaClient section of is where the principal for the client needs to be specified. This will be used later to authenticate the Control Center and Kafka Connect.

KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="confluent"
  password="confluent-secret";
};

It is possible to pass the JAAS config file location as JVM parameter to each client JVM as

-Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf

This will allow the confluent.monitoring.interceptor. and confluent.metrics.reporter. to communicate with the secured Kafka broker. Any broker with the confluent.monitoring.interceptor. or confluent.metrics.reporter. will need to have a valid KafkaClient section in the JAAS config.

The Control Center needs to know that security is enabled. Internally, the Control Center uses Kafka Streams as a state store, so with a secured broker, they also need to be secured.

Edit the <path-to-confluent>/etc/confluent-control-center/control-center.properties:

########### Control Center security ###########
confluent.controlcenter.streams.sasl.mechanism=PLAIN
confluent.controlcenter.streams.security.protocol=SASL_PLAINTEXT

The Control Center can be now be started

$ CONTROL_CENTER_OPTS=-Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf \
<path-to-confluent>/bin/control-center-start <path-to-confluent>/etc/confluent-control-center/control-center.properties