Configuring SSL¶
Important
- Having a working understanding of the following topics will help in setting up a secured Control Center sucessfully.
- A Kafka broker setup using the existing SSL documentation.
- Familiarity with Authorization Settings
- Locations of the properties files for Kafka brokers, Connect producers and consumers, and the Control Center
Simply having a secured Kafka broker does not guarentee that the Control Center is secured and working. Each component communicating with a secured Control Center
requires a specific config to be set by prefix. The prefixes confluent.controlcenter.streams.
, confluent.metrics.reporter.
, producer.
, consumer.
, and confluent.monitoring.interceptor.
could conceiveably be configured (in different files of the Control Center stack) to secure the Control Center end to end. Not all confliguration settings may be required.
For instance, if you have not enabled the metrics reporter for a Kafka broker, there is no need to configure security for it.
The Control Center supports SSL one and two way authentication and can be enabled for different communications. Some possible configurations are:
- secured Client interceptors (Connect/Confluent/regular client) -> secured Control Center Broker
- secured Kafka Broker -> secured Control Center Broker
- secured Metrics Reporter + (un)secured Kafka Broker -> secured Control Center Broker
Kafka Brokers¶
If a Kafka broker has been set up to use SSL, the same configurations need to be set for the metrics reporter. In the link, a broker was set with the following configuration:
... sasl.mechanism.inter.broker.protocol=SSL ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks ssl.keystore.password=test1234 ssl.key.password=test1234 ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks ssl.truststore.password=test1234 ...
In order to secure the metrics reporter on the broker, the same values should be used with the prefix confluent.metrics.reporter.
.
In order to secure the stream monitoring interceptor on the broker, the same values should be used with the prefix confluent.monitoring.interceptor.
.
confluent.metrics.reporter.security.protocol=SSL confluent.metrics.reporter.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks confluent.metrics.reporter.ssl.keystore.password=test1234 confluent.metrics.reporter.ssl.key.password=test1234 confluent.metrics.reporter.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks confluent.metrics.reporter.ssl.truststore.password=test1234
Note
These settings will work against a secured Control Center running on a non-secured broker
There are other configuration options in the settings for Authorization
To learn more about overriding/setting configuration options for interceptors, go here.
Any configuration for the interceptor is prefixed by confluent.metrics.reporter.
.
Note
With any of the config changes, a restart of the service is required. When restarting brokers, make sure each broker is available before restarting another.
Control Center¶
The Control Center needs to know that security is enabled. Internally, the Control Center uses Kafka Streams as a state store, so with a secured broker, they also need to be secured.
The following changes need to be made to the control-center.properties
file:
security.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.controlcenter.streams.ssl.keystore.password=test1234
confluent.controlcenter.streams.ssl.key.password=test1234
confluent.controlcenter.streams.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.controlcenter.streams.ssl.truststore.password=test1234
Note
For a more detailed explaination of configuring Kafka client interceptors, click here.
Connect¶
The modifications to distributed connect works very similarly from the confluent.metrics.reporter
.
The connect documentation covers this thoroughly.
Complete Configuring Workers with Security and Configuring Connectors with Security. The Control Center uses both of those.
In addition to the generic Connect and producer/consumer changes, the monitoring interceptors should take the same configuration in the connect-distrubted.properties
:
#### Monitoring producer interceptor ####
producer.confluent.monitoring.interceptor.security.protocol=SSL
producer.confluent.monitoring.interceptor.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
producer.confluent.monitoring.interceptor.ssl.truststore.password=test1234
producer.confluent.monitoring.interceptor.ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
producer.confluent.monitoring.interceptor.ssl.keystore.password=connector1234
producer.confluent.monitoring.interceptor.ssl.key.password=connector1234
consumer.confluent.monitoring.interceptor.security.protocol=SSL
consumer.confluent.monitoring.interceptor.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
consumer.confluent.monitoring.interceptor.ssl.truststore.password=test1234
consumer.confluent.monitoring.interceptor.ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
consumer.confluent.monitoring.interceptor.ssl.keystore.password=connector1234
consumer.confluent.monitoring.interceptor.ssl.key.password=connector1234