Kafka SSL
For safe usage of Kafka, it is recommended to use mutual TLS. In this setup both brokers and clients have their own certificate. Also, because SSL does not trust anything by default, we need to make sure that the other side's certificates are trusted.
Kafka Configuration
Kafka is by default plaintext only. To enable SSL you need to configure the following:
Service configuration
- advertised.listeners: configuration where the Kafka broker listens for client connections, recommended value: PLAINTEXT://kafka3:9092,SSL://kafka3:9093
- ssl.keystore.filename: filename/location of the key store, example value: kafka_keystore.jks
- ssl.keystore.password: password of the key store, example value: changeit
- ssl.truststore.filename: filename/location of the trust store, example value: kafka_truststore.jks
- ssl.truststore.password: password of the trust store, example value: changeit
- security.inter.broker.protocol: protocol that will be used for communication between Kafka brokers. For local and dev deployment PLAINTEXT is recommended; for production deployment: SSL
- ssl.client.auth: this field enables/disables client authentication on the broker's side. To enable, set the value to: required
- security.protocol: protocol that will be used for verification. Use SSL or leave blank
Example configuration
Docker configuration
We need to configure the same things as in the service configuration, but for Docker we use environment variables. These variables correspond to the fields in the service configuration, but they are uppercase, use _ instead of . and have the prefix KAFKA_.
- KAFKA_ADVERTISED_LISTENERS: configuration where the Kafka broker listens for client connections, recommended value: PLAINTEXT://kafka3:9092,SSL://kafka3:9093
- KAFKA_SSL_KEYSTORE_FILENAME: filename/location of the key store, example value: kafka_keystore.jks
- KAFKA_SSL_KEYSTORE_CREDENTIALS: filename/location of the keystore credentials file, example value: kafka-keystore-creds
- KAFKA_SSL_KEY_CREDENTIALS: filename/location of the key credentials file, example value: kafka-key-creds
- KAFKA_SSL_TRUSTSTORE_FILENAME: filename/location of the trust store, example value: kafka_truststore.jks
- KAFKA_SSL_TRUSTSTORE_CREDENTIALS: filename/location of the truststore credentials file, example value: kafka-truststore-creds
- KAFKA_SECURITY_INTER_BROKER_PROTOCOL: protocol that will be used for communication between Kafka brokers. For local and dev deployment PLAINTEXT is recommended; for production deployment: SSL
- KAFKA_SSL_CLIENT_AUTH: this field enables/disables client authentication on the broker's side. To enable, set the value to: required
- KAFKA_SECURITY_PROTOCOL: protocol that will be used for verification. Use SSL or leave blank
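As an added example (not part of the Zenoo docs or the sample-hub-instance files), the following Python snippet applies the Docker naming rule above to map KAFKA_* variables back to broker property names, then checks a configuration for the mutual-TLS settings this page calls for, distinguishing the local/dev allowances from the production ones. The environment values are a constructed sample built from the recommended values on this page.

```python
from typing import Dict, List
# Constructed sample in Docker env style, mirroring the values recommended above.
SAMPLE_DOCKER_ENV = """
KAFKA_ADVERTISED_LISTENERS=PLAINTEXT://kafka3:9092,SSL://kafka3:9093
KAFKA_SSL_KEYSTORE_FILENAME=kafka_keystore.jks
KAFKA_SSL_KEYSTORE_CREDENTIALS=kafka-keystore-creds
KAFKA_SSL_KEY_CREDENTIALS=kafka-key-creds
KAFKA_SSL_TRUSTSTORE_FILENAME=kafka_truststore.jks
KAFKA_SSL_TRUSTSTORE_CREDENTIALS=kafka-truststore-creds
KAFKA_SECURITY_INTER_BROKER_PROTOCOL=PLAINTEXT
KAFKA_SSL_CLIENT_AUTH=required
""".splitlines()

def env_to_property(name: str) -> str:
    """KAFKA_SSL_CLIENT_AUTH -> ssl.client.auth (drop prefix, lowercase, '_' -> '.')."""
    if not name.startswith("KAFKA_"):
        raise ValueError(f"not a Kafka broker variable: {name}")
    return name[len("KAFKA_"):].lower().replace("_", ".")

def load_config(lines: List[str]) -> Dict[str, str]:
    """Parse key=value lines in either service (dotted) or Docker (KAFKA_) style."""
    cfg: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        cfg[env_to_property(key) if key.startswith("KAFKA_") else key] = value.strip()
    return cfg

def mtls_findings(cfg: Dict[str, str], production: bool) -> List[str]:
    """Return deviations from the mutual-TLS setup described on this page."""
    findings: List[str] = []
    listeners = cfg.get("advertised.listeners", "")
    if "SSL://" not in listeners:
        findings.append("advertised.listeners has no SSL:// listener")
    if production and "PLAINTEXT://" in listeners:
        findings.append("advertised.listeners still exposes PLAINTEXT:// in production")
    for key in ("ssl.keystore.filename", "ssl.truststore.filename"):
        if not cfg.get(key):
            findings.append(f"{key} is not set")
    if cfg.get("ssl.client.auth") != "required":  # broker would not verify client certificates
        findings.append("ssl.client.auth is not 'required'; clients are not authenticated")
    if production and cfg.get("security.inter.broker.protocol", "PLAINTEXT") != "SSL":
        findings.append("security.inter.broker.protocol must be SSL in production")
    for key in ("ssl.keystore.password", "ssl.truststore.password"):
        if cfg.get(key) == "changeit":  # service-style inline password left at the example value
            findings.append(f"{key} still uses the example value 'changeit'")
    return findings
```

Running mtls_findings(load_config(SAMPLE_DOCKER_ENV), production=True) reports the two settings this page says are only acceptable for local/dev (the PLAINTEXT listener and PLAINTEXT inter-broker traffic); with production=False the sample passes cleanly.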
Example configuration
Local
We will use Kafka with SSL in Docker, because we need to make some changes to the configuration and configuring through Docker Compose is the easiest option. A sample docker-compose file is located in the sample-hub-instance directory. But to use it, we need to generate keystores and truststores for both the brokers and the client (our application).
Generating keystores and truststores
To make this process less painful, we have a script that helps with it. The script is used like this:
./generate-stores.sh KEY_ALIAS TARGET_KEYSTORE.jks TARGET_TRUSTSTORE.jks
Where:
- KEY_ALIAS is the alias that the key will have in the keystore (and, with the suffix public, in the truststore)
- TARGET_KEYSTORE is the location of the keystore you want to add the key to. If the keystore doesn't exist it will be created.
- TARGET_TRUSTSTORE is the location of the truststore you want to add the public part of the key to. If the truststore doesn't exist it will be created.
The script runs three steps:
- Key generation - you will be prompted for the keystore's password (twice if the keystore doesn't exist yet)
- Public key extraction - you will be prompted for the keystore's password
- Public key import to trust store - you will be prompted for the trust store's password (twice if the trust store doesn't exist yet)