Securing Apache Kafka client communications
Set up secure, SSL-encrypted communication between Kafka clients and Kafka brokers (servers). Along with secured communication, you can also authenticate client applications with the Kafka brokers using either SASL or SSL.
Securing Kafka client communications using SSL
- Enable SSL on the Kafka broker.
Kafka brokers use the server.properties file for security configuration.
Important: The server.properties configuration file is used by Apache Kafka components, so the passwords must be stored in clear text format. It is important to ensure that you protect the file using file system permissions.
- Update the server.properties file to add the following security parameters:
listeners=SSL://<KAFKA_SERVER_HOSTNAME>:<KAFKA_SERVER_SSL_PORT>
ssl.keystore.location=<SSL_KEYSTORE_FILEPATH>
ssl.keystore.password=<KEYSTORE_PASSWORD>
ssl.key.password=<KEY_PASSWORD>
ssl.truststore.location=<SSL_TRUSTSTORE_FILEPATH>
ssl.truststore.password=<SSL_TRUSTSTORE_PASSWORD>
security.inter.broker.protocol=SSL
Replace the placeholders with the corresponding values for your deployment.
- If you want client authentication to be done using SSL, add the following additional parameter to the file:
ssl.client.auth=required
- Enable SSL on the Kafka client applications.
The InfoSphere® MDM implementation of Apache Kafka uses multiple client applications such as the Database Connector, batch stream processor, and runtime stream processor. These all must be secured.
- Configuring security for the Database Connector
The Database Connector uses the connect-distributed.properties file for security configuration.
Important: The connect-distributed.properties configuration file is used by Apache Kafka components, so the passwords must be stored in clear text format. It is important to ensure that you protect the file using file system permissions.
- Update the connect-distributed.properties file to add the following security parameters:
# Worker authentication settings
bootstrap.servers=SSL://<KAFKA_SERVER_HOSTNAME>:<KAFKA_SERVER_SSL_PORT>
security.protocol=SSL
ssl.truststore.location=<CLIENT_SSL_TRUSTSTORE_FILEPATH>
ssl.truststore.password=<CLIENT_SSL_TRUSTSTORE_PASSWORD>
# Source Connector authentication settings
producer.security.protocol=SSL
producer.ssl.truststore.location=<CLIENT_SSL_TRUSTSTORE_FILEPATH>
producer.ssl.truststore.password=<CLIENT_SSL_TRUSTSTORE_PASSWORD>
Replace the placeholders with the corresponding values for your deployment.
- If client authentication using SSL is configured for the broker (ssl.client.auth=required), then configure the following additional properties in connect-distributed.properties:
producer.ssl.keystore.location=<CLIENT_SSL_KEYSTORE_FILEPATH>
producer.ssl.keystore.password=<CLIENT_KEYSTORE_PASSWORD>
producer.ssl.key.password=<CLIENT_KEY_PASSWORD>
ssl.keystore.location=<CLIENT_SSL_KEYSTORE_FILEPATH>
ssl.keystore.password=<CLIENT_KEYSTORE_PASSWORD>
ssl.key.password=<CLIENT_KEY_PASSWORD>
Replace the placeholders with the corresponding values for your deployment.
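As an added check (not part of the IBM documentation or of Apache Kafka), the following Python script parses a broker server.properties and a client properties file and flags the settings that would leave a client unencrypted or, when the broker sets ssl.client.auth=required, unable to present a certificate. The sample property text is constructed, and the prefix argument ('' for worker-level keys, 'producer.' or 'consumer.' for Kafka Connect overrides) is a convention of this script.

```python
import stat


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_client(broker, client, prefix=""):
    """Problems with the client keys under `prefix` ('' for worker-level keys,
    'producer.' or 'consumer.' for Connect overrides), judged against the broker."""
    problems = []
    proto = client.get(prefix + "security.protocol", "PLAINTEXT")
    if proto not in ("SSL", "SASL_SSL"):
        problems.append(f"{prefix}security.protocol={proto} is not TLS")
    if not client.get(prefix + "ssl.truststore.location"):
        problems.append(f"{prefix}ssl.truststore.location missing")
    # A broker with ssl.client.auth=required rejects clients without a keystore.
    if broker.get("ssl.client.auth") == "required":
        for key in ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password"):
            if not client.get(prefix + key):
                problems.append(f"{prefix}{key} required by broker but missing")
    return problems


def is_private_mode(mode):
    """True when no group/other bits are set (the files hold clear-text passwords)."""
    return stat.S_IMODE(mode) & 0o077 == 0


# Constructed sample: the broker demands client certificates but the Connect
# producer override only supplies a truststore.
BROKER = parse_properties("listeners=SSL://broker.example:9093\nssl.client.auth=required")
CLIENT = parse_properties("""
# Source Connector authentication settings
producer.security.protocol=SSL
producer.ssl.truststore.location=/secure/client.truststore.jks
""")

if __name__ == "__main__":
    for problem in check_client(BROKER, CLIENT, "producer."):
        print("WARN", problem)
```

To audit the permissions of a real file, pass `os.stat(path).st_mode` to `is_private_mode`; anything that returns False is readable by group or other.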
- Configuring security for Kafka in WebSphere® Application Server
To configure SSL security for your Kafka client deployment in WebSphere Application Server, complete the steps documented in Enabling SSL on Kafka to secure MDM notifications.
- Configuring security for the batch stream processor
The batch stream processor uses the kafkabatch.properties file for security configuration.
Important: Encode the passwords for client stream applications using the PropFilePasswordEncoder utility in WebSphere Application Server.
- Update the kafkabatch.properties file to add the following security parameters:
enableSSLMessaging=true
security.protocol=SSL
kafkaconnect.ssl.truststore.location=<CLIENT_TRUST_STORE_FILE_PATH>
kafkaconnect.ssl.truststore.password=<CLIENT_TRUSTSTORE_PASSWORD>
Replace the placeholders with the corresponding values for your deployment.
- If client authentication using SSL is configured for the broker (ssl.client.auth=required), then configure the following additional properties in kafkabatch.properties:
kafkaconnect.ssl.keystore.location=<CLIENT_KEYSTORE_FILE_PATH>
kafkaconnect.ssl.keystore.password=<CLIENT_KEYSTORE_PASSWORD>
kafkaconnect.ssl.key.password=<CLIENT_KEY_PASSWORD>
Replace the placeholders with the corresponding values for your deployment.
- Configuring security for the runtime stream processor
The runtime stream processor uses the kafkaruntime.properties file for security configuration.
Important: Encode the passwords for client stream applications using the PropFilePasswordEncoder utility in WebSphere Application Server.
- Update the kafkaruntime.properties file to add the following security parameters:
enableSSLMessaging=true
security.protocol=SSL
kafkaconnect.ssl.truststore.location=<CLIENT_TRUST_STORE_FILE_PATH>
kafkaconnect.ssl.truststore.password=<CLIENT_TRUSTSTORE_PASSWORD>
Replace the placeholders with the corresponding values for your deployment.
- If client authentication using SSL is configured for the broker (ssl.client.auth=required), then configure the following additional properties in kafkaruntime.properties:
kafkaconnect.ssl.keystore.location=<CLIENT_KEYSTORE_FILE_PATH>
kafkaconnect.ssl.keystore.password=<CLIENT_KEYSTORE_PASSWORD>
kafkaconnect.ssl.key.password=<CLIENT_KEY_PASSWORD>
Replace the placeholders with the corresponding values for your deployment.
- Configuring SSL for the MDM Statistics feature
The MDM Statistics feature uses the statistics-streams.properties and statistics-connect-standalone.properties files for security configuration.
- Update the statistics-streams.properties file to add the following security parameters:
entity.statistics.ssl.truststore.location=<CLIENT_TRUST_STORE_FILE_PATH>
entity.statistics.ssl.truststore.password=<CLIENT_TRUSTSTORE_PASSWORD>
entity.statistics.security.protocol=SSL
transaction.statistics.ssl.truststore.location=<CLIENT_TRUST_STORE_FILE_PATH>
transaction.statistics.ssl.truststore.password=<CLIENT_TRUSTSTORE_PASSWORD>
transaction.statistics.security.protocol=SSL
Replace the placeholders with the corresponding values for your deployment.
- If client authentication using SSL is configured for the broker (ssl.client.auth=required), then configure the following additional properties in statistics-streams.properties:
entity.statistics.ssl.keystore.location=<CLIENT_KEYSTORE_FILE_PATH>
entity.statistics.ssl.keystore.password=<CLIENT_KEYSTORE_PASSWORD>
entity.statistics.ssl.key.password=<CLIENT_KEY_PASSWORD>
transaction.statistics.ssl.keystore.location=<CLIENT_KEYSTORE_FILE_PATH>
transaction.statistics.ssl.keystore.password=<CLIENT_KEYSTORE_PASSWORD>
transaction.statistics.ssl.key.password=<CLIENT_KEY_PASSWORD>
Replace the placeholders with the corresponding values for your deployment.
- Update the statistics-connect-standalone.properties file to add the following security parameters:
consumer.ssl.truststore.location=<CLIENT_TRUST_STORE_FILE_PATH>
consumer.ssl.truststore.password=<CLIENT_TRUSTSTORE_PASSWORD>
consumer.security.protocol=SSL
ssl.truststore.location=<CLIENT_TRUST_STORE_FILE_PATH>
ssl.truststore.password=<CLIENT_TRUSTSTORE_PASSWORD>
security.protocol=SSL
Replace the placeholders with the corresponding values for your deployment.
- If client authentication using SSL is configured for the broker (ssl.client.auth=required), then configure the following additional properties in statistics-connect-standalone.properties:
consumer.ssl.keystore.location=<CLIENT_KEYSTORE_FILE_PATH>
consumer.ssl.keystore.password=<CLIENT_KEYSTORE_PASSWORD>
consumer.ssl.key.password=<CLIENT_KEY_PASSWORD>
ssl.keystore.location=<CLIENT_KEYSTORE_FILE_PATH>
ssl.keystore.password=<CLIENT_KEYSTORE_PASSWORD>
ssl.key.password=<CLIENT_KEY_PASSWORD>
Replace the placeholders with the corresponding values for your deployment.
- Configuring security for the MDM Publisher ongoing synchronization stream processor
Complete the steps documented in Configuring InfoSphere MDM to enable ongoing synchronization.
Securing Kafka client communications using SASL
- Enable SASL on the Kafka broker.
- In each Kafka broker's config directory, create a new JAAS file named kafka_server_jaas.conf. The content should be similar to the following example:
KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret"
  user_mdmuser="mdmuser-secret";
};
This example configuration defines two users: admin and mdmuser. The username and password properties in the KafkaServer section are used by the broker to initiate connections to other brokers. In this example, admin is the user for inter-broker communication. The set of properties user_userName defines the passwords for all users that connect to the broker. The broker validates all client connections, including those from other brokers, using these properties. For more information, see the Apache Kafka documentation.
- Pass the JAAS configuration file location to each Kafka broker as a JVM parameter:
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf
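The relationship between username/password and the user_<name> entries is easy to get wrong, so here is an added check (not IBM's or Apache Kafka's code) that parses a KafkaServer section and confirms that the inter-broker user is defined with a matching password and that no password carries stray whitespace. The JAAS text is constructed, and the parser handles only the double-quoted option="value" form shown on this page.

```python
import re

# One JAAS section: Name { ...options...; };  (DOTALL so bodies span lines)
SECTION = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
# One login-module option in the quoted form used on this page.
OPTION = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Map section name -> {option: value}; the module class name and the
    'required' flag carry no '=' and are skipped."""
    return {name: dict(OPTION.findall(body)) for name, body in SECTION.findall(text)}


def check_server_section(jaas):
    """Return the problems that would break PLAIN authentication on the broker."""
    opts = jaas.get("KafkaServer")
    if opts is None:
        return ["no KafkaServer section"]
    inter = opts.get("username")
    if inter is None:
        return ["username for inter-broker connections missing"]
    problems = []
    # The broker authenticates its own inter-broker connections against
    # user_<name>, so that entry must exist and equal `password`.
    if opts.get("user_" + inter) != opts.get("password"):
        problems.append(f"user_{inter} entry does not match inter-broker password")
    for key, value in opts.items():
        if key.startswith("user_") and value != value.strip():
            problems.append(f"{key} password has surrounding whitespace")
    return problems


# Constructed samples: a correct file, and one with two common slips
# (inter-broker user not listed, stray space inside a password).
GOOD = """KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret"
  user_mdmuser="mdmuser-secret";
};"""
BAD = GOOD.replace('user_admin="admin-secret"\n  ', "").replace('"mdmuser-secret"', '" mdmuser-secret"')

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_server_section(parse_jaas(text)) or "OK")
```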
- Update the server.properties file to add the following security parameters and configure the SASL_SSL port and the SASL mechanism:
listeners=SASL_SSL://host.name:port
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
ssl.truststore.location=/kafkasecurity/server.truststore.jks
ssl.truststore.password=storep@ss
ssl.keystore.location=/kafkasecurity/server.keystore.jks
ssl.keystore.password=keyp@ss
ssl.key.password=keyp@ss
- Enable SASL on the Kafka client applications.
The InfoSphere MDM implementation of Apache Kafka uses multiple client applications such as the Database Connector, batch stream processor, and runtime stream processor. These all must be secured.
- Configuring security for the Database Connector
- Create a JAAS configuration file named kafka_client_jaas.conf.
- Within kafka_client_jaas.conf, create a client login section named KafkaClient to configure a login module for the selected mechanism.
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="<USER_NAME>"
  password="<PASSWORD>";
};
Replace the placeholders with the corresponding values for the user who will be used to authenticate with the Kafka broker.
- Pass the JAAS configuration location to each Kafka client as a JVM parameter:
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
- Update the connect-distributed.properties file to add the following security parameters:
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
# Source Connector override (same producer.security.protocol key as in the SSL section)
producer.security.protocol=SASL_SSL
producer.sasl.mechanism=PLAIN
- Configuring security for Kafka in WebSphere Application Server
In WebSphere Application Server, the default JAAS file is named wsjaas.conf. This file is stored in the properties folder of the WebSphere Application Server profile.
- Edit wsjaas.conf and append the following KafkaClient section:
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="<USER_NAME>"
  password="<PASSWORD>";
};
Replace the placeholders with the corresponding values for the user who will be used to authenticate with the Kafka broker.
- Add the same KafkaClient section to the default WebSphere Application Server wsjaas.conf configuration files found in the following locations:
- <MDM_INSTALL_HOME>/KafkaProcessor/properties
- <WAS_INSTALL_HOME>/AppServer/profiles/<PROFILE_NAME>/properties
- Complete the steps documented in Enabling SSL on Kafka to secure MDM notifications.
- Configuring security for the batch stream processor
- Create a JAAS configuration file named kafka_client_jaas.conf.
- Within kafka_client_jaas.conf, create a client login section named KafkaClient to configure a login module for the selected mechanism.
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="<USER_NAME>"
  password="<PASSWORD>";
};
Replace the placeholders with the corresponding values for the user who will be used to authenticate with the Kafka broker.
- Pass the JAAS configuration location to each Kafka client as a JVM parameter:
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
- Update the kafkabatch.properties file to add the following security parameters:
security.protocol=SASL_SSL
kafkaconnect.sasl.mechanism=PLAIN
Replace the placeholders with the corresponding values for your deployment.
- Configuring security for the runtime stream processor
- Create a JAAS configuration file named kafka_client_jaas.conf.
- Within kafka_client_jaas.conf, create a client login section named KafkaClient to configure a login module for the selected mechanism.
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="<USER_NAME>"
  password="<PASSWORD>";
};
Replace the placeholders with the corresponding values for the user who will be used to authenticate with the Kafka broker.
- Pass the JAAS configuration location to each Kafka client as a JVM parameter:
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
- Update the kafkaruntime.properties file to add the following security parameters:
security.protocol=SASL_SSL
kafkaconnect.sasl.mechanism=PLAIN
Replace the placeholders with the corresponding values for your deployment.
- Configuring SSL for the MDM Statistics feature
- Create a JAAS configuration file named kafka_client_jaas.conf.
- Within kafka_client_jaas.conf, create a client login section named KafkaClient to configure a login module for the selected mechanism.
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="<USER_NAME>"
  password="<PASSWORD>";
};
Replace the placeholders with the corresponding values for the user who will be used to authenticate with the Kafka broker.
- Pass the JAAS configuration location to each Kafka client as a JVM parameter:
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
- Update the statistics-streams.properties file to add the following security parameters:
entity.statistics.security.protocol=SASL_SSL
entity.statistics.sasl.mechanism=PLAIN
transaction.statistics.security.protocol=SASL_SSL
transaction.statistics.sasl.mechanism=PLAIN
- Update the statistics-connect-standalone.properties file to add the following security parameters:
# Consumer override (same consumer.security.protocol key as in the SSL section)
consumer.security.protocol=SASL_SSL
consumer.sasl.mechanism=PLAIN
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
- Configuring security for the MDM Publisher stream processor
- Create a JAAS configuration file named kafka_client_jaas.conf.
- Within kafka_client_jaas.conf, create a client login section named KafkaClient to configure a login module for the selected mechanism.
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="<USER_NAME>"
  password="<PASSWORD>";
};
Replace the placeholders with the corresponding values for the user who will be used to authenticate with the Kafka broker.
- Pass the JAAS configuration location to each Kafka client as a JVM parameter:
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
- To complete the configuration, follow the steps documented in Configuring InfoSphere MDM to enable ongoing synchronization.