Connecting to Kafka over SSL with username and password authentication

Add truststore and security protocol properties to the Content event emitter configuration file. The security protocol is SASL_SSL. The JAAS configuration uses the Kafka username and password.

Procedure

Add the following properties to the configuration file of the Content event emitter, which is located in the cpe-cfgstore persistent volume claim for the Content Platform Engine configuration.
The configuration file is located in the ConfigDropins/overrides/BAIConfiguration/configuration directory.

See Customizing the configuration file.

contentemitter.input.content.server
The Content Platform Engine server that has the configured content event emitter.
contentemitter.output.kafka.topic
The name of the Kafka topic where raw content events are stored.
contentemitter.output.kafka.bootstrap.servers
The list of Kafka servers that is used to bootstrap connections to Kafka. For connecting to a Kafka cluster, this list must be in the format of host1:port1,host2:port2. These servers, which might change dynamically, are used for the initial connection to discover the full cluster membership. This list does not need to contain the full set of servers. You might want to list more than one server in case one is down.
contentemitter.output.kafka.security.protocol
The value is SASL_SSL.
contentemitter.output.kafka.ssl.truststore.location
The full path to the truststore file. The truststore file, client.truststore.jks, must be in the /opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/BAIForContent directory. To generate the truststore file, see Generate delegation tokens for Kafka client.
contentemitter.output.kafka.ssl.truststore.password
The password to the truststore.
contentemitter.output.kafka.ssl.enabled.protocols
The value is TLSv1.2.
contentemitter.output.kafka.ssl.truststore.type
The file format of the truststore file.
contentemitter.output.kafka.ssl.endpoint.identification.algorithm
The value is HTTPS.
contentemitter.output.kafka.sasl.mechanism
The value is PLAIN.
contentemitter.output.kafka.sasl.jaas.config
The template is org.apache.kafka.common.security.plain.PlainLoginModule required username="<username>" password="<userpassword>";
  • The username value is the Kafka username.
  • The user password value is the Kafka password.

Example

contentemitter.input.content.server=${CPE_HOSTNAME}
contentemitter.output.kafka.topic=ibm-bai-ingress
contentemitter.output.kafka.bootstrap.servers=${IBM_EVENT_STREAM_HOST}:{PORT}
contentemitter.output.kafka.security.protocol=SASL_SSL
contentemitter.output.kafka.ssl.truststore.location=/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/BAIForContent/es-cert.jks
contentemitter.output.kafka.ssl.truststore.password=${KAFKA_BROKERS_TRUSTSTORE_PASSWORD}
contentemitter.output.kafka.ssl.enabled.protocols=TLSv1.2
contentemitter.output.kafka.ssl.truststore.type=JKS
contentemitter.output.kafka.ssl.endpoint.identification.algorithm=HTTPS
contentemitter.output.kafka.sasl.mechanism=PLAIN
contentemitter.output.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="${IBM_EVENT_STREAMS_API_KEY}";
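
The following check is an added example, not part of the original page or of the product: it lints an emitter properties file against the values listed in the procedure and reports a transport downgrade, disabled host name verification, or a malformed JAAS line. The function names and the sample values (kafka.example.test, user, example) are constructed for illustration.

```python
import re

PREFIX = "contentemitter.output.kafka."
# Values this page gives for the SASL_SSL username/password connection.
EXPECTED = {
    "security.protocol": "SASL_SSL",
    "ssl.enabled.protocols": "TLSv1.2",
    "ssl.endpoint.identification.algorithm": "HTTPS",
    "sasl.mechanism": "PLAIN",
}
NON_EMPTY = ("topic", "bootstrap.servers", "ssl.truststore.password", "ssl.truststore.type")
TRUSTSTORE_DIR = "/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/BAIForContent/"
JAAS = re.compile(r'org\.apache\.kafka\.common\.security\.plain\.PlainLoginModule\s+'
                  r'required\s+username="[^"]+"\s+password="[^"]+";')

def parse_properties(text):
    """Parse key=value lines; skip blanks and comments; unescape backslash-quote."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().replace('\\"', '"')
    return props

def check_emitter_config(text):
    """Return findings as strings; an empty list means every check passed."""
    props = {k[len(PREFIX):]: v for k, v in parse_properties(text).items()
             if k.startswith(PREFIX)}
    findings = []
    for key, want in EXPECTED.items():
        if props.get(key, "").upper() != want.upper():  # case-insensitive by choice
            findings.append(f"{key}: expected {want}, found {props.get(key)!r}")
    findings += [f"{key}: missing or empty" for key in NON_EMPTY if not props.get(key)]
    if not props.get("ssl.truststore.location", "").startswith(TRUSTSTORE_DIR):
        findings.append("ssl.truststore.location: not under " + TRUSTSTORE_DIR)
    if not JAAS.fullmatch(props.get("sasl.jaas.config", "")):
        findings.append("sasl.jaas.config: does not match the PlainLoginModule template")
    return findings

# Constructed sample: no TLS on the transport and host name verification disabled.
WEAK_SAMPLE = """\
contentemitter.output.kafka.topic=ibm-bai-ingress
contentemitter.output.kafka.bootstrap.servers=kafka.example.test:9093
contentemitter.output.kafka.security.protocol=SASL_PLAINTEXT
contentemitter.output.kafka.ssl.endpoint.identification.algorithm=
contentemitter.output.kafka.sasl.mechanism=PLAIN
contentemitter.output.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="user" password="example";
"""
```

Calling check_emitter_config(WEAK_SAMPLE) returns one finding per deviation; the example configuration shown above returns an empty list.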