Connecting to Kafka over SSL with username and password authentication
Add truststore and security protocol properties to the Content event emitter configuration file. The security protocol is SASL_SSL. The JAAS configuration uses the Kafka username and password.
Procedure
Add the following properties to the configuration file of the Content event emitter, which is located in the cpe-cfgstore persistent volume claim for the Content Platform Engine configuration.
The configuration file is located in the ConfigDropins/overrides/BAIConfiguration/configuration directory.
- contentemitter.input.content.server
- The Content Platform Engine server that has the configured content event emitter.
- contentemitter.output.kafka.topic
- The name of the Kafka topic where raw content events are stored.
- contentemitter.output.kafka.bootstrap.servers
- The list of Kafka servers that is used to bootstrap connections to Kafka. For connecting to a Kafka cluster, this list must be in the format of host1:port1,host2:port2. These servers, which might change dynamically, are used for the initial connection to discover the full cluster membership. This list does not need to contain the full set of servers. You might want to list more than one server in case one is down.
- contentemitter.output.kafka.security.protocol
- The value is SASL_SSL.
- contentemitter.output.kafka.ssl.truststore.location
- The full path to the truststore file client.truststore.jks, which must be in the /opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/BAIForContent directory. To generate the truststore file, see Generate delegation tokens for Kafka client.
- contentemitter.output.kafka.ssl.truststore.password
- The password to the truststore.
- contentemitter.output.kafka.ssl.enabled.protocols
- The value is TLSv1.2.
- contentemitter.output.kafka.ssl.truststore.type
- The file format of the truststore file.
- contentemitter.output.kafka.ssl.endpoint.identification.algorithm
- The value is HTTPS.
- contentemitter.output.kafka.sasl.mechanism
- The value is PLAIN.
- contentemitter.output.kafka.sasl.jaas.config
- The template is org.apache.kafka.common.security.plain.PlainLoginModule required username="<username>" password="<userpassword>";
- The username value is the Kafka username.
- The user password value is the Kafka password.
Example
contentemitter.input.content.server=${CPE_HOSTNAME}
contentemitter.output.kafka.topic=ibm-bai-ingress
contentemitter.output.kafka.bootstrap.servers=${IBM_EVENT_STREAM_HOST}:{PORT}
contentemitter.output.kafka.security.protocol=SASL_SSL
contentemitter.output.kafka.ssl.truststore.location=/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/BAIForContent/es-cert.jks
contentemitter.output.kafka.ssl.truststore.password=${KAFKA_BROKERS_TRUSTSTORE_PASSWORD}
contentemitter.output.kafka.ssl.enabled.protocols=TLSv1.2
contentemitter.output.kafka.ssl.truststore.type=JKS
contentemitter.output.kafka.ssl.endpoint.identification.algorithm=HTTPS
contentemitter.output.kafka.sasl.mechanism=PLAIN
contentemitter.output.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="${IBM_EVENT_STREAMS_API_KEY}";
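The following check is an added example, not part of the product or of the original page. It lints a Content event emitter configuration file against the values listed in the procedure above. The function names and the WEAK sample are assumptions made for illustration.

```python
import re

PREFIX = "contentemitter.output.kafka."
# Fixed values the procedure above prescribes for SASL_SSL with PLAIN.
REQUIRED = {
    "security.protocol": "SASL_SSL",
    "ssl.enabled.protocols": "TLSv1.2",
    "ssl.endpoint.identification.algorithm": "HTTPS",  # empty disables hostname checks
    "sasl.mechanism": "PLAIN",
}
TRUSTSTORE_DIR = "/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/BAIForContent/"
JAAS = re.compile(
    r'^org\.apache\.kafka\.common\.security\.plain\.PlainLoginModule\s+required\s+'
    r'username="[^"]+"\s+password="[^"]+";$')

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_emitter_config(text):
    """Return a list of findings; an empty list means the file matches the page."""
    props = parse_properties(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = props.get(PREFIX + key)
        if actual != expected:
            findings.append(f"{key}: expected {expected}, found {actual!r}")
    location = props.get(PREFIX + "ssl.truststore.location", "")
    if not location.startswith(TRUSTSTORE_DIR):
        findings.append("ssl.truststore.location: not under " + TRUSTSTORE_DIR)
    for key in ("ssl.truststore.password", "ssl.truststore.type", "bootstrap.servers", "topic"):
        if not props.get(PREFIX + key):
            findings.append(f"{key}: missing or empty")
    # Accept the escaped-quote form (\") as well as plain quotes.
    jaas = props.get(PREFIX + "sasl.jaas.config", "").replace('\\"', '"')
    if not JAAS.match(jaas):
        findings.append("sasl.jaas.config: does not match the PlainLoginModule template")
    return findings

# Constructed sample: hostname verification switched off (empty algorithm).
WEAK = PREFIX + "security.protocol=SASL_SSL\n" + PREFIX + "ssl.endpoint.identification.algorithm=\n"
if __name__ == "__main__":
    print("\n".join(lint_emitter_config(WEAK)))
```

An empty findings list means that the file carries every value the procedure requires. The check does not open the truststore or contact the Kafka servers.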