Connecting to Kafka using SSL with Kerberos authentication
Add keystore, truststore, and security protocol properties to the Case event emitter JSON file. The security protocol is SASL_SSL. The JAAS configuration uses the Kerberos keytab and principal.
Procedure
Add the following properties to the output section of the CaseEventEmitter.json file that is passed to the EnableCaseBAI.py configuration script.
- sasl.jaas.config
- The template is com.ibm.security.auth.module.Krb5LoginModule required useKeytab=\"file:///path to the keytab file\" credsType=both principal=\"kafka/kafka server name@REALM\";
  - The useKeytab value is the full path to the Kerberos keytab file.
  - The principal value is the Kerberos principal, for example user/host@REALM. Here, host is the host of the Key Distribution Center (KDC) and REALM is the Kerberos REALM.
- sasl.kerberos.service.name
- The name of the Kerberos service used by Kafka. This name must match the principal name of the Kafka brokers.
- ssl.truststore.location
- The full path to a truststore retrieved from the IBM Event Streams user interface. See step 3 of Retrieving the IBM Event Streams truststore.
- ssl.truststore.password
- The password to the truststore.
- ssl.keystore.location
- The full path to a keystore file.
- ssl.keystore.password
- The password that you used when you created the keystore.
- security.protocol
- The value is SASL_SSL.
- ssl.protocol
- The value is TLSv1.2.
- ssl.enabled.protocols
- The value is TLSv1.2.
- ssl.endpoint.identification.algorithm
- The value is HTTPS.
Example
"output" : {
    "default" : {
        "enable" : true,
        "type" : "kafka",
        "topic" : "ibm-bai-ingress",
        "bootstrap.servers" : "kafka bootstrap server : port",
        "security.protocol" : "SASL_SSL",
        "ssl.truststore.location" : "/opt/truststore.jks",
        "ssl.truststore.password" : "password",
        "ssl.keystore.location" : "/opt/keystore.jks",
        "ssl.keystore.password" : "password",
        "ssl.protocol" : "TLSv1.2",
        "ssl.enabled.protocols" : "TLSv1.2",
        "ssl.endpoint.identification.algorithm" : "HTTPS",
        "sasl.kerberos.service.name" : "kafka",
        "sasl.jaas.config" : "com.ibm.security.auth.module.Krb5LoginModule required useKeytab=\"file:////opt/krb5.keytab\" credsType=both principal=\"kafka/server1@MYREALM\";"
    }
}
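
A pre-flight check for the output section before the file is passed to EnableCaseBAI.py, as an added example (not IBM's code). It compares each emitter with the values in the procedure above; check_jaas, check_emitter and SAMPLE are names made up for this example, SAMPLE is constructed from the example values on this page, and "output" is assumed to be a top-level key of CaseEventEmitter.json.

```python
import json
import re
import sys

# Values the procedure prescribes; an empty identification algorithm disables hostname checks.
REQUIRED_VALUES = {"security.protocol": "SASL_SSL", "ssl.protocol": "TLSv1.2",
                   "ssl.enabled.protocols": "TLSv1.2",
                   "ssl.endpoint.identification.algorithm": "HTTPS"}
# Properties that must be present and non-empty, whatever their value.
REQUIRED_KEYS = ("sasl.jaas.config", "sasl.kerberos.service.name",
                 "ssl.truststore.location", "ssl.truststore.password",
                 "ssl.keystore.location", "ssl.keystore.password")

def check_jaas(jaas):
    """Return findings for one sasl.jaas.config value."""
    opts = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', jaas)}
    checks = [
        ("Krb5LoginModule required" in jaas, "JAAS entry does not require a Krb5LoginModule"),
        (jaas.rstrip().endswith(";"), "JAAS entry is not terminated with ';'"),
        (opts.get("useKeytab", "").startswith("file:///"), "useKeytab is not a file:/// URL with a full path"),
        (re.fullmatch(r"[^@\s]+@[^@\s]+", opts.get("principal", "")), "principal is not in name@REALM form"),
    ]
    return [msg for ok, msg in checks if not ok]

def check_emitter(doc):
    """Return findings for every emitter under "output" in the parsed JSON."""
    findings = []
    for name, out in doc.get("output", {}).items():
        for key, want in REQUIRED_VALUES.items():
            if out.get(key) != want:
                findings.append(f"{name}: {key} is {out.get(key)!r}, expected {want!r}")
        for key in REQUIRED_KEYS:
            if not out.get(key):
                findings.append(f"{name}: {key} is missing or empty")
        findings += [f"{name}: {p}" for p in check_jaas(out.get("sasl.jaas.config") or "")]
    return findings

# Constructed sample: this page's example values, as json.load() returns them.
SAMPLE = {"output": {"default": {
    **REQUIRED_VALUES, "sasl.kerberos.service.name": "kafka",
    "ssl.truststore.location": "/opt/truststore.jks", "ssl.truststore.password": "password",
    "ssl.keystore.location": "/opt/keystore.jks", "ssl.keystore.password": "password",
    "sasl.jaas.config": 'com.ibm.security.auth.module.Krb5LoginModule required '
                        'useKeytab="file:////opt/krb5.keytab" credsType=both '
                        'principal="kafka/server1@MYREALM";'}}}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(check_emitter(doc)) or "no findings")
```

Run it with the path to CaseEventEmitter.json as the only argument; with no argument it checks the constructed sample.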