Connecting to Kafka using SSL with Kerberos authentication

Add keystore, truststore, and security protocol properties to the Case event emitter JSON file. The security protocol is SASL_SSL. The JAAS configuration uses the Kerberos keytab and principal.

Procedure

Add the following properties to the output section of the CaseEventEmitter.json file that is passed to the EnableCaseBAI.py configuration script.
sasl.jaas.config
The template is com.ibm.security.auth.module.Krb5LoginModule required useKeytab=\"file:///path to the keytab file\" credsType=both principal=\"kafka/kafka server name@REALM\";.
  1. The useKeytab value is the full path to the Kerberos keytab file.
  2. The principal value is the Kerberos principal, for example user/host@REALM. Here, host is the host of the Key Distribution Center (KDC) and REALM is the Kerberos realm.
sasl.kerberos.service.name
The name of the Kerberos service used by Kafka. This name must match the principal name of the Kafka brokers.
ssl.truststore.location
The full path to a truststore retrieved from the IBM Event Streams user interface. See step 3 of Retrieving the IBM Event Streams truststore.
ssl.truststore.password
The password to the truststore.
ssl.keystore.location
The full path to a keystore file.
ssl.keystore.password
The password that you used when you created the keystore.
security.protocol
The value is SASL_SSL.
ssl.protocol
The value is TLSv1.2.
ssl.enabled.protocols
The value is TLSv1.2.
ssl.endpoint.identification.algorithm
The value is HTTPS.

Example

"output" : {
    "default" : {
        "enable" : true,
        "type" : "kafka",
        "topic" : "ibm-bai-ingress",
        "bootstrap.servers" : "kafka bootstrap server : port",
        "security.protocol" : "SASL_SSL",
        "ssl.truststore.location" : "/opt/truststore.jks",
        "ssl.truststore.password" : "password",
        "ssl.keystore.location" : "/opt/keystore.jks",
        "ssl.keystore.password" : "password",
        "ssl.protocol" : "TLSv1.2",
        "ssl.enabled.protocols" : "TLSv1.2",
        "ssl.endpoint.identification.algorithm" : "HTTPS",
        "sasl.kerberos.service.name" : "kafka",
        "sasl.jaas.config" : "com.ibm.security.auth.module.Krb5LoginModule required useKeytab=\"file:////opt/krb5.keytab\" credsType=both principal=\"kafka/server1@MYREALM\";"
    }
}
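A pre-flight check for the output section before it is passed to EnableCaseBAI.py, added here as an example and not part of the IBM product or its scripts. It assumes "output" sits at the top level of the JSON file and that paths are POSIX-style; check_output, check_emitter and SAMPLE are hypothetical names, and the sample configuration is constructed with three deliberate defects.

```python
import json
import re

# Values the procedure fixes for a SASL_SSL connection.
FIXED = {"security.protocol": "SASL_SSL", "ssl.protocol": "TLSv1.2",
         "ssl.enabled.protocols": "TLSv1.2",
         "ssl.endpoint.identification.algorithm": "HTTPS"}
# Must be present; *.location must be a full path (POSIX paths assumed).
PRESENT = ["sasl.jaas.config", "sasl.kerberos.service.name",
           "ssl.truststore.location", "ssl.truststore.password",
           "ssl.keystore.location", "ssl.keystore.password"]

def check_output(entry):
    """Return the list of problems in one entry of the output section."""
    problems = [f"missing {k}" for k in PRESENT + list(FIXED) if k not in entry]
    for key, want in FIXED.items():
        if key in entry and entry[key] != want:
            problems.append(f"{key} is {entry[key]!r}, expected {want!r}")
    for key in ("ssl.truststore.location", "ssl.keystore.location"):
        if key in entry and not entry[key].startswith("/"):
            problems.append(f"{key} is not a full path")
    jaas = entry.get("sasl.jaas.config")
    if jaas is not None:
        if not re.search(r'useKeytab="file://(/[^"]+)"', jaas):
            problems.append("useKeytab is not a file:// URL with a full path")
        if not re.search(r'principal="[^/"@]+/[^/"@]+@[^"@]+"', jaas):
            problems.append("principal is not of the form user/host@REALM")
    return problems

def check_emitter(text):
    """Check every Kafka entry under "output"; map entry name -> problems."""
    outputs = json.loads(text)["output"]
    return {name: check_output(e) for name, e in outputs.items()
            if e.get("type") == "kafka"}

# Constructed sample: protocol downgraded, hostname check missing, relative keystore.
SAMPLE = r'''{"output": {"default": {
  "enable": true, "type": "kafka", "topic": "ibm-bai-ingress",
  "bootstrap.servers": "broker.example.com:9093", "security.protocol": "SASL_PLAINTEXT",
  "ssl.truststore.location": "/opt/truststore.jks", "ssl.truststore.password": "placeholder",
  "ssl.keystore.location": "keystore.jks", "ssl.keystore.password": "placeholder",
  "ssl.protocol": "TLSv1.2", "ssl.enabled.protocols": "TLSv1.2", "sasl.kerberos.service.name": "kafka",
  "sasl.jaas.config": "com.ibm.security.auth.module.Krb5LoginModule required useKeytab=\"file:///opt/krb5.keytab\" credsType=both principal=\"kafka/server1@MYREALM\";"
}}}'''

if __name__ == "__main__":
    print(check_emitter(SAMPLE))
```

An empty list for an entry means every property named in the procedure is present with the required value; it does not verify that the keytab, truststore or keystore files exist or that the passwords are correct.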