Configuring security credentials for connecting to Kafka

Use the mqsicredentials (or mqsisetdbparms) command to associate security credentials with a connection to a Kafka cluster, and configure the Kafka nodes to authenticate by using the required username and password.

Follow these steps to configure a connection to a secured Kafka cluster:

1. Use either the mqsicredentials or the mqsisetdbparms command to associate a username and password with a connection to a Kafka cluster:
   • Configure security credentials by using the mqsicredentials command, specifying the username (--username), password (--password), credential type (--credential-type), and credential name (--credential-name). Specify the credential type as kafka, and specify a credential name that matches the value of the Security identifier parameter specified in the node. Alternatively, you can use the default security identity specified by the --set-as-default parameter on the mqsicredentials command.
     The following example shows how to specify a username, password, and named Kafka security identity:

     mqsicredentials --create --work-dir workDir --credential-type kafka --credential-name myKafkaSecId --username myUsername --password myPassword

     The following example shows how to specify a username and password, and specifies that the default Kafka security identity for the integration server will be used:

     mqsicredentials --create --work-dir workDir --credential-type kafka --credential-name myKafkaSecId --username myUsername --password myPassword

     mqsicredentials --set-as-default --work-dir workDir --credential-type kafka --credential-name myKafkaSecId

     For more information, see mqsicredentials command.

   • Configure security credentials by using the mqsisetdbparms command, specifying the required username (-u), password (-p), and resource name (-n). The resource name is in the form kafka:: followed by the name of the security identity that is specified on the Kafka node; for example, kafka::myKafkaSecId. Alternatively, you can use the default security identity, by specifying a resource name of kafka::KAFKA or kafka::KAFKA::integrationServerName.
     The following example shows how to specify a username, password, and named Kafka security identity:

     mqsisetdbparms -w workDir -n kafka::myKafkaSecId -u myUsername -p myPassword

     The following example hows how to specify a username and password, and specifies that the default Kafka security identity for the integration server will be used:

     mqsisetdbparms -w workDir -n kafka::KAFKA::myIntegrationServer1 -u myUsername -p myPassword

     For more information, see mqsisetdbparms command.

2. In your message flow, set the following properties on the KafkaConsumer, KafkaRead, and KafkaProducer nodes:
   1. Set the Security protocol property to either SASL_PLAINTEXT or SASL_SSL.
      If you are using the Event Streams service on IBM Cloud, the Security protocol property must be set to SASL_SSL.
   2. If either SSL or SASL_SSL is specified by the Security protocol property, you must also specify the SSL protocol to be used.
      You can select one of the following values from the supplied list, or you can specify an alternative value:

      • TLSv1
      • TLSv1.1
      • TLSv1.2
   3. In the Security identifier property, specify the name of the security credential that you created in step 1. Alternatively, if you configured a default security identity in step 1 (for example, myKafkaSecId), you can leave the Security identifier property empty and the default security identity will be used.
   For more information about the Kafka nodes, see the following topics:

   • KafkaConsumer node
   • KafkaRead node
   • KafkaProducer node