Authenticating connections to a Kafka cluster by using SASL/SCRAM

You can configure KafkaConsumer, KafkaRead, and KafkaProducer nodes to authenticate with a Kafka cluster by using Salted Challenge Response Authentication Mechanism (SCRAM) or SASL/SCRAM.

Before you begin

Read the following topics:

About this task

Salted Challenge Response Authentication Mechanism (SCRAM), also known as SASL/SCRAM, is a SASL mechanism that performs password-based authentication between the client and server, and resolves some of the security concerns that are associated with SASL_PLAIN authentication.

To authenticate a connection between Kafka nodes and a Kafka cluster that uses SCRAM for authentication, you must configure the nodes to use a Kafka policy that is configured with the connection details.

Procedure

Follow these steps to enable Kafka nodes to authenticate a connection to a Kafka cluster by using SCRAM:

  1. Use either the mqsisetdbparms command or the mqsicredentials command to associate a username and password with a security identity.
    • Configure security credentials by using the mqsisetdbparms command, specifying the required username (-u), password (-p), and resource name (-n). The resource name is in the form kafka:: followed by the name of the security identity that is specified on the Kafka node; for example, kafka::myKafkaSecId.
      The following example shows how to specify a username, password, and named Kafka security identity:
      mqsisetdbparms -w workDir -n kafka::myKafkaSecId -u myUsername -p myPassword

      For more information, see mqsisetdbparms command.

    • Configure security credentials by using the mqsicredentials command, specifying the username (--username), password (--password), credential type (--credential-type), and credential name (--credential-name). Specify the credential type as kafka, and specify a credential name that matches the value of the Security identifier parameter specified in the node.
      The following example shows how to specify a username, password, and named Kafka security identity:
      mqsicredentials --create --work-dir workDir --credential-type kafka --credential-name myKafkaSecId --username myUsername --password myPassword

      For more information, see mqsicredentials command.

  2. Create a Kafka policy in a policy project by using the IBM App Connect Enterprise Toolkit, and set the following properties:
    1. Set the value of the Bootstrap servers property to the list of bootstrap servers for the Kafka cluster. You can specify a single hostname:port value or a comma-separated list of multiple hostname:port values.
    2. Set the Security protocol property to SASL_SSL.
    3. Set the Security mechanism property to either SCRAM-SHA-256 or SCRAM-SHA-512, as required by the Kafka cluster.
    4. Set the Security identity property to the name of the security identity that you created in step 1 (for example, myKafkaSecId).
    5. Set the SASL config property to org.apache.kafka.common.security.scram.ScramLoginModule required;

      This value specifies the SASL configuration to be used when connecting to the Kafka cluster.

    6. Optional: Set the SSL truststore location to the location of the truststore that contains the public or CA certificate for the Kafka cluster.
    7. Optional: Set the SSL truststore type to the type of truststore that is specified in the SSL truststore location property. Possible values are JKS and PKCS12.
    8. Optional: Set the SSL truststore security identity to specify the security identity used to access the truststore.
    For more information, see Kafka policy.
  3. On the Policy tab of the Kafka nodes, set the Policy property to the name of the policy created in step 2, in the form {PolicyProjectName}:PolicyName.

    For more information about the Kafka nodes, see KafkaConsumer node, KafkaProducer node, and KafkaRead node.
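As an added example (not part of the IBM documentation or product), the following Python check reads a Kafka policy file and reports every setting that departs from the SCRAM-over-TLS configuration in step 2. The XML element names (bootstrapServers, securityProtocol, saslMechanism, securityIdentity, saslConfig) are assumed to be the camelCase form of the Toolkit property names, and the sample policy is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; element names are assumed to be the camelCase
# form of the Toolkit property names (check against your own policy.xml).
SAMPLE_POLICY = """<policies>
  <policy policyType="Kafka" policyName="MyKafkaPolicy" policyTemplate="Kafka">
    <bootstrapServers>kafka1.example.com:9093,kafka2.example.com:9093</bootstrapServers>
    <securityProtocol>SASL_SSL</securityProtocol>
    <saslMechanism>SCRAM-SHA-512</saslMechanism>
    <securityIdentity>myKafkaSecId</securityIdentity>
    <saslConfig>org.apache.kafka.common.security.scram.ScramLoginModule required;</saslConfig>
  </policy>
</policies>"""

SCRAM_MECHANISMS = {"SCRAM-SHA-256", "SCRAM-SHA-512"}
SCRAM_LOGIN_MODULE = "org.apache.kafka.common.security.scram.ScramLoginModule required;"


def _prop(policy, tag):
    """Text of a child element, or '' when it is absent or empty."""
    el = policy.find(tag)
    return (el.text or "").strip() if el is not None else ""


def check_kafka_policy(policy_xml):
    """Return findings for each Kafka policy that departs from SCRAM over TLS.

    An empty list means every Kafka policy in the document carries the
    settings described in the procedure (SASL_SSL, SCRAM-SHA-256/512,
    ScramLoginModule, a security identity and host:port bootstrap entries)."""
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("policyType") != "Kafka":
            continue
        name = policy.get("policyName", "<unnamed>")
        mech, proto = _prop(policy, "saslMechanism"), _prop(policy, "securityProtocol")
        if mech not in SCRAM_MECHANISMS:
            findings.append(f"{name}: saslMechanism is '{mech or 'unset'}', expected SCRAM-SHA-256 or SCRAM-SHA-512")
        # SCRAM protects the password, not the channel: the exchange still needs TLS
        if proto != "SASL_SSL":
            findings.append(f"{name}: securityProtocol is '{proto or 'unset'}', expected SASL_SSL")
        if _prop(policy, "saslConfig") != SCRAM_LOGIN_MODULE:
            findings.append(f"{name}: saslConfig must be '{SCRAM_LOGIN_MODULE}'")
        if not _prop(policy, "securityIdentity"):
            findings.append(f"{name}: securityIdentity is unset, so no kafka:: credential can be resolved")
        # Each bootstrap entry must be hostname:port; a missing port is a common mistake
        for server in filter(None, (s.strip() for s in _prop(policy, "bootstrapServers").split(","))):
            if ":" not in server or not server.rpartition(":")[2].isdigit():
                findings.append(f"{name}: bootstrap server '{server}' is not in hostname:port form")
    return findings
```

Run it against each policy project before deployment; any non-empty result means a node using that policy will not authenticate the way this procedure intends.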