You can configure KafkaConsumer, KafkaRead, and KafkaProducer nodes to authenticate with a Kafka cluster by using the Salted Challenge Response Authentication Mechanism (SCRAM), also known as SASL/SCRAM.
Before you begin
Read the following topics:
About this task
Salted Challenge Response Authentication Mechanism (SCRAM), also known as SASL/SCRAM, is a SASL mechanism that performs password-based authentication between the client and the server. Because the client proves knowledge of the password through a salted challenge-response exchange rather than sending the password itself, SCRAM resolves some of the security concerns that are associated with SASL_PLAIN authentication. To authenticate a connection between Kafka nodes and a Kafka cluster that uses SCRAM for authentication, you must configure the nodes to use a Kafka policy that is configured with the connection details.
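The salted challenge-response exchange that the task description refers to, as an added worked example that is not part of this IBM documentation or of App Connect Enterprise: both sides of a SCRAM-SHA-256 or SCRAM-SHA-512 exchange (RFC 5802) are run in one process, showing what the server stores (StoredKey and ServerKey, never the password) and what crosses the wire (nonces, salt, iteration count, and a proof). The username, password, salt, and nonces are constructed sample values, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import os
import secrets


def _hi(hash_name, password, salt, iterations):
    # Hi() from RFC 5802 is PBKDF2 with HMAC as the PRF.
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)


def _hmac(hash_name, key, msg):
    return hmac.new(key, msg, hash_name).digest()


def _h(hash_name, data):
    return hashlib.new(hash_name, data).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_credential(hash_name, password, iterations=4096, salt=None):
    """Build what a SCRAM server stores for one user: salt, iteration count,
    StoredKey and ServerKey. The clear-text password is not retained."""
    salt = salt or os.urandom(16)  # constructed in the test; random otherwise
    salted = _hi(hash_name, password.encode(), salt, iterations)
    client_key = _hmac(hash_name, salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(hash_name, client_key),
        "server_key": _hmac(hash_name, salted, b"Server Key"),
    }


def scram_exchange(hash_name, username, client_password, credential,
                   cnonce=None, snonce=None):
    """Run client and server sides of one SCRAM exchange.
    Returns (server_accepted_client, client_accepted_server, transcript)."""
    cnonce = cnonce or secrets.token_urlsafe(18)
    snonce = snonce or secrets.token_urlsafe(18)
    nonce = cnonce + snonce

    # Client -> server: client-first-message (no channel binding, "n,,").
    client_first_bare = f"n={username},r={cnonce}"
    client_first = "n,," + client_first_bare

    # Server -> client: the challenge carries only public parameters.
    salt_b64 = base64.b64encode(credential["salt"]).decode()
    server_first = f"r={nonce},s={salt_b64},i={credential['iterations']}"

    # Client -> server, before the proof is attached ("biws" = base64("n,,")).
    channel_binding = base64.b64encode(b"n,,").decode()
    client_final_wo_proof = f"c={channel_binding},r={nonce}"
    auth_message = ",".join(
        [client_first_bare, server_first, client_final_wo_proof]).encode()

    # Client side: derive keys from the password it holds and compute the proof.
    salted = _hi(hash_name, client_password.encode(),
                 credential["salt"], credential["iterations"])
    client_key = _hmac(hash_name, salted, b"Client Key")
    client_sig = _hmac(hash_name, _h(hash_name, client_key), auth_message)
    client_proof = _xor(client_key, client_sig)
    client_final = (f"{client_final_wo_proof},"
                    f"p={base64.b64encode(client_proof).decode()}")

    # Server side: recover ClientKey from the proof using only StoredKey,
    # then check that H(ClientKey) matches the stored value.
    server_client_sig = _hmac(hash_name, credential["stored_key"], auth_message)
    recovered_client_key = _xor(client_proof, server_client_sig)
    client_ok = hmac.compare_digest(
        _h(hash_name, recovered_client_key), credential["stored_key"])
    if client_ok:
        server_sig = _hmac(hash_name, credential["server_key"], auth_message)
        server_final = f"v={base64.b64encode(server_sig).decode()}"
    else:
        server_final = "e=invalid-proof"

    # Client side: verify the server signature, so authentication is mutual.
    expected_server_sig = _hmac(
        hash_name, _hmac(hash_name, salted, b"Server Key"), auth_message)
    server_ok = server_final == f"v={base64.b64encode(expected_server_sig).decode()}"

    return client_ok, server_ok, [client_first, server_first,
                                  client_final, server_final]


if __name__ == "__main__":
    cred = make_credential("sha512", "myPassword")  # constructed sample
    ok, mutual, transcript = scram_exchange("sha512", "myUsername", "myPassword", cred)
    print("client accepted:", ok, "| server verified:", mutual)
    for line in transcript:
        print(" ", line)
```

The exchange above uses the same mechanism names the policy's Security mechanism property selects: pass "sha256" for SCRAM-SHA-256 and "sha512" for SCRAM-SHA-512. A wrong password yields an `e=invalid-proof` reply, and the transcript never contains the password, which is the property that distinguishes SCRAM from SASL_PLAIN.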
Procedure
Follow these steps to enable Kafka nodes to authenticate a connection to a Kafka cluster by using SCRAM:
1. Use either the mqsisetdbparms command or the mqsicredentials command to associate a username and password with a security identity.
   - Configure security credentials by using the mqsisetdbparms command, specifying the required username (-u), password (-p), and resource name (-n). The resource name is in the form kafka:: followed by the name of the security identity that is specified on the Kafka node; for example, kafka::myKafkaSecId. The following example shows how to specify a username, password, and named Kafka security identity:
     mqsisetdbparms -w workDir -n kafka::myKafkaSecId -u myUsername -p myPassword
     For more information, see mqsisetdbparms command.
   - Configure security credentials by using the mqsicredentials command, specifying the username (--username), password (--password), credential type (--credential-type), and credential name (--credential-name). Specify the credential type as kafka, and specify a credential name that matches the value of the Security identifier parameter specified in the node. The following example shows how to specify a username, password, and named Kafka security identity:
     mqsicredentials --create --work-dir workDir --credential-type kafka --credential-name myKafkaSecId --username myUsername --password myPassword
     For more information, see mqsicredentials command.
2. Create a Kafka policy in a policy project by using the IBM App Connect Enterprise Toolkit, and set the following properties:
   - Set the value of the Bootstrap servers property to the list of bootstrap servers for the Kafka cluster. You can specify a single hostname:port value or a comma-separated list of multiple hostname:port values.
   - Set the Security protocol property to SASL_SSL.
   - Set the Security mechanism property to either SCRAM-SHA-256 or SCRAM-SHA-512, as required by the Kafka cluster.
   - Set the Security identity property to the name of the security identity that you created in step 1 (for example, myKafkaSecId).
   - Set the SASL config property to
     org.apache.kafka.common.security.scram.ScramLoginModule required;
     This value specifies the SASL configuration to be used when connecting to the Kafka cluster.
   - Optional: Set the SSL truststore location to the location of the truststore that contains the public or CA certificate for the Kafka cluster.
   - Optional: Set the SSL truststore type to the type of truststore that is specified in the SSL truststore location property. Possible values are JKS and PKCS12.
   - Optional: Set the SSL truststore security identity to specify the security identity used to access the truststore.
3. On the Policy tab of the Kafka nodes, set the Policy property to the name of the policy that you created in the previous step, in the form
   {PolicyProjectName}:PolicyName