In order to create SSL for Kafka, first certificates have to be generated.
- Stop Kafka, Web, CEP, and Domain.
- Run the following (Linux) commands in the VM.
keytool -keystore kafka.server.keystore.jks -alias localhost -keyalg RSA -validity 1000 -genkey -storepass nastel -keypass nastel -ext SAN=DNS:pittsburghtech.com,IP:172.16.31.152,IP:172.16.31.26,IP:172.16.31.151,IP:172.16.31.41
openssl req -new -x509 -keyout ca-key.key -out ca-cert.crt -days 1000
keytool -keystore kafka.server.truststore.jks -alias CARoot -importcert -file ca-cert.crt
keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file cert-file-server.csr -ext SAN=DNS:pittsburghtech.com,IP:172.16.31.152,IP:172.16.31.26,IP:172.16.31.151,IP:172.16.31.41
openssl x509 -req -CA ca-cert.crt -CAkey ca-key.key -in cert-file-server.csr -out cert-signed-server.crt -days 1000 -CAcreateserial -passin pass:nastel -extfile san.conf -extensions req_ext
keytool -keystore kafka.server.keystore.jks -alias CARoot -importcert -file ca-cert.crt
keytool -keystore kafka.server.keystore.jks -alias localhost -importcert -file cert-signed-server.crt
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.0 = pittsburghtech.com
IP.0 = 172.16.31.152
IP.1 = 172.16.31.26
IP172.16.31.151
- Create a directory called SSL_keys and move all the certificates into it.
- Place this directory in /opt/nastel/kafka/current/config.
- Make the following changes in server.properties file:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This configuration file is intended for use in ZK-based mode, where Apache ZooKeeper is required.
# See kafka.server.KafkaConfig for additional details and defaults
#
############################# Server Basics #############################
# The id of the broker. This must be set to a unique integer for each broker.
broker.id=0
message.max.bytes=10485760
replica.fetch.max.bytes=10485760
############################# Socket Server Settings #############################
# The address the socket server listens on. If not configured, the host name will be equal to the value of
# java.net.InetAddress.getCanonicalHostName(), with PLAINTEXT listener name, and port 9092.
# FORMAT:
# listeners = listener_name://host_name:port
# EXAMPLE:
# listeners = PLAINTEXT://your.host.name:9092
listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093
# Listener name, hostname and port the broker will advertise to clients.
# If not set, it uses the value for "listeners".
#advertised.listeners=PLAINTEXT://your.host.name:9092
advertised.listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093
# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
# The number of threads that the server uses for receiving requests from the network and sending responses to the network
num.network.threads=8
# The number of threads that the server uses for processing requests, which may include disk I/O
num.io.threads=16
# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400
# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400
# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600
############################# Log Basics #############################
# A comma separated list of directories under which to store log files
log.dirs=/tmp/kafka-logs
# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=16
# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=1
############################# Internal Topic Settings #############################
# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
# For anything other than development testing, a value greater than 1 is recommended to ensure availability such as 3.
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
############################# Log Flush Policy #############################
# Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
# 1. Durability: Unflushed data may be lost if you are not using replication.
# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.
# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000
# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000
############################# Log Retention Policy #############################
# The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.
# The minimum age of a log file to be eligible for deletion due to age
log.retention.hours=168
# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
#log.retention.bytes=1073741824
# The maximum size of a log segment file. When this size is reached a new log segment will be created.
log.segment.bytes=1073741824
# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000
############################# Zookeeper #############################
# Zookeeper connection string (see zookeeper docs for details).
# This is a comma separated host:port pairs, each corresponding to a zk
# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
# You can also append an optional chroot string to the urls to specify the
# root directory for all kafka znodes.
zookeeper.connect=localhost:2181/xraykafka
# Timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=18000
############################# Group Coordinator Settings #############################
# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
# The default value for this is 3 seconds.
# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
group.initial.rebalance.delay.ms=0
####################################### SSL Authentication #################################
ssl.keystore.location=/opt/meshiq/kafka/current/config/ssl_keys/kafka.server.keystore.jks
ssl.keystore.password=nastel
ssl.key.password=nastel
ssl.truststore.location=/opt/meshiq/kafka/current/config/ssl_keys/kafka.server.truststore.jks
ssl.truststore.password=nastel
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type=JKS
ssl.truststore.type=JKS
security.inter.broker.protocol=SSL
- Make changes in the global.properties file located in /opt/nastel/AutopilotM6.
property jkool.kafka.security.protocol=SSL
- Add the following lines, changing <uname> and <pwd> to the appropriate user and password:
propertyjkool.kafka.sasl.jaas.config=org.apache.kafka.common.security.plan.PlainLoginModule required username="uname" password="pwd";
property job.sched.kafka.sasl.jaas.config={jkool.kafka.sasl.jaas.config}
- Restart Kafka, Domain, CEP, and Web.
- After restarting services, open the server.log file and verify that the following lines are found in the log file:
with addresses: PLAINTEXT -> EndPoint(172.16.31.72,9092,PLAINTEXT),SSL -> EndPoint(172.16.31.72,9093,SSL)
- In order to check OpenSSL connectivity, run the following:
openssl s_client -debug -connect localhost:9093 -tls1
- Create a file called client-SSL.properties.
bootstrap.servers=localhost:9093
security.protocol=SSL
ssl.truststore.location=/opt/meshiq/kafka/current/config/ssl_keys/truststore/kafka.truststore.jks
ssl.truststore.password=nastel
ssl.keystore.location=/opt/meshiq/kafka/current/config/ssl_keys/ssl_keys/keystore/kafka.keystore.jks
ssl.keystore.password=nastel
ssl.key.password=nastel
- Go to /opt/nastel/current/kafka/bin and run the following commands:
kafka-console-producer.sh --broker-list localhost:9093 --topic test --producer.config client-ssl.properties
kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --new-consumer --consumer.config client-ssl.properties
- Hence, SSL can be verified.