Configuring SSL

Important

Having a working understanding of the following topics will help in setting up a secured Control Center sucessfully.

Simply having a secured Kafka broker does not guarentee that the Control Center is secured and working. Each component communicating with a secured Control Center requires a specific config to be set by prefix. The prefixes confluent.controlcenter.streams., confluent.metrics.reporter., producer., consumer., and confluent.monitoring.interceptor. could conceiveably be configured (in different files of the Control Center stack) to secure the Control Center end to end. Not all confliguration settings may be required. For instance, if you have not enabled the metrics reporter for a Kafka broker, there is no need to configure security for it.

The control center supports SSL one and two way authentication and can be enabled for different communications. Some possible configurations are:

  • secured Client interceptors (Connect/Confluent/regular client) -> secured Control Center Broker
  • secured Kafka Broker -> secured Control Center Broker
  • secured Metrics Reporter + (un)secured Kafka Broker -> secured Control Center Broker

Kafka Brokers

If a Kafka broker has been set up to use SSL, the same configurations need to be set for the metrics reporter. In the link, a broker was set with the following configuration:

...
sasl.mechanism.inter.broker.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
...

In order to secure the metrics reporter on the broker, the same values should be used with the prefix confluent.metrics.reporter.. In order to secure the stream monitoring interceptor on the broker, the same values should be used with the prefix confluent.monitoring.interceptor..

confluent.metrics.reporter.security.protocol=SSL
confluent.metrics.reporter.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.metrics.reporter.ssl.keystore.password=test1234
confluent.metrics.reporter.ssl.key.password=test1234
confluent.metrics.reporter.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.metrics.reporter.ssl.truststore.password=test1234

Note

These settings will work against a secured Control Center running on a non-secured broker

There are other configuration options in the settings for Authorization To learn more about overriding/setting configuration options for interceptors, go here. Any configuration for the interceptor is prefixed by confluent.metrics.reporter..

Note

With any of the config changes, a restart of the service is required. When restarting brokers, make sure each broker is available before restarting another.

Control Center

The Control Center needs to know that security is enabled. Internally, the Control Center uses Kafka Streams as a state store, so with a secured broker, they also need to be secured.

The following changes need to be made to the control-center.properties file:

security.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234

confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.controlcenter.streams.ssl.keystore.password=test1234
confluent.controlcenter.streams.ssl.key.password=test1234
confluent.controlcenter.streams.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.controlcenter.streams.ssl.truststore.password=test1234

Note

For a more detailed explaination of configuring Kafka client interceptors, click here.

Connect

The modifications to distributed connect works very similarly from the confluent.metrics.reporter. The connect documentation has covers this throughly.

Complete Configuring Workers with Security and Configuring Connectors with Security. The Control Center uses both of those.

In addition to the generic Connect and producer/consumer changes, the monitoring interceptors should take the same configuration in the connect-distrubted.properties:

#### Monitoring producer interceptor ####
producer.confluent.monitoring.interceptor.security.protocol=SSL
producer.confluent.monitoring.interceptor.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
producer.confluent.monitoring.interceptor.ssl.truststore.password=test1234
producer.confluent.monitoring.interceptor.ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
producer.confluent.monitoring.interceptor.ssl.keystore.password=connector1234
producer.confluent.monitoring.interceptor.ssl.key.password=connector1234

consumer.confluent.monitoring.interceptor.security.protocol=SSL
consumer.confluent.monitoring.interceptor.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
consumer.confluent.monitoring.interceptor.ssl.truststore.password=test1234
consumer.confluent.monitoring.interceptor.ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
consumer.confluent.monitoring.interceptor.ssl.keystore.password=connector1234
consumer.confluent.monitoring.interceptor.ssl.key.password=connector1234