.. _controlcenter_security_ssl:

Configure TLS for |c3-short|
----------------------------

You can configure TLS for |c3-short| so that web access is secured through HTTPS. In addition, because |c3-short| acts as a proxy server for other components, you can configure TLS for |c3-short| to secure its communication with other secured |cp| components.

.. _controlcenter-ui-https:

Configure TLS for |c3-short| as a server
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HTTPS can be configured for web access to |c3|. To enable HTTPS, you must first add an HTTPS listener in the |c3-short| properties file using the ``confluent.controlcenter.rest.listeners`` parameter. You must also set the appropriate :ref:`TLS configuration options `. If you haven't already, you should :ref:`create TLS keys and certificates `.

An example of the necessary additions to the appropriate :ref:`c3_properties_files` is shown below:

.. sourcecode:: bash

   confluent.controlcenter.rest.listeners=
   confluent.controlcenter.rest.ssl.keystore.location=
   confluent.controlcenter.rest.ssl.keystore.password=
   confluent.controlcenter.rest.ssl.key.password=
   confluent.controlcenter.rest.ssl.truststore.location=
   confluent.controlcenter.rest.ssl.truststore.password=

You can check the HTTPS listener with ``curl``; when the listener uses a self-signed certificate, pass the signing CA certificate with ``--cacert`` so that ``curl`` can verify it:

.. sourcecode:: bash

   curl -vvv -X GET --tlsv1.2 https://localhost:9022

   #for cases when using a self-signed certificate
   curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022

.. include:: ../../includes/cp-demo-tip.rst

.. tip:: As a fallback mechanism, you can configure |c3-short| to check the JVM or operating system (OS) truststore.

   - To configure the default JVM truststore, set the following property to true: ``confluent.controlcenter.use.default.jvm.truststore=true``
   - To configure the default OS truststore, set the following property to true: ``confluent.controlcenter.use.default.os.truststore=true``

.. _control_center_ssl_c3:

.. include:: includes/ssl_c3.rst

.. _control_center_ssl_proxy:

Configure TLS for |c3-short| as a proxy server
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Confluent Control Center normally communicates with |cp| components using the HTTP protocol. You can enable HTTPS between |c3-short| and these components by securing them with TLS. There are several ways to configure TLS for communication between |c3-short| and other |cp| components:

- Stores for each secured component: :ref:`Schema Registry <controlcenter-ssl-sr>`, :ref:`Connect <controlcenter_ssl_connect>`, and :ref:`ksqlDB <controlcenter-ssl-ksqldb>`.
- :ref:`A single proxy server store <c3-proxy-truststore>`
- :ref:`Server store <c3-server-truststore>` (not recommended)

.. note:: Regardless of how you configure stores for |c3|, they are checked in the following order:

   - |sr| store
   - |kconnect| store
   - |ksqldb| store
   - Proxy server store
   - Server store

When you configure each component separately, each component requires a specific configuration to be set by its prefix. For example, for |sr| use the prefix ``confluent.controlcenter.schema.registry``. The TLS truststore location is set as follows:

.. code:: bash

   confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=

Each component should be configured in its respective configuration file to secure |c3-short| end-to-end. Not all configuration settings may be required; consult the configuration reference for each component you are configuring.

.. _controlcenter-ssl-sr:

Configure TLS proxy server access to |sr|
*****************************************

When |c3| connects to |sr| and |sr| has TLS enabled:

- |sr| communicates with |ak| over the |ak| protocol, which is secured with TLS.
- |c3-short| communicates with |ak| over the |ak| protocol, which is secured with TLS.
- |c3-short| communicates with |sr| over the HTTPS protocol, which is secured with TLS.

Essentially, |c3-short| functions as a proxy server to |sr|. To secure |c3-short| with HTTPS, configure |sr| to allow HTTPS as described in :ref:`schema_registry_http_https`.
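The check order in the note above decides which truststore |c3-short| ends up using for a proxied component, and a misconfigured component store can silently fall through to the proxy or server store. The following Python script is an added example, not Confluent's code: it parses a constructed ``control-center.properties`` fragment and, for |sr| and |ksqldb|, reports which store would apply (component store, then proxy server store, then server store, which is the example's reading of the note) and flags an empty truststore password or a fall-through to the not-recommended server store. It uses only the property prefixes shown on this page; the |kconnect| prefix lives in an included file that is not shown here, so it is left out.

```python
# Added example (not Confluent's code): resolve which TLS truststore Control
# Center would use for each proxied component, following the check order from
# the note above: component store, then proxy server store, then server store.
# Only property prefixes shown on this page are modelled; the Connect prefix
# lives in an included file that is not on this page and is left out.

# Constructed control-center.properties fragment (sample values, not a real
# deployment).  Schema Registry has its own truststore but an empty password;
# ksqlDB has none, so it should fall through to the shared proxy store.
SAMPLE_PROPERTIES = """\
# HTTPS listener for the Control Center UI (server store)
confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
confluent.controlcenter.rest.ssl.keystore.location=/var/ssl/private/c3.keystore.jks
confluent.controlcenter.rest.ssl.keystore.password=CHANGEME-keystore
confluent.controlcenter.rest.ssl.key.password=CHANGEME-key
confluent.controlcenter.rest.ssl.truststore.location=/var/ssl/private/c3.truststore.jks
confluent.controlcenter.rest.ssl.truststore.password=CHANGEME-truststore

# Component store for Schema Registry only (password left blank on purpose)
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=/var/ssl/private/sr.truststore.jks
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=

# Shared proxy server store
confluent.controlcenter.rest.proxy.ssl.truststore.location=/var/ssl/private/proxy.truststore.jks
confluent.controlcenter.rest.proxy.ssl.truststore.password=CHANGEME-proxy
"""

# Property prefixes from this page, keyed by the store name used in the note.
STORE_PREFIXES = {
    "schema registry": "confluent.controlcenter.schema.registry.schema.registry.ssl.",
    "ksqldb": "confluent.controlcenter.ksql.ksql.ssl.",
    "proxy server": "confluent.controlcenter.rest.proxy.ssl.",
    "server": "confluent.controlcenter.rest.ssl.",
}

# Components that Control Center proxies and whose store is modelled here.
COMPONENTS = ("schema registry", "ksqldb")


def parse_properties(text):
    """Minimal Java-style properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def store_status(props, prefix):
    """Return truststore details for a store prefix, or None if not configured."""
    location = props.get(prefix + "truststore.location", "")
    if not location:
        return None
    return {
        "location": location,
        "password_set": bool(props.get(prefix + "truststore.password", "")),
        "keystore_set": bool(props.get(prefix + "keystore.location", "")),
    }


def resolve_store(props, component):
    """Walk the check order for one component: its own store, proxy, server."""
    for name in (component, "proxy server", "server"):
        status = store_status(props, STORE_PREFIXES[name])
        if status is not None:
            return name, status
    return None, None


def audit(props):
    """Report the effective store per component plus configuration warnings."""
    findings = {}
    for component in COMPONENTS:
        name, status = resolve_store(props, component)
        warnings = []
        if name is None:
            warnings.append("no truststore configured at any level")
        else:
            if not status["password_set"]:
                warnings.append("truststore password is empty")
            if name == "server":
                warnings.append("falls back to the server store (not recommended)")
        findings[component] = {"store": name, "warnings": warnings}
    return findings


if __name__ == "__main__":
    for component, finding in audit(parse_properties(SAMPLE_PROPERTIES)).items():
        print(f"{component}: store={finding['store']} warnings={finding['warnings']}")
```

Run against a real ``control-center.properties`` by replacing ``SAMPLE_PROPERTIES`` with the file contents; a component that resolves to ``server`` is one the note says should get its own store or at least the proxy store.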
In addition, |c3-short| should include a trusted certificate in its truststore to connect to |sr| over HTTPS, as described in :ref:`sr-https-additional`. Be sure to prefix the |c3-short| configuration attributes in ``control-center.properties`` with ``confluent.controlcenter.``. For example:

.. code:: bash

   confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=
   confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=
   confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location=
   confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password=
   confluent.controlcenter.schema.registry.schema.registry.ssl.key.password=

.. _controlcenter_ssl_connect:

.. include:: includes/ssl_connect.rst

.. _controlcenter-ssl-ksqldb:

Configure TLS proxy server access to |ksqldb|
*********************************************

|c3| normally communicates with |ksqldb| using the HTTP protocol. You can enable HTTPS between the two components by securing them with TLS. To configure |c3-short| to connect to |ksqldb| over HTTPS, refer to :ksqldb-docs:`Configure ksqlDB for HTTPS|operate-and-deploy/installation/server-config/security/#configure-ksqldb-for-https`.

Ensure that |c3-short| has a certificate in its truststore that is trusted by |ksqldb| to communicate over HTTPS. The following parameters should be included in the ``control-center.properties`` file:

.. code:: bash

   confluent.controlcenter.ksql.ksql.ssl.truststore.location=
   confluent.controlcenter.ksql.ksql.ssl.truststore.password=
   confluent.controlcenter.ksql.ksql.ssl.keystore.location=
   confluent.controlcenter.ksql.ksql.ssl.keystore.password=
   confluent.controlcenter.ksql.ksql.ssl.key.password=

.. _c3-proxy-truststore:

Configure a single proxy server store
*************************************

As an alternative to configuring |c3-short| for each component, you can configure a single proxy server store. To configure a proxy store, set the following properties:

.. code:: bash

   confluent.controlcenter.rest.proxy.ssl.truststore.location=
   confluent.controlcenter.rest.proxy.ssl.truststore.password=
   confluent.controlcenter.rest.proxy.ssl.keystore.location=
   confluent.controlcenter.rest.proxy.ssl.keystore.password=
   confluent.controlcenter.rest.proxy.ssl.key.password=

.. _c3-server-truststore:

Use the server store
********************

You can use the server store for proxy server TLS, although this is not recommended. If you use the server store, |c3-short| uses the store locations and passwords specified in :ref:`controlcenter-ui-https`.

Related content
^^^^^^^^^^^^^^^

:ref:`kafka_ssl_authentication`