.. _mqtt_proxy-security-settings:

Secure Communication for |mqtt| on |cp|
=======================================

The following sections describe the communication security settings for each hop: between MQTT clients and |mqtt|, and between |mqtt| and |ak|.

Between |mqtt| and MQTT clients
-------------------------------

The following communication settings are available between |mqtt| and MQTT clients.

**Security settings**

The following modes are supported:

* PLAINTEXT
* SSL
* TLS
* SASL_PLAINTEXT
* SASL_SSL
* SASL_TLS

These are configured by setting the ``listeners.security.protocol`` property. By default, a non-authenticated and non-encrypted channel is used.

.. csv-table::
   :header: "``listeners.security.protocol``", "Authenticated", "Encrypted"
   :widths: 20, 10, 10

   "PLAINTEXT", "No", "No"
   "SSL", "No", "Yes"
   "TLS", "No", "Yes"
   "SASL_PLAINTEXT", "Yes", "No"
   "SASL_SSL", "Yes", "Yes"
   "SASL_TLS", "Yes", "Yes"

**Authentication settings**

To configure and use authentication, set ``listeners.security.protocol`` to ``SASL_PLAINTEXT``, ``SASL_SSL``, or ``SASL_TLS``. You can then pass a regular JAAS configuration file as a JVM option. For example:

::

   export KAFKA_MQTT_OPTS="-Djava.security.auth.login.config=<path-to-jaas-file>"

|mqtt| ships with the default login module ``io.confluent.mqtt.protocol.security.PropertyFileLoginModule``. This module authenticates users against a local properties file. It can be used for development testing, but should not be used in production environments.

.. sourcecode:: bash

   # Sample JAAS file
   ConfluentKafkaMqtt {
     io.confluent.mqtt.protocol.security.PropertyFileLoginModule required
     file="/tmp/credentials.txt";
   };

**Encryption settings**

By default, encryption is disabled. To enable it, set ``listeners.security.protocol`` to ``SSL``, ``SASL_SSL``, ``TLS``, or ``SASL_TLS``. You can then pass the desired ``org.apache.kafka.common.config.SslConfigs`` properties.
For more details about setting up security, see the :ref:`security_tutorial`. To debug encryption issues, add this JVM option: ``-Djavax.net.debug=all``.

Between |mqtt| and |ak|
-----------------------

The following communication settings are available between |mqtt| and |ak|.

**Security settings**

The following modes are supported:

* PLAINTEXT
* SSL
* SASL_PLAINTEXT
* SASL_SSL

These are configured by setting the ``producer.security.protocol`` parameter. By default, a non-authenticated and non-encrypted channel is used.

.. csv-table::
   :header: "``producer.security.protocol``", "Authenticated", "Encrypted"
   :widths: 20, 10, 10

   "PLAINTEXT", "No", "No"
   "SSL", "No", "Yes"
   "SASL_PLAINTEXT", "Yes", "No"
   "SASL_SSL", "Yes", "Yes"

In addition to ``producer.security.protocol``, several other security properties need to be configured. Note that all properties prefixed with ``producer.*`` are propagated to the underlying producer created by the proxy (for writing to |ak|). The following shows an example of the ``SASL_SSL`` configuration properties:

::

   producer.security.protocol=SASL_SSL
   producer.ssl.truststore.location=/var/ssl/private/kafka.client.truststore.jks
   producer.ssl.truststore.password=<truststore-password>
   producer.sasl.mechanism=PLAIN
   producer.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
       username="<username>" \
       password="<password>";

* For more about producers and configuring producers, see :ref:`kafka_producer`.
* For all producer configuration properties, see :ref:`cp-config-producer`.
* For additional information about setting up security, see :ref:`security`.
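The two protocol tables above say which combinations leave a hop unauthenticated or unencrypted, and the surrounding text names the pieces that must accompany a SASL or SSL choice (a JAAS file reaching the JVM, the ``producer.ssl.*`` and ``producer.sasl.*`` keys, a login module that is not the development-only ``PropertyFileLoginModule``). The following script, an added example that is not part of the Confluent documentation or the MQTT Proxy code base, reads a proxy properties file and reports which of those guarantees are missing on each hop. It assumes the properties are in Java ``.properties`` format, that the JAAS file is passed through ``KAFKA_MQTT_OPTS`` as shown above, and that the sample property files, the JAAS path ``/etc/kafka-mqtt/jaas.conf`` and the placeholder credentials are constructed for the example.

```python
"""Audit MQTT Proxy security settings against the protocol tables on this page.

Added example, not code from the Confluent docs or from the MQTT Proxy itself.
Assumes a Java .properties file and a JAAS file passed via KAFKA_MQTT_OPTS.
"""

# (authenticated, encrypted) for each listeners.security.protocol value,
# as in the client-side table above.
LISTENER_GUARANTEES = {
    "PLAINTEXT": (False, False),
    "SSL": (False, True),
    "TLS": (False, True),
    "SASL_PLAINTEXT": (True, False),
    "SASL_SSL": (True, True),
    "SASL_TLS": (True, True),
}

# The proxy-to-Kafka producer side accepts the same values minus the TLS aliases.
PRODUCER_GUARANTEES = {k: v for k, v in LISTENER_GUARANTEES.items() if "TLS" not in k}

# Producer keys shown in the SASL_SSL example above, needed for SSL / SASL respectively.
PRODUCER_SSL_KEYS = ("producer.ssl.truststore.location",)
PRODUCER_SASL_KEYS = ("producer.sasl.mechanism", "producer.sasl.jaas.config")


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments and
    trailing-backslash continuation lines (as used by producer.sasl.jaas.config)."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        pending += line
        key, sep, value = pending.partition("=")
        pending = ""
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props, jvm_opts="", jaas_text=""):
    """Return a list of findings; an empty list means both hops are
    authenticated and encrypted and no development-only setting is left in."""
    findings = []
    listener_proto = props.get("listeners.security.protocol", "PLAINTEXT")
    producer_proto = props.get("producer.security.protocol", "PLAINTEXT")
    for hop, proto, table in (
        ("client->proxy", listener_proto, LISTENER_GUARANTEES),
        ("proxy->kafka", producer_proto, PRODUCER_GUARANTEES),
    ):
        if proto not in table:
            findings.append(f"{hop}: unsupported security protocol {proto!r}")
            continue
        authenticated, encrypted = table[proto]
        if not authenticated:
            findings.append(f"{hop}: {proto} does not authenticate peers")
        if not encrypted:
            findings.append(f"{hop}: {proto} sends traffic in the clear")
    # SASL on the listener side only works if a JAAS file reaches the JVM.
    if listener_proto.startswith("SASL") and "java.security.auth.login.config" not in jvm_opts:
        findings.append("client->proxy: SASL listener but no -Djava.security.auth.login.config in KAFKA_MQTT_OPTS")
    # The bundled property-file login module is for development testing only.
    if "PropertyFileLoginModule" in jaas_text:
        findings.append("JAAS: PropertyFileLoginModule authenticates against a local file; not for production")
    # -Djavax.net.debug=all is a debugging aid and floods logs with handshake detail.
    if "javax.net.debug" in jvm_opts:
        findings.append("JVM: javax.net.debug is set; remove it once the TLS issue is resolved")
    # Producer-side keys the chosen protocol needs.
    if "SSL" in producer_proto:
        findings += [f"proxy->kafka: {k} missing" for k in PRODUCER_SSL_KEYS if k not in props]
    if producer_proto.startswith("SASL"):
        findings += [f"proxy->kafka: {k} missing" for k in PRODUCER_SASL_KEYS if k not in props]
    return findings


# Constructed samples (not from the docs); credentials are placeholders.
DEFAULT_PROPERTIES = """\
# both hops explicitly left at the default
listeners.security.protocol=PLAINTEXT
producer.security.protocol=PLAINTEXT
"""
HARDENED_PROPERTIES = """\
# SASL_SSL on both hops
listeners.security.protocol=SASL_SSL
producer.security.protocol=SASL_SSL
producer.ssl.truststore.location=/var/ssl/private/kafka.client.truststore.jks
producer.ssl.truststore.password=<truststore-password>
producer.sasl.mechanism=PLAIN
producer.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \\
    username="<username>" \\
    password="<password>";
"""
HARDENED_JVM_OPTS = "-Djava.security.auth.login.config=/etc/kafka-mqtt/jaas.conf"  # constructed path
DEV_JAAS = """\
ConfluentKafkaMqtt {
  io.confluent.mqtt.protocol.security.PropertyFileLoginModule required
  file="/tmp/credentials.txt";
};
"""

if __name__ == "__main__":
    for name, text, opts, jaas in (
        ("defaults", DEFAULT_PROPERTIES, "", ""),
        ("hardened with dev JAAS", HARDENED_PROPERTIES, HARDENED_JVM_OPTS, DEV_JAAS),
    ):
        print(f"== {name}")
        for finding in audit(parse_properties(text), opts, jaas) or ["no findings"]:
            print("  -", finding)
```

Run it against the real properties file and the value of ``KAFKA_MQTT_OPTS`` before rollout; the defaults sample produces four findings (both hops unauthenticated and unencrypted), while the hardened sample only reports the development login module, which is exactly the item the page says not to ship.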