Configure Encryption for Confluent Platform with Ansible Playbooks

Ansible Playbooks for Confluent Platform supports two encryption methods: PLAINTEXT (no encryption) and TLS. PLAINTEXT is the default.

TLS encryption

Configure TLS for all components

To enable TLS encryption for all components, add the following in the hosts.yml file.

all:
  vars:
    ssl_enabled: true

Configure TLS for individual components

To selectively enable or disable TLS encryption for specific components, set the following variables to true or false. Each one overrides the global ssl_enabled setting for its component.

  • zookeeper_ssl_enabled
  • kafka_connect_ssl_enabled
  • kafka_rest_ssl_enabled
  • schema_registry_ssl_enabled
  • control_center_ssl_enabled
  • ksql_ssl_enabled

For example, if you want TLS enabled for all components except for Schema Registry, set:

all:
  vars:
    ssl_enabled: true
    schema_registry_ssl_enabled: false

By default, the certs for this configuration are self-signed. To deploy custom certificates, you can provide either custom certs or custom keystores and truststores.

Certificates

You can enable TLS encryption using one of the following.

  • Self-signed certs: A Certificate Authority will be generated by the Ansible playbooks and used to sign the certs for each host.

    Use self-signed certificates only for test and development environments. Due to security concerns, self-signed certificates are not supported for production environments.

  • Custom certs: You provide signed certs and keys for each host as well as the Certificate Authority Cert used to sign the certs.

  • Custom keystores and truststores: You provide keystores and truststores for each host.

Use custom certs for TLS

To provide custom certs for each host, you need the Certificate Authority certificate, the signed certificates, and keys for each host on the Ansible control node.

Complete the following steps to update hosts.yml.

  1. Specify that custom certs are provided.

    all:
      vars:
        ssl_custom_certs: true
    
  2. Enter the path to the Certificate Authority Cert used to sign each host certificate.

    all:
      vars:
        ssl_ca_cert_filepath: "/tmp/certs/ca.crt"
    
  3. Set the signed certificate path and key file path for each host.

    all:
      vars:
        ssl_signed_cert_filepath: "/tmp/certs/{{inventory_hostname}}-signed.crt"
        ssl_key_filepath: "/tmp/certs/{{inventory_hostname}}-key.pem"
    

    The variable {{inventory_hostname}} in the example shows that Ansible can read the hostnames set in the inventory file. For this reason, you can keep the inventory file shorter if you put the hostname in the filename for each signed certificate and key file.

    As an alternative, you can set the variables directly under a host. For example:

    schema_registry:
      hosts:
        ip-192-24-10-207.us-west.compute.internal:
          ssl_signed_cert_filepath: "/tmp/certs/192-24-10-207-signed.crt"
          ssl_key_filepath: "/tmp/certs/192-24-10-207-key.pem"
    

Use custom keystores and truststores for TLS

To provide custom keystores and truststores for each host, you need to have the keystores and truststores, and their passwords, for each host on the Ansible control node.

Complete the following steps to update hosts.yml.

  1. Specify that custom keystores and truststores are provided.

    all:
      vars:
        ssl_provided_keystore_and_truststore: true
    
  2. Provide the keystore and truststore filepaths and passwords.

    all:
      vars:
        ssl_keystore_filepath: "/tmp/certs/{{inventory_hostname}}-keystore.jks"
        ssl_keystore_key_password: mystorepassword
        ssl_keystore_store_password: mystorepassword
        ssl_truststore_filepath: "/tmp/certs/truststore.jks"
        ssl_truststore_password: truststorepass
    

    Using the {{inventory_hostname}} variable and setting the same password for each host, you can set these variables once in the hosts.yml file.

    As an alternative, you can set these variables under each host. For example:

    schema_registry:
      hosts:
        ip-192-24-10-207.us-west.compute.internal:
          ssl_keystore_filepath: "/tmp/certs/{{inventory_hostname}}-keystore.jks"
          ssl_keystore_key_password: mystorepassword
          ssl_keystore_store_password: mystorepassword
          ssl_truststore_filepath: "/tmp/certs/truststore.jks"
          ssl_truststore_password: truststorepass
    

Configure for FIPS

You can use Ansible to configure Confluent Platform Federal Information Processing Standard (FIPS) operational readiness. This feature is supported with Confluent Server, but not for standard Kafka deployments.

The following are requirements when configuring Ansible Playbooks for Confluent Platform for FIPS:

  • FIPS-enabled RHEL 7 System
  • Random number generator service running
  • Java 8 (Java 11 is not supported.)
  • When using ssl_custom_certs, ssl_signed_cert_filepath must be the path to the certificate chain. Using a single signed cert alone will not work.
  • All listeners must have ssl_enabled: true set.

To configure FIPS operational readiness with Confluent Server, set the following in the hosts.yml file:

all:
   vars:
     fips_enabled: true
     ssl_enabled: true
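The variables in the custom-certs steps and the FIPS requirements above are easy to get subtly wrong before the playbook ever runs: a host-level value silently overrides the global template, a component-level *_ssl_enabled: false contradicts the FIPS rule that every listener is encrypted, and a single leaf certificate where FIPS expects a chain. The following pre-flight check is an added example, not code from the Ansible Playbooks for Confluent Platform project. It models a parsed hosts.yml as nested dicts in the shape of the snippets on this page, resolves each host's effective variables using Ansible's inventory precedence (all vars, then group vars, then host vars, later wins), expands {{inventory_hostname}} in file paths, and reports violations of the rules stated above. The inventory, hostnames, paths and PEM contents are constructed sample data; the chain check only counts certificate blocks and does not validate signatures.

```python
"""Pre-flight check of hosts.yml TLS variables (added example, not part of
the Ansible Playbooks for Confluent Platform project).

Rules checked, as stated on the page:
  * <component>_ssl_enabled overrides the global ssl_enabled for that component
  * fips_enabled requires ssl_enabled: true and TLS on every listener
  * with ssl_custom_certs under FIPS, ssl_signed_cert_filepath must hold a
    certificate chain, not a single signed cert
All hostnames, paths and PEM contents below are constructed sample data.
"""
import re
from typing import Callable, Dict, List

COMPONENTS = ["zookeeper", "kafka_connect", "kafka_rest",
              "schema_registry", "control_center", "ksql"]

HOSTNAME_TEMPLATE = re.compile(r"\{\{\s*inventory_hostname\s*\}\}")
PEM_CERT_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed inventory mirroring the page's snippets: "all" carries the
# global vars, the other top-level keys are component groups with hosts.
SAMPLE_INVENTORY: Dict = {
    "all": {"vars": {
        "ssl_enabled": True,
        "fips_enabled": True,
        "ssl_custom_certs": True,
        "ssl_ca_cert_filepath": "/tmp/certs/ca.crt",
        "ssl_signed_cert_filepath": "/tmp/certs/{{inventory_hostname}}-signed.crt",
        "ssl_key_filepath": "/tmp/certs/{{inventory_hostname}}-key.pem",
    }},
    "kafka_broker": {"hosts": {"broker-1.example.internal": {}}},
    "schema_registry": {"hosts": {
        # Host-level values override the global template, as on the page.
        "ip-192-24-10-207.us-west.compute.internal": {
            "ssl_signed_cert_filepath": "/tmp/certs/192-24-10-207-signed.crt",
            "ssl_key_filepath": "/tmp/certs/192-24-10-207-key.pem",
            "schema_registry_ssl_enabled": False,
        }}},
}

# Constructed PEM contents keyed by path. Only the number of certificate
# blocks is inspected here; signature validity is openssl's job, not ours.
FAKE_CERT = PEM_CERT_HEADER + "\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {
    "/tmp/certs/broker-1.example.internal-signed.crt": FAKE_CERT * 2,  # leaf + intermediate
    "/tmp/certs/192-24-10-207-signed.crt": FAKE_CERT,                  # single cert only
}


def read_sample(path: str) -> str:
    """Stand-in for open(path).read() that serves the constructed files."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


def resolve_host_vars(inventory: Dict, group: str, host: str) -> Dict:
    """Merge all/group/host vars (later wins) and expand {{inventory_hostname}}."""
    merged = dict(inventory.get("all", {}).get("vars", {}))
    merged.update(inventory.get(group, {}).get("vars", {}))
    merged.update(inventory.get(group, {}).get("hosts", {}).get(host, {}))
    return {k: HOSTNAME_TEMPLATE.sub(host, v) if isinstance(v, str) else v
            for k, v in merged.items()}


def component_tls_enabled(host_vars: Dict, component: str) -> bool:
    """<component>_ssl_enabled, when present, takes precedence over ssl_enabled."""
    return bool(host_vars.get(f"{component}_ssl_enabled",
                              host_vars.get("ssl_enabled", False)))


def count_pem_certs(pem_text: str) -> int:
    """Number of certificate blocks in a PEM file; a chain has more than one."""
    return pem_text.count(PEM_CERT_HEADER)


def check_host(inventory: Dict, group: str, host: str,
               read_file: Callable[[str], str]) -> List[str]:
    """Return the rule violations for one host (an empty list means OK)."""
    hv = resolve_host_vars(inventory, group, host)
    problems: List[str] = []
    if not hv.get("fips_enabled"):
        return problems  # the remaining rules are FIPS-specific
    if not hv.get("ssl_enabled"):
        problems.append("fips_enabled requires ssl_enabled: true")
    for comp in COMPONENTS:
        if not component_tls_enabled(hv, comp):
            problems.append(f"{comp}_ssl_enabled is false; FIPS requires TLS on all listeners")
    if hv.get("ssl_custom_certs"):
        path = hv.get("ssl_signed_cert_filepath", "")
        try:
            n = count_pem_certs(read_file(path))
        except OSError:
            problems.append(f"missing signed cert file {path}")
        else:
            if n < 2:
                problems.append(f"{path} holds {n} certificate; FIPS needs the full chain")
    return problems


def check_inventory(inventory: Dict,
                    read_file: Callable[[str], str]) -> Dict[str, List[str]]:
    """Run check_host for every host of every group; "all" has no hosts key."""
    return {host: check_host(inventory, group, host, read_file)
            for group, body in inventory.items()
            for host in body.get("hosts", {})}


if __name__ == "__main__":
    # Pass `lambda p: open(p).read()` instead of read_sample on a real control node.
    for host, problems in check_inventory(SAMPLE_INVENTORY, read_sample).items():
        print(host, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

With the constructed data, the broker host resolves to /tmp/certs/broker-1.example.internal-signed.crt, finds two certificate blocks and passes, while the Schema Registry host is reported twice: its host-level schema_registry_ssl_enabled: false breaks the FIPS all-listeners rule, and its signed cert file holds a single certificate rather than a chain. Because the resolver expands every string variable, it also shows the effective ssl_keystore_filepath and password values per host for the keystore variant above; those passwords sit in hosts.yml as plain strings, so keep that file out of version control or protect the values with ansible-vault.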