Manage Data in Transit with TLS on Confluent Cloud

Confluent Cloud uses the Transport Layer Security (TLS) protocol to provide secure communication channels between clients and servers, protecting sensitive data during transmission across networks.

TLS on Confluent Cloud

All connections carrying data in transit to and from Confluent Cloud are encrypted with TLS. Confluent Cloud services other than Kafka clusters prefer TLS 1.3, with a fallback to TLS 1.2.

Kafka clusters on Confluent Cloud use TLS 1.2 by default. For Dedicated clusters, you can optionally enable TLS 1.3 by following the steps in Enable TLS 1.3 on Dedicated Clusters. Currently, other Confluent Cloud cluster types do not support TLS 1.3 and will be updated to support TLS 1.3 in the future.

Enable TLS 1.3 on Dedicated Clusters

By default, all Kafka clusters on Confluent Cloud use TLS 1.2. For Dedicated clusters, you can enable TLS 1.3 by updating the Kafka broker configuration property for the cluster. For details, see Manage TLS protocols.

For best practices on migrating to TLS 1.3, see Migrate to TLS 1.3 on Dedicated Clusters.

Verify TLS protocols

You can quickly verify that your Dedicated cluster is using TLS 1.3 with the Confluent CLI.

To verify that your Dedicated cluster is using TLS 1.3, use the following confluent kafka cluster configuration describe command:

confluent kafka cluster configuration describe \
  --cluster <cluster-id>

For example, to verify that your Dedicated cluster lkc-abc123 is using TLS 1.3, you can use the following command:

confluent kafka cluster configuration describe \
  --cluster lkc-abc123

The output should be similar to the following:

+-----------+-----------------------+
| Name      | ssl.enabled.protocols |
| Value     | TLSv1.3               |
| Read-Only | true                  |
+-----------+-----------------------+

If the ssl.enabled.protocols property is set to TLSv1.3, then your Dedicated cluster only uses TLS 1.3. To include TLS 1.2, you can update the property to TLSv1.3,TLSv1.2.

For details on using the confluent kafka cluster configuration describe command, see confluent kafka cluster configuration describe.

Migrate to TLS 1.3 on Dedicated Clusters

By default, Kafka clusters use TLS 1.2. You can update a Dedicated cluster to use TLS 1.3 by following these recommended steps:

  1. Update the Kafka broker configuration for your Dedicated cluster to use both TLS 1.3 and TLS 1.2 (ssl.enabled.protocols=TLSv1.3,TLSv1.2). After you update the broker configuration, clients that are configured to use TLS 1.3 automatically use TLS 1.3. For details, see Enable TLS 1.3 on Dedicated Clusters.

    You can verify that the Kafka cluster is using TLS 1.3 by running the confluent kafka cluster configuration describe command. For details, see Verify TLS protocols.

  2. Ensure that all Kafka clients connecting to the Kafka cluster are configured to use TLS 1.3.

    • Java clients: Set ssl.enabled.protocols=TLSv1.3,TLSv1.2. For Java clients version 2.6.0 or later (Confluent Platform 6.0.0 or later), this is the default behavior. Note that Java clients older than version 3.0.2/3.1.1 might experience performance degradation when using TLS 1.3. For details, see Brokers disconnect intermittently with TLS1.3 (KAFKA-13418).
    • Other clients: Check the documentation for your client library to determine how to configure it to use TLS 1.3.
  3. Verify all applications are healthy and processing data using TLS 1.3.

  4. After confirming that all client applications are able to successfully use TLS 1.3 without any issues, you can optionally update the configuration to use only TLS 1.3 (ssl.enabled.protocols=TLSv1.3). This disables TLS 1.2 on the brokers. For details, see Enable TLS 1.3 on Dedicated Clusters.

    Important

    Follow a slow rollout, because some older client libraries do not behave well with TLS 1.3. By initially enabling both TLS 1.2 and TLS 1.3 on the brokers, you can confirm that your clients work correctly with TLS 1.3 before disabling TLS 1.2.

  5. Verify again that all applications are healthy and processing data now that TLS 1.2 is disabled on the brokers. For details, see Verify TLS protocols.
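The following script is an added example, not part of the Confluent documentation or CLI. It parses the ssl.enabled.protocols table shown under Verify TLS protocols into one of the policy states the migration steps above move through (mixed, then TLS 1.3 only), and adds an optional live check with openssl s_client that reports which TLS version a broker actually negotiates with a client pinned to TLS 1.2 or 1.3, which is how you confirm step 5 from the client side. The describe output embedded below is constructed; the live check assumes network access to your bootstrap endpoint and openssl in PATH.

```shell
#!/bin/sh
# Constructed sample of `confluent kafka cluster configuration describe`
# output for a cluster still in the mixed (TLS 1.3 + TLS 1.2) state.
SAMPLE_DESCRIBE='+-----------+-----------------------+
| Name      | ssl.enabled.protocols |
| Value     | TLSv1.3,TLSv1.2       |
| Read-Only | true                  |
+-----------+-----------------------+'

# Extract the ssl.enabled.protocols value from the CLI table read on stdin.
enabled_protocols() {
  awk -F'|' '$2 ~ /^ *Value *$/ { gsub(/^[ \t]+|[ \t]+$/, "", $3); print $3 }'
}

# Map the broker value to a migration state a runbook can gate on.
classify_policy() {
  case "$1" in
    TLSv1.3)                          echo tls13-only ;;
    TLSv1.3,TLSv1.2|TLSv1.2,TLSv1.3)  echo mixed ;;
    TLSv1.2)                          echo tls12-only ;;
    *)                                echo unknown ;;
  esac
}

# Live check (assumption: network access and openssl available; not run here).
# $1 = bootstrap host:port, $2 = -tls1_2 or -tls1_3. Prints the negotiated
# protocol from the SSL-Session block, or nothing if the handshake is refused,
# e.g. -tls1_2 against a cluster set to TLSv1.3 only.
negotiated_protocol() {
  openssl s_client -connect "$1" -servername "${1%%:*}" "$2" </dev/null 2>/dev/null |
    awk '/^ *Protocol *:/ { print $NF; exit }'
}

# Offline demonstration against the constructed sample.
protocols=$(printf '%s\n' "$SAMPLE_DESCRIBE" | enabled_protocols)
echo "ssl.enabled.protocols=$protocols -> $(classify_policy "$protocols")"
```

Run `negotiated_protocol pkc-example.region.provider.confluent.cloud:9092 -tls1_2` (hypothetical endpoint) after step 4; an empty result means TLS 1.2 is no longer accepted.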