Configuration Reference for Schema Registry Clients on Confluent Cloud

This section contains configuration options for clients to Schema Registry. You can add these configurations as properties to producer and consumer client configuration files or on the command line for testing.

For examples of these options in use, see Avro, Protobuf, and JSON Schema in Formats, Serializers, and Deserializers for Schema Registry on Confluent Cloud.

schema.registry.url

Comma-separated list of URLs for Schema Registry instances.

  • Type: list
  • Default: null
  • Importance: high

basic.auth.credentials.source

Specify how to pick the credentials for Basic authentication header. The supported values are URL, USER_INFO, and SASL_INHERIT.

  • Type: string
  • Default: “STATIC_TOKEN”
  • Importance: medium

URL - The user information is configured as part of the schema.registry.url configuration in the form of http://<username>:<password>@sr-host:<sr-port>

USER_INFO - The user information is configured using the below configuration.

basic.auth.user.info

Specify the user information for Basic authentication in the form of {username}:{password}.

  • Type: password
  • Default: “”
  • Importance: medium

SASL_INHERIT - Inherit the settings used by the Kafka client to communicate with the broker using SASL SCRAM or SASL PLAIN.

An example of using a credentials file to authenticate a consumer to Schema Registry is in Print schema IDs with command line consumer utilities.

For more examples and details on credentials files on both Confluent Cloud and Confluent Platform, see the Prerequisites sections in each of the “Test Drives” for the different schema formats:

basic.auth.user.info

Specifies the user info for basic authentication in the form of user:password.

  • Type: string
  • Default: “”
  • Importance: high

http.connect.timeout.ms

Specifies the HTTP connection timeout in milliseconds for the Schema Registry client. The default is 60000 milliseconds (60 seconds).

  • Type: int
  • Default: 60000
  • Valid Values: [0,…]
  • Importance: low

http.read.timeout.ms

Specifies the HTTP read timeout in milliseconds for the Schema Registry client.

  • Type: int
  • Default: 60000
  • Valid Values: [0,…]
  • Importance: low

bearer.auth.token

Specifies the bearer token to be used for authentication.

  • Type: password
  • Default: “”
  • Importance: medium

proxy.host

The hostname or address of the proxy server that will be used to connect to Schema Registry instances.

  • Type: string
  • Default: “”
  • Importance: low

proxy.port

The port number of the proxy server that will be used to connect to the Schema Registry instances.

  • Type: int
  • Default: “-1”
  • Importance: low

bearer.auth.credentials.source

Specifies how to pick the credentials for bearer authentication.

  • Type: string
  • Default: “OAUTHBEARER”
  • Importance: medium

bearer.auth.issuer.endpoint.url

The HTTP(S)-based URL for the OAuth/OIDC identity provider which issues access tokens.

  • Type: string
  • Default: “null”
  • Importance: medium

bearer.auth.client.id

Client ID used to obtain client credentials grant from OAuth/OIDC identity provider.

  • Type: string
  • Default: “null”
  • Importance: medium

bearer.auth.client.secret

The client secret used to obtain client credentials grant from OAuth/OIDC identity provider.

  • Type: password
  • Default: “null”
  • Importance: medium

bearer.auth.scope

The access token scope used to obtain client credentials grant from OAuth/OIDC identity provider.

  • Type: string
  • Default: “null”
  • Importance: medium

bearer.auth.scope.claim.name

The OAuth claim for the scope is often named “scope”, but this optional setting can provider a different name for the scope included in the JWT payload’s claims if the OAuth/OIDC provider uses a different name for that claim.

  • Type: string
  • Default: “scope”
  • Importance: low

bearer.auth.sub.claim.name

The OAuth claim for the subject is often named “sub”, but this optional setting can provide a different name to use for the subject included in the JWT payload’s claims if the OAuth/OIDC provider uses a different name for that claim.

  • Type: string
  • Default: “sub”
  • Importance: low

bearer.auth.logical.cluster

An additional property that can be added in the request header to identify the logical cluster.

  • Type: string
  • Default: “null”
  • Importance: low

bearer.auth.identity.pool.id

Additional property that can be added in the request header to identify the principal ID for authorization.

  • Type: string
  • Default: “null”
  • Importance: medium

bearer.auth.cache.expiry.buffer.seconds

The amount of buffer time between expiration times of the OAuth token and corresponding cache which holds the token. Ideally you would want to get a new token before the current one expires. Legal values are between 0 and 3600 (1 hour); a default value of 300 (5 minutes) is used if no value is specified. This value is ignored if it exceeds the remaining lifetime of a token from the moment it is retrieved into Schema Registry.

  • Type: short
  • Default: “300”
  • Valid Values: [0, 3600]
  • Importance: low

bearer.auth.custom.provider.class

Custom class that will provide the token credential. Needs to implement the io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider interface.

  • Type: string
  • Default: “null”
  • Importance: medium

ssl.protocol

The SSL protocol used to generate the SSLContext. The default is TLSv1.3 when running with Java 11 or later, or``TLSv1.2`` otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ssl.enabled.protocols, clients will downgrade to TLSv1.2 if the server does not support TLSv1.3. If this configuration is set to TLSv1.2, clients will not use TLSv1.3 even if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3.

  • Type: string
  • Default: “TLSv1”
  • Importance: medium

ssl.provider

The name of the security provider used for SSL connections. Default value is the default security provider of the Java Virtual Machine (JVM).

  • Type: string
  • Default: “null”
  • Importance: medium

ssl.cipher.suites

A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol. By default, all the available cipher suites are supported.

  • Type: list
  • Default: “null”
  • Importance: low

ssl.enabled.protocols

The comma-separated list of protocols enabled for SSL connections. The default value is TLSv1.2,TLSv1.3 when running with Java 11 or later, TLSv1.2 otherwise. With the default value for Java 11 (TLSv1.2,TLSv1.3), clients and servers prefer TLSv1.3 if both support it, and fall back to TLSv1.2 otherwise (assuming both support at least TLSv1.2). To learn more, see ssl.protocol.

  • Type: list
  • Default: “TLSv1.2, TLSv1.3”
  • Importance: medium

ssl.keystore.type

The file format of the key store file. This is optional for client. The values currently supported by the default ssl.engine.factory.class are [JKS, PKCS12, PEM].

  • Type: string
  • Default: “JKS”
  • Importance: medium

ssl.keystore.key

Private key in the format specified by ssl.keystore.type. Default SSL engine factory supports only PEM format with PKCS#8 keys. If the key is encrypted, the key password must be specified using ssl.key.password.

ssl.keystore.certificate.chain

Certificate chain in the format specified by ssl.keystore.type. Default SSL engine factory supports only PEM format with a list of X.509 certificates

  • Type: password
  • Default: “null”
  • Importance: high

ssl.truststore.certificates

Trusted certificates in the format specified by ssl.truststore.type. Default SSL engine factory supports only PEM format with X.509 certificates.

  • Type: password
  • Default: “null”
  • Importance: high

ssl.keystore.location

The location of the key store file. This is optional for client and can be used for two-way authentication for client.

  • Type: string
  • Default: “null”
  • Importance: high

ssl.keystore.password

The store password for the key store file. This is optional for client and only needed if ssl.keystore.location is configured. Key store password is not supported for PEM format.

  • Type: password
  • Default: “null”
  • Importance: high

ssl.key.password

The password of the private key in the key store file or the PEM key specified in ssl.keystore.key.

  • Type: password
  • Default: “”
  • Importance: high

ssl.truststore.type

The file format of the trust store file. The values currently supported by the default ssl.engine.factory.class are [JKS, PKCS12, PEM].

  • Type: string
  • Default: “JKS”
  • Importance: medium

ssl.truststore.location

The location of the trust store file.

  • Type: string
  • Default: “null”
  • Importance: high

ssl.truststore.password

The password for the trust store file. If a password is not set, trust store file configured will still be used, but integrity checking is disabled. Trust store password is not supported for PEM format.

  • Type: password
  • Default: “null”
  • Importance: high

ssl.keymanager.algorithm

The algorithm used by key manager factory for SSL connections. The default value is the key manager factory algorithm configured for the JVM.

  • Type: string
  • Default: The trust manager factory algorithm configured for the Java Virtual Machine.
  • Importance: low

ssl.trustmanager.algorithm

The algorithm used by trust manager factory for SSL connections. Default value is the trust manager factory algorithm configured for the JVM.

  • Type: string
  • Default: The trust manager factory algorithm configured for the Java Virtual Machine.
  • Importance: low

ssl.endpoint.identification.algorithm

The endpoint identification algorithm to validate server hostname using server certificate.

  • Type: string
  • Default: “HTTPS”
  • Importance: low

ssl.secure.random.implementation

The SecureRandom PRNG implementation to use for SSL cryptography operations.

  • Type: string
  • Default: “null”
  • Importance: low

ssl.engine.factory.class

The class of type org.apache.kafka.common.security.auth.SslEngineFactory to provide SSLEngine objects. The default value is org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.

  • Type: class
  • Default: “null”
  • Importance: low