Configuring SSL

Important

Having an understanding of the following topics will help in successfully securing Control Center:

Simply having a secured Kafka broker does not guarantee that Control Center is secured and working properly. Each component that communicates with a secured Control Center instance requires a specific configuration to be set by its prefix. Prefixes such as confluent.controlcenter.streams., confluent.metrics.reporter., producer., consumer., and confluent.monitoring.interceptor. could conceivably be configured in different files of the Confluent Platform stack to secure Control Center end-to-end. Not all configuration settings may be required; consult the configuration references for each component you are configuring.

Control Center supports SSL one- and two-way authentication and can be enabled for different communications. Some possible configurations are:

  • secured Client interceptors (Connect/Confluent/regular client) -> secured Control Center Broker
  • secured Kafka Broker -> secured Control Center Broker
  • secured Metrics Reporter + secured Kafka Broker -> secured Control Center Broker

Kafka Brokers

If an Apache Kafka® broker has been set up to use SSL, the same configurations need to be set for the metrics reporter. In the aforementioned link, a broker was set with the following configuration:

...
sasl.mechanism.inter.broker.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
...

To secure the metrics reporter on the broker, use the same values with the prefix confluent.metrics.reporter.. To secure the stream monitoring interceptor on the broker, use the same values with the prefix confluent.monitoring.interceptor..

confluent.metrics.reporter.security.protocol=SSL
confluent.metrics.reporter.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.metrics.reporter.ssl.keystore.password=test1234
confluent.metrics.reporter.ssl.key.password=test1234
confluent.metrics.reporter.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.metrics.reporter.ssl.truststore.password=test1234

There are other configuration options in the settings for Authorization. To learn more about overriding/setting configuration options for interceptors, see Enabling Interceptors. Any configuration for the interceptor is prefixed by confluent.metrics.reporter..

Note

With any of the configuration changes, a restart of the service is required. When restarting brokers, make sure each broker is available before restarting another.

Control Center Kafka Streams

Control Center needs to know when security is enabled for any other component. Internally, Control Center uses Kafka Streams as a state store, so with a secured broker, Kafka Streams also need to be secured.

The following changes need to be made to the control-center.properties file as appropriate for the environment:

security.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234

confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.controlcenter.streams.ssl.keystore.password=test1234
confluent.controlcenter.streams.ssl.key.password=test1234
confluent.controlcenter.streams.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.controlcenter.streams.ssl.truststore.password=test1234

Note

For a detailed explanation of configuring Apache Kafka® client interceptors, see Enabling Interceptors.

Connect

The modifications to distributed connect works very similarly to the confluent.metrics.reporter. The connect documentation covers this thoroughly.

Complete Configuring Workers with Security and Configuring Connectors with Security. Control Center uses both of those.

In addition to the generic Connect and producer/consumer changes, the monitoring interceptors should take the same configuration in connect-distributed.properties:

#### Monitoring producer interceptor ####
producer.confluent.monitoring.interceptor.security.protocol=SSL
producer.confluent.monitoring.interceptor.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
producer.confluent.monitoring.interceptor.ssl.truststore.password=test1234
producer.confluent.monitoring.interceptor.ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
producer.confluent.monitoring.interceptor.ssl.keystore.password=connector1234
producer.confluent.monitoring.interceptor.ssl.key.password=connector1234

consumer.confluent.monitoring.interceptor.security.protocol=SSL
consumer.confluent.monitoring.interceptor.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
consumer.confluent.monitoring.interceptor.ssl.truststore.password=test1234
consumer.confluent.monitoring.interceptor.ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
consumer.confluent.monitoring.interceptor.ssl.keystore.password=connector1234
consumer.confluent.monitoring.interceptor.ssl.key.password=connector1234