Important

You are viewing documentation for an older version of Confluent Platform. For the latest, click here.

Configuring SSL

Important

Having a working understanding of the following topics will help in setting up a secured Control Center successfully.

Simply having a secured Kafka broker does not guarantee that the Control Center is secured and working. Each component communicating with a secured Control Center requires a specific config to be set by prefix. The prefixes confluent.controlcenter.streams., confluent.metrics.reporter., producer., consumer., and confluent.monitoring.interceptor. could conceivably be configured (in different files of the Control Center stack) to secure the Control Center end to end. Not all configuration settings may be required.

The Control Center supports SSL one and two way authentication and can be enabled for different communications. Some possible configurations are:

  • secured Client interceptors (Connect/Confluent/regular client) -> secured Control Center Broker
  • secured Kafka Broker -> secured Control Center Broker
  • secured Metrics Reporter + (un)secured Kafka Broker -> secured Control Center Broker

Kafka Brokers

If a Apache Kafka® broker has been set up to use SSL, the same configurations need to be set for the metrics reporter. In the link, a broker was set with the following configuration:

...
sasl.mechanism.inter.broker.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
...

In order to secure the metrics reporter on the broker, the same values should be used with the prefix confluent.metrics.reporter.. In order to secure the stream monitoring interceptor on the broker, the same values should be used with the prefix confluent.monitoring.interceptor..

confluent.metrics.reporter.security.protocol=SSL
confluent.metrics.reporter.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.metrics.reporter.ssl.keystore.password=test1234
confluent.metrics.reporter.ssl.key.password=test1234
confluent.metrics.reporter.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.metrics.reporter.ssl.truststore.password=test1234

Note

These settings will work against a secured Control Center running on a non-secured broker

There are other configuration options in the settings for Authorization To learn more about overriding/setting configuration options for interceptors, go here. Any configuration for the interceptor is prefixed by confluent.metrics.reporter..

Note

With any of the config changes, a restart of the service is required. When restarting brokers, make sure each broker is available before restarting another.

Control Center

The Control Center needs to know that security is enabled. Internally, the Control Center uses Kafka Streams as a state store, so with a secured broker, they also need to be secured.

The following changes need to be made to the control-center.properties file:

security.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234

confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.controlcenter.streams.ssl.keystore.password=test1234
confluent.controlcenter.streams.ssl.key.password=test1234
confluent.controlcenter.streams.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.controlcenter.streams.ssl.truststore.password=test1234

Note

For a more detailed explanation of configuring Apache Kafka® client interceptors, click here.

Connect

The modifications to distributed connect works very similarly from the confluent.metrics.reporter. The connect documentation covers this thoroughly.

Complete Configuring Workers with Security and Configuring Connectors with Security. The Control Center uses both of those.

In addition to the generic Connect and producer/consumer changes, the monitoring interceptors should take the same configuration in the connect-distrubted.properties:

#### Monitoring producer interceptor ####
producer.confluent.monitoring.interceptor.security.protocol=SSL
producer.confluent.monitoring.interceptor.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
producer.confluent.monitoring.interceptor.ssl.truststore.password=test1234
producer.confluent.monitoring.interceptor.ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
producer.confluent.monitoring.interceptor.ssl.keystore.password=connector1234
producer.confluent.monitoring.interceptor.ssl.key.password=connector1234

consumer.confluent.monitoring.interceptor.security.protocol=SSL
consumer.confluent.monitoring.interceptor.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
consumer.confluent.monitoring.interceptor.ssl.truststore.password=test1234
consumer.confluent.monitoring.interceptor.ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
consumer.confluent.monitoring.interceptor.ssl.keystore.password=connector1234
consumer.confluent.monitoring.interceptor.ssl.key.password=connector1234