.. _controlcenter_security_ssl:

Configuring SSL
---------------

.. important::

   An understanding of the following topics will help in successfully securing |c3-short|:

   - An |ak-tm| broker set up using :ref:`the existing SSL documentation`.
   - Familiarity with :ref:`Authorization Settings`.
   - Locations of the properties files for |ak| brokers, Connect producers and consumers, and |c3-short|.

Simply having a secured |ak| broker does not guarantee that |c3-short| is secured and working properly. Each component that communicates with a secured |c3-short| instance requires its own configuration, set under that component's prefix. Prefixes such as ``confluent.controlcenter.streams.``, ``confluent.metrics.reporter.``, ``producer.``, ``consumer.``, and ``confluent.monitoring.interceptor.`` may need to be configured in different files of the |cp| stack to secure |c3-short| end-to-end. Not every setting is required in every deployment; consult the configuration reference for each component you are configuring.

|c3-short| supports one-way and two-way SSL authentication, which can be enabled separately for each communication path. Some possible configurations are:

- secured client interceptors (Connect, Confluent, or regular client) -> secured |c3-short| broker
- secured |ak| broker -> secured |c3-short| broker
- secured Metrics Reporter + secured |ak| broker -> secured |c3-short| broker

.. _controlcenter_ssl_broker:

.. include:: includes/ssl_broker.rst

.. _control_center_ssl_c3:

.. include:: includes/ssl_c3.rst

.. _controlcenter_ssl_connect:

.. include:: includes/ssl_connect.rst

.. _controlcenter-ssl-ksqldb:

|ksqldb|
^^^^^^^^

|c3| communicates with |ksqldb| over HTTP, which can be secured with SSL (HTTPS). To configure |c3-short| to connect to |ksqldb| over HTTPS, refer to :ksqldb-docs:`Configure ksqlDB for https|operate-and-deploy/installation/server-config/security/#configure-ksqldb-for-https`.

Ensure that |c3-short| has a certificate in its truststore that is trusted by |ksqldb|, so that the two can communicate over HTTPS.

.. _controlcenter-ssl-sr:

|sr|
^^^^

When |c3| connects to |sr| and |sr| has SSL enabled:

- |sr| communicates with |ak| over the |ak| protocol, which is secured with SSL.
- |c3-short| communicates with |ak| over the |ak| protocol, which is secured with SSL.
- |c3-short| communicates with |sr| over HTTP secured with SSL (HTTPS).

Essentially, |c3-short| functions as an HTTPS client to |sr|. To secure this connection, configure |sr| to allow HTTPS as described in :ref:`schema_registry_http_https`. In addition, |c3-short| must have a trusted certificate in its truststore to connect to |sr| over HTTPS, as described in :ref:`sr-https-additional`. Be sure to prefix the |c3-short| configuration attributes in ``control-center.properties`` with ``confluent.controlcenter.``. For example::

   confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=/etc/kafka/secrets/kafka.client.truststore.jks
   confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=
   confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location=/etc/kafka/secrets/kafka.client.keystore.jks
   confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password=
   confluent.controlcenter.schema.registry.schema.registry.ssl.key.password=

.. note::

   Because |c3-short| is a client of many different components, its client prefix includes the component, in this case |sr|: ``confluent.controlcenter.schema.registry``. With the exception of ``confluent.controlcenter.schema.registry.url``, additional |sr| configurations are formed from the ``confluent.controlcenter.schema.registry`` prefix plus the |sr| configuration suffix. For example, the SSL truststore location is set as follows:

   .. code:: bash

      confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=

   The repetition of ``schema.registry`` in these configurations is intentional.

See also :ref:`How to configure clients to Schema Registry` in :ref:`schemaregistry_security`.
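As an added example (not part of the Confluent documentation or product), the following Python script parses a ``control-center.properties`` fragment and checks the |sr| client SSL keys described above: it flags keys that drop the repeated ``schema.registry`` segment, an HTTPS URL without truststore settings, and an incomplete two-way SSL keystore block. The key names are taken from this page; the sample properties and the hostname in them are constructed.

```python
"""Lint the Schema Registry HTTPS client keys in control-center.properties.
Added example, not Confluent code. Key names follow the page; the sample is constructed."""
import re

PREFIX = "confluent.controlcenter.schema.registry."
GOOD = PREFIX + "schema.registry.ssl."  # the doubled segment is intentional
BAD = PREFIX + "ssl."                   # looks plausible, but is not the documented key
TRUSTSTORE = ("truststore.location", "truststore.password")            # one-way SSL
KEYSTORE = ("keystore.location", "keystore.password", "key.password")  # two-way SSL

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def lint_sr_ssl(props):
    """Return a list of findings; an empty list means the SR client SSL block is consistent."""
    findings = []
    for key in props:
        if key.startswith(BAD):
            findings.append(f"{key}: missing repeated 'schema.registry'; use {GOOD}{key[len(BAD):]}")
    url = props.get(PREFIX + "url", "")
    if url.startswith("https://"):
        for suffix in TRUSTSTORE:  # without these, Control Center cannot verify the SR certificate
            if not props.get(GOOD + suffix):
                findings.append(f"{GOOD}{suffix} must be set for HTTPS")
        present = [s for s in KEYSTORE if props.get(GOOD + s)]
        if present and len(present) != len(KEYSTORE):
            findings.append("two-way SSL keystore block is incomplete: only " + ", ".join(present))
    elif url.startswith("http://"):
        findings.append(f"{PREFIX}url is plain HTTP; Schema Registry traffic is unencrypted")
    return findings

# Constructed sample with two mistakes: an empty truststore password and a keystore
# key that lacks the repeated ``schema.registry`` segment.
SAMPLE = """\
confluent.controlcenter.schema.registry.url=https://sr.example.internal:8081
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=/etc/kafka/secrets/kafka.client.truststore.jks
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=
confluent.controlcenter.schema.registry.ssl.keystore.location=/etc/kafka/secrets/kafka.client.keystore.jks
"""
```

Running ``lint_sr_ssl(parse_properties(SAMPLE))`` on the constructed sample returns two findings, one per mistake.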