Configuring SSL¶
Important
An understanding of the following topics will help in successfully securing Control Center:
- An Apache Kafka® broker set up using the existing SSL documentation.
- Familiarity with Authorization Settings.
- Locations of the properties files for Kafka brokers, Connect producers and consumers, and Control Center.
Simply having a secured Kafka broker does not guarantee that Control Center is
secured and working properly. Each component that communicates with a secured
Control Center instance requires a specific configuration to be set by its prefix.
Prefixes such as confluent.controlcenter.streams.
,
confluent.metrics.reporter.
, producer.
, consumer.
, and
confluent.monitoring.interceptor.
could conceivably be configured in
different files of the Confluent Platform stack to secure Control Center end-to-end. Not all
configuration settings may be required; consult the configuration references for
each component you are configuring.
Control Center supports SSL one- and two-way authentication and can be enabled for different communications. Some possible configurations are:
- secured Client interceptors (Connect/Confluent/regular client) -> secured Control Center Broker
- secured Kafka Broker -> secured Control Center Broker
- secured Metrics Reporter + secured Kafka Broker -> secured Control Center Broker
Kafka Brokers¶
If an Apache Kafka® broker has been set up to use SSL, the same configurations need to be set for the metrics reporter. In the aforementioned link, a broker was set with the following configuration:
...
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
...
To secure the metrics reporter on the broker, use the same values with the prefix confluent.metrics.reporter.
.
To secure the stream monitoring interceptor on the broker, use the same values with the prefix confluent.monitoring.interceptor.
.
confluent.metrics.reporter.security.protocol=SSL
confluent.metrics.reporter.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.metrics.reporter.ssl.keystore.password=test1234
confluent.metrics.reporter.ssl.key.password=test1234
confluent.metrics.reporter.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.metrics.reporter.ssl.truststore.password=test1234
There are other configuration options in the settings for Authorization. To learn more about overriding/setting configuration options for interceptors, see Enabling Interceptors.
Any configuration for the interceptor is prefixed by confluent.metrics.reporter.
.
Note
With any of the configuration changes, a restart of the service is required. When restarting brokers, make sure each broker is available before restarting another.
Control Center Kafka Streams¶
Control Center needs to know when security is enabled for any other component. Internally, Control Center uses Kafka Streams as a state store, so with a secured broker, Kafka Streams also need to be secured.
The following changes need to be made to the control-center.properties
file as appropriate for the
environment:
confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.controlcenter.streams.ssl.keystore.password=test1234
confluent.controlcenter.streams.ssl.key.password=test1234
confluent.controlcenter.streams.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.controlcenter.streams.ssl.truststore.password=test1234
Note
For a detailed explanation of configuring Apache Kafka® client interceptors, see Enabling Interceptors.
Connect¶
This section describes how to configure Connect worker interceptors with SSL and how to configure Control Center to communicate with Connect over HTTPS.
Configuring Connect Worker Interceptors with SSL¶
The modifications to distributed connect works very similarly to the confluent.metrics.reporter
.
The connect documentation covers this thoroughly.
Configuring Control Center to communicate with Connect over HTTPS¶
Confluent Control Center communicates with Connect using the HTTP protocol, which can be secured with SSL (also known as HTTPS). Make sure that Control Center has a certificate in its truststore that is trusted by Connect to communicate over HTTPS. The following variables are required in Control Center for HTTPS communication with Connect:
# HTTP and HTTPS to Control Center UI
CONTROL_CENTER_REST_LISTENERS: "<http://0.0.0.0:9021,https://0.0.0.0:9022">
CONTROL_CENTER_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.control-center.truststore.jks
CONTROL_CENTER_REST_SSL_TRUSTSTORE_PASSWORD: confluent
CONTROL_CENTER_REST_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.control-center.keystore.jks
CONTROL_CENTER_REST_SSL_KEYSTORE_PASSWORD: confluent
CONTROL_CENTER_REST_SSL_KEY_PASSWORD: confluent
For additional information about accessing Connect over HTTPS, refer to Configuring the Connect REST API for HTTP or HTTPS.
ksqlDB¶
Confluent Control Center communicates with ksqlDB using the HTTP protocol, which can be secured with SSL (also known as HTTPS). To configure Control Center to connect to ksqlDB over HTTPS, refer to Configure ksqlDB for https.
Ensure that Control Center has a certificate in its truststore that is trusted by
ksqlDB to communicate over HTTPS. The following parameters should be included in the control-center.properties
file:
confluent.controlcenter.ksql.ksql.ssl.truststore.location=<truststore-location>
confluent.controlcenter.ksql.ksql.ssl.truststore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.keystore.location=<keystore-location>
confluent.controlcenter.ksql.ksql.ssl.keystore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.key.password=<password>
Schema Registry¶
When Confluent Control Center connects to Schema Registry and Schema Registry has SSL enabled:
- Schema Registry communicates with Kafka over the Kafka protocol, which is secured with SSL.
- Control Center communicates with Kafka over the Kafka protocol, which is secured with SSL.
- Control Center communicates with Schema Registry over the HTTP protocol (also known as HTTPS), which is secured with SSL .
Essentially, Control Center functions as an HTTPS client to Schema Registry. To secure Control Center with HTTPS, configure Schema Registry to allow HTTPS as described in Configuring the REST API for HTTP or HTTPS.
In addition, Control Center should include a trusted certificate to its truststore to connect to Schema Registry over HTTPS as described in Additional configurations for HTTPS.
Be sure to prefix the Control Center configuration attributes in control-center.properties
with confluent.controlcenter.
For example:
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=/etc/kafka/secrets/kafka.client.truststore.jks
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location=/etc/kafka/secrets/kafka.client.keystore.jks
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.key.password=<password>
Note
Since the Control Center is a client for many different components, its client prefix includes the component, in this case Schema Registry: confluent.controlcenter.schema.registry
.
With the exception of confluent.controlcenter.schema.registry.url
, the use of additional Schema Registry configurations are formatted with the
confluent.controlcenter.schema.registry
prefix plus the Schema Registry configuration suffix. For example, the SSL truststore location is set as follows:
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=<value>
The repetition of schema.registry
in these configurations is intentional.
See also, How to configure clients to Schema Registry in the Schema Registry Security Overview.