All security configurations used to connect to the source cluster can be configured on
the cluster link when the link is created. Each link is associated with exactly
one link credential that will be used for authentication of connections to the
source cluster using that link. Different cluster links on the same cluster may
use different security credentials. The link credential must be granted
appropriate permissions on the source cluster.
The following example shows how to configure SASL_SSL with GSSAPI as the SASL
mechanism for the cluster link to talk to the source cluster. You can set
these configurations using a
config-file, as described in the section on
how to set properties on a cluster link.
sasl.kerberos.service.name=kafka sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
Cluster Linking configurations should include client-side SSL and SASL/GSSAPI configuration options for
connections to the source cluster in this scenario.
For details on creating SSL key and trust stores, see Encrypt and Authenticate with TLS. For details on
SASL/GSSAPI, see Configuring GSSAPI. Brokers must be configured with
password.encoder.secret for encrypting
sensitive link configurations when security is enabled. See also, Updating Password Configurations Dynamically.
To configure cluster links to use other SASL mechanisms, include client-side
security configurations for that mechanism. See Authentication with SASL using JAAS for other
supported mechanisms. To use two-way SSL authentication with SSL as the security
protocol, a key store should also be configured for the link. See
Encrypt and Authenticate with TLS for details.
The cluster links use source credentials configured on the link to communicate
with the source cluster. These credentials must be valid in order for the link to function.