Configuring SSL

Important

An understanding of the following topics will help in successfully securing Control Center:

Simply having a secured Kafka broker does not guarantee that Control Center is secured and working properly. Each component that communicates with a secured Control Center instance requires a specific configuration to be set by its prefix. Prefixes such as confluent.controlcenter.streams., confluent.metrics.reporter., producer., consumer., and confluent.monitoring.interceptor. could conceivably be configured in different files of the Confluent Platform stack to secure Control Center end-to-end. Not all configuration settings may be required; consult the configuration references for each component you are configuring.

Control Center supports SSL one- and two-way authentication and can be enabled for different communications. Some possible configurations are:

  • secured Client interceptors (Connect/Confluent/regular client) -> secured Control Center Broker
  • secured Kafka Broker -> secured Control Center Broker
  • secured Metrics Reporter + secured Kafka Broker -> secured Control Center Broker

Kafka Brokers

If an Apache Kafka® broker has been set up to use TLS, the same configurations need to be set for the metrics reporter. In the linked example, a broker was set up with the following configuration:

...
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
...

To secure the metrics reporter on the broker, use the same values with the prefix confluent.metrics.reporter.. To secure the stream monitoring interceptor on the broker, use the same values with the prefix confluent.monitoring.interceptor..

confluent.metrics.reporter.security.protocol=SSL
confluent.metrics.reporter.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.metrics.reporter.ssl.keystore.password=test1234
confluent.metrics.reporter.ssl.key.password=test1234
confluent.metrics.reporter.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.metrics.reporter.ssl.truststore.password=test1234

There are other configuration options in the settings for Authorization. To learn more about overriding/setting configuration options for interceptors, see Enabling Interceptors.

Any configuration for the interceptor is prefixed by confluent.metrics.reporter..

Note

With any of the configuration changes, a restart of the service is required. When restarting brokers, make sure each broker is available before restarting another.

Control Center Kafka Streams

Control Center needs to know when security is enabled for any other component. Internally, Control Center uses Kafka Streams as a state store, so with a secured broker, Kafka Streams also needs to be secured.

The following changes need to be made to the control-center.properties file as appropriate for the environment:

confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
confluent.controlcenter.streams.ssl.keystore.password=test1234
confluent.controlcenter.streams.ssl.key.password=test1234
confluent.controlcenter.streams.ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
confluent.controlcenter.streams.ssl.truststore.password=test1234

Note

For a detailed explanation of configuring Apache Kafka® client interceptors, see Enabling Interceptors.

Connect

This section describes how to configure Connect worker interceptors with SSL and how to configure Control Center to communicate with Connect over HTTPS.

Configuring Connect Worker Interceptors with SSL

The modifications for distributed Connect work very similarly to those for confluent.metrics.reporter. The Connect documentation covers this thoroughly.

Configuring Control Center to communicate with Connect over HTTPS

Confluent Control Center communicates with Connect using the HTTP protocol, which can be secured with SSL (also known as HTTPS). Make sure that Control Center has a certificate in its truststore that is trusted by Connect to communicate over HTTPS. The following variables are required in Control Center for HTTPS communication with Connect:

# HTTP and HTTPS to Control Center UI
CONTROL_CENTER_REST_LISTENERS: "http://0.0.0.0:9021,https://0.0.0.0:9022"
CONTROL_CENTER_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.control-center.truststore.jks
CONTROL_CENTER_REST_SSL_TRUSTSTORE_PASSWORD: confluent
CONTROL_CENTER_REST_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.control-center.keystore.jks
CONTROL_CENTER_REST_SSL_KEYSTORE_PASSWORD: confluent
CONTROL_CENTER_REST_SSL_KEY_PASSWORD: confluent

For additional information about accessing Connect over HTTPS, refer to Configuring the Connect REST API for HTTP or HTTPS.

ksqlDB

Confluent Control Center communicates with ksqlDB using the HTTP protocol, which can be secured with SSL (also known as HTTPS). To configure Control Center to connect to ksqlDB over HTTPS, refer to Configure ksqlDB for https.

Ensure that Control Center has a certificate in its truststore that is trusted by ksqlDB to communicate over HTTPS. The following parameters should be included in the control-center.properties file:

confluent.controlcenter.ksql.ksql.ssl.truststore.location=<truststore-location>
confluent.controlcenter.ksql.ksql.ssl.truststore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.keystore.location=<keystore-location>
confluent.controlcenter.ksql.ksql.ssl.keystore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.key.password=<password>

Schema Registry

When Confluent Control Center connects to Schema Registry and Schema Registry has SSL enabled:

  • Schema Registry communicates with Kafka over the Kafka protocol, which is secured with SSL.
  • Control Center communicates with Kafka over the Kafka protocol, which is secured with SSL.
  • Control Center communicates with Schema Registry over the HTTP protocol secured with SSL (also known as HTTPS).

Essentially, Control Center functions as an HTTPS client to Schema Registry. To secure Control Center with HTTPS, configure Schema Registry to allow HTTPS as described in Configuring the REST API for HTTP or HTTPS.

In addition, Control Center should include a trusted certificate in its truststore to connect to Schema Registry over HTTPS, as described in Additional configurations for HTTPS.

Be sure to prefix the Control Center configuration attributes in control-center.properties with confluent.controlcenter. For example:

confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=/etc/kafka/secrets/kafka.client.truststore.jks
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location=/etc/kafka/secrets/kafka.client.keystore.jks
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.key.password=<password>

Note

Since Control Center is a client for many different components, its client prefix includes the component, in this case Schema Registry: confluent.controlcenter.schema.registry. With the exception of confluent.controlcenter.schema.registry.url, additional Schema Registry configurations are formatted with the confluent.controlcenter.schema.registry prefix plus the Schema Registry configuration suffix. For example, the SSL truststore location is set as follows:

confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=<value>

The repetition of schema.registry in these configurations is intentional.

See also, How to configure clients to Schema Registry in the Schema Registry Security Overview.
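As an added example (not Confluent's code) that serves both the per-prefix rule stated in the Important note at the top of this page and the repeated-component prefixes for ksqlDB and Schema Registry described just above: a small Python lint that reads a properties file and reports, for each prefix on this page, which ssl.* keys are missing, Kafka-protocol prefixes whose ssl.* keys are set without security.protocol=SSL, and keys written with the un-repeated confluent.controlcenter.ksql. or confluent.controlcenter.schema.registry. prefix. The assumption that a Kafka client whose security.protocol is not SSL ignores its ssl.* keys is standard Kafka client behaviour, not something the page states; the sample properties in the main guard are constructed.

```python
import os

# Added example, not Confluent's code. Kafka-protocol clients need security.protocol=SSL plus ssl.* keys.
KAFKA_PREFIXES = ("confluent.metrics.reporter.", "confluent.monitoring.interceptor.",
                  "confluent.controlcenter.streams.")
# HTTPS clients: the component name is repeated in the prefix (intentional, per the page).
HTTPS_PREFIXES = ("confluent.controlcenter.ksql.ksql.",
                  "confluent.controlcenter.schema.registry.schema.registry.")
SHORT_TO_FULL = {"confluent.controlcenter.ksql.": HTTPS_PREFIXES[0],
                 "confluent.controlcenter.schema.registry.": HTTPS_PREFIXES[1]}
SSL_KEYS = ("ssl.truststore.location", "ssl.truststore.password",
            "ssl.keystore.location", "ssl.keystore.password", "ssl.key.password")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comment lines."""
    lines = (ln.strip() for ln in text.splitlines())
    pairs = (ln.partition("=") for ln in lines if ln and ln[0] not in "#!")
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit_ssl(props, check_files=False):
    """Return {prefix: [problems]} for each prefix that carries SSL settings."""
    findings = {}
    for prefix in KAFKA_PREFIXES + HTTPS_PREFIXES:
        proto = props.get(prefix + "security.protocol", "PLAINTEXT").upper()
        present = {k[len(prefix):] for k in props if k.startswith(prefix)}
        if not (proto.endswith("SSL") or any(k.startswith("ssl.") for k in present)):
            continue  # this client is not SSL-configured at all; nothing to check
        problems = [f"missing {prefix}{k}" for k in SSL_KEYS if k not in present]
        if prefix in KAFKA_PREFIXES and not proto.endswith("SSL"):
            problems.append(f"{prefix}ssl.* set but {prefix}security.protocol is "
                            f"{proto}: the client would still talk plaintext")
        for k in ("ssl.truststore.location", "ssl.keystore.location"):
            path = props.get(prefix + k)
            if check_files and path and not os.path.isfile(path):
                problems.append(f"{prefix}{k} not found: {path}")
        findings[prefix] = problems
    # A key written with the short prefix does not match the documented (repeated) one.
    for short, full in SHORT_TO_FULL.items():
        for k in props:
            if k.startswith(short + "ssl."):
                findings.setdefault(full, []).append(
                    f"{k}: Control Center expects the repeated prefix {full}")
    return findings

if __name__ == "__main__":  # constructed sample: reporter lacks the protocol switch
    sample = ("confluent.metrics.reporter.ssl.truststore.location=/var/private/ssl/ts.jks\n"
              "confluent.metrics.reporter.ssl.truststore.password=test1234\n"
              "confluent.controlcenter.schema.registry.ssl.truststore.location=/x.jks\n")
    for prefix, problems in audit_ssl(parse_properties(sample)).items():
        print(prefix, *problems, sep="\n  ")
```

Pass check_files=True when running on the host that owns the keystores so that a mistyped path is reported before the service is restarted.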