Configure TLS for Control Center¶
You can configure TLS for Control Center so web access is secured through HTTPS. In addition, since the Control Center acts as a proxy server for other components, you can configure TLS for Control Center to secure its communication with other secured Confluent Platform components.
Configure TLS for Control Center as a server¶
HTTPS can be configured for web access to Confluent Control Center. To enable HTTPS, you must first add
an HTTPS listener in the Control Center properties file using
the confluent.controlcenter.rest.listeners
parameter. You must also set the
appropriate TLS configuration options. If you haven’t already,
you should create TLS keys and certificates.
An example of the necessary additions to the appropriate Customize Control Center With a Properties File is shown below:
confluent.controlcenter.rest.listeners=<listener-url>
confluent.controlcenter.rest.ssl.keystore.location=<keystore-location>
confluent.controlcenter.rest.ssl.keystore.password=<password>
confluent.controlcenter.rest.ssl.key.password=<key-password>
confluent.controlcenter.rest.ssl.truststore.location=<truststore-location>
confluent.controlcenter.rest.ssl.truststore.password=<password>
curl -vvv -X GET --tlsv1.2 https://localhost:9022
#for cases when using a self-signed certificate
curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022
See also
For an example that shows how to set Docker environment variables for Confluent Platform running in ZooKeeper mode, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml file for a configuration reference.
Tip
As a fallback mechanism, you can configure Control Center to check the JVM or operating system (OS) truststore.
To configure the default JVM truststore set the following property to true:
confluent.controlcenter.use.default.jvm.truststore=true
To configure the default OS truststore set the following property to true:
confluent.controlcenter.use.default.os.truststore=true
Configure TLS for Kafka Streams¶
Control Center needs to know when security is enabled for any other component. Internally, Control Center uses Kafka Streams as a state store, so with a secured broker, Kafka Streams also need to be secured.
The following changes need to be made to the control-center.properties
file as appropriate for the
environment:
confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=<keystore-location>
confluent.controlcenter.streams.ssl.keystore.password=<password>
confluent.controlcenter.streams.ssl.key.password=<password>
confluent.controlcenter.streams.ssl.truststore.location=<truststore-location>
confluent.controlcenter.streams.ssl.truststore.password=<password>
Note
For a detailed explanation of configuring Apache Kafka® client interceptors, see Enabling Interceptors.
Configure TLS for Control Center as a proxy server¶
Confluent Control Center normally communicates with Confluent Platform components using the HTTP protocol. You can enable HTTPS between the two components by securing them with TLS.
There are a number of ways to configure TLS for communication between Control Center and other Confluent Platform components.
- Stores for each secured component: Schema Registry, Connect, and ksqlDB.
- A single proxy server store
- Server store (not recommended)
Note
Regardless how you configure stores for Confluent Control Center, they will be checked in the following order:
- Schema Registry store
- Connect store
- ksqlDB store
- Proxy server store
- Server store
When you configure each component separately, each component requires a specific configuration
to be set by its prefix. For example, for Schema Registry use the prefix: confluent.controlcenter.schema.registry
.
The TLS truststore location is set as follows:
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=<value>
Each component should be configured in their respective configuration files to secure Control Center end-to-end.
Not all configuration settings may be required; consult the configuration reference for each component you are configuring.
Configure TLS proxy server access to Schema Registry¶
When Confluent Control Center connects to Schema Registry and Schema Registry has TLS enabled:
- Schema Registry communicates with Kafka over the Kafka protocol, which is secured with TLS.
- Control Center communicates with Kafka over the Kafka protocol, which is secured with TLS.
- Control Center communicates with Schema Registry with the HTTPS protocol, which is secured with TLS.
Essentially, Control Center functions as a proxy server to Schema Registry. To secure Control Center with HTTPS, configure Schema Registry to allow HTTPS as described in Configuring the REST API for HTTP or HTTPS.
In addition, Control Center should include a trusted certificate to its truststore to connect to Schema Registry over HTTPS as described in Additional configurations for HTTPS.
Be sure to prefix the Control Center configuration attributes in control-center.properties
with confluent.controlcenter.
For example:
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=<truststore-location>
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location=<keystore-location>
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.key.password=<password>
Configure TLS proxy server access to Connect¶
Confluent Control Center normally communicates with Connect using the HTTP protocol. You can enable HTTPS between the two components by securing them with SSL/TLS. Make sure that Control Center has a certificate in its truststore that is trusted by Connect to communicate over HTTPS. Set the following properties to enable Control Center for HTTPS communication with Connect:
confluent.controlcenter.connect.connect.ssl.truststore.location=<truststore-location>
confluent.controlcenter.connect.connect.ssl.truststore.password=<password>
confluent.controlcenter.connect.connect.ssl.keystore.location=<keystore-location>
confluent.controlcenter.connect.connect.ssl.keystore.password=<password>
confluent.controlcenter.connect.connect.ssl.key.password=<password>
For additional information about accessing Connect over HTTPS, refer to Configuring the Connect REST API for HTTP or HTTPS.
Configure TLS proxy server access to ksqlDB¶
Confluent Control Center normally communicates with ksqlDB using the HTTP protocol. You can enable HTTPS between the two components by securing them with TLS. To configure Control Center to connect to ksqlDB over HTTPS, refer to Configure ksqlDB for HTTPS.
Ensure that Control Center has a certificate in its truststore that is trusted by
ksqlDB to communicate over HTTPS. The following parameters should be included in the control-center.properties
file:
confluent.controlcenter.ksql.ksql.ssl.truststore.location=<truststore-location>
confluent.controlcenter.ksql.ksql.ssl.truststore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.keystore.location=<keystore-location>
confluent.controlcenter.ksql.ksql.ssl.keystore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.key.password=<password>
Configure a single proxy server store¶
As an alternative to configuring Control Center for each component, you can configure a single proxy server store.
To configure a proxy store, set the following properties:
confluent.controlcenter.rest.proxy.ssl.truststore.location=<truststore-location>
confluent.controlcenter.rest.proxy.ssl.truststore.password=<password>
confluent.controlcenter.rest.proxy.ssl.keystore.location=<keystore-location>
confluent.controlcenter.rest.proxy.ssl.keystore.password=<password>
confluent.controlcenter.rest.proxy.ssl.key.password=<password>
Use the server store¶
You can use the server store for proxy server TLS, although this is not recommended.
If using the server TLS, Control Center uses the locations/passwords specified by Configure TLS for Control Center as a server.