Secure Communication for MQTT Proxy on Confluent Platform¶
The following sections provide information about configuring communication settings.
Between MQTT Proxy and MQTT clients¶
The following are available communication settings between MQTT Proxy and MQTT clients.
Security settings
The following modes are supported:
- PLAINTEXT
- SSL
- TLS
- SASL_PLAINTEXT
- SASL_SSL
- SASL_TLS
These can be configured by setting the listeners.security.protocol
property. By default, a non-authenticated and non-encrypted channel is used.
listeners.security.protocol |
Authenticated | Encrypted |
---|---|---|
PLAINTEXT | No | No |
SSL | No | Yes |
TLS | No | Yes |
SASL_PLAINTEXT | Yes | No |
SASL_SSL | Yes | Yes |
SASL_TLS | Yes | Yes |
Authentication settings
To configure and use authentication, you have to set listeners.security.protocol=SASL_PLAINTEXT
, listeners.security.protocol=SASL_SSL
, or listeners.security.protocol=SASL_TLS
. You can then pass a regular JAAS configuration file as a JVM option. For example:
export KAFKA_MQTT_OPTS:" -Djava.security.auth.login.config=<path/to/JAAS-config-file>"
MQTT Proxy ships with the default login module: io.confluent.mqtt.protocol.security.PropertyFileLoginModule
. This module
authenticates users against a local properties file. It can be used for
development testing, but should not be used in production environments.
# Sample JAAS file
ConfluentKafkaMqtt {
io.confluent.mqtt.protocol.security.PropertyFileLoginModule required
file="/tmp/credentials.txt";
};
The format of the properties file, credentials.txt
in the above example, is:
username=password
Encryption settings
By default, encryption is disabled. To enable it, you have to set
listeners.security.protocol=SSL
, listeners.security.protocol=SASL_SSL
,
listeners.security.protocol=TLS
, or
listeners.security.protocol=SASL_TLS
. You can then pass desired org.apache.kafka.common.config.SslConfigs. For more details about setting up
security, see the Enable Security for a ZooKeeper-Based Cluster in Confluent Platform. In order to debug encryption issues,
add this VM option: -Djavax.net.debug=all
.
Between MQTT Proxy and Kafka¶
The following are available communication settings between MQTT Proxy and Kafka.
Security settings
The following modes are supported:
- PLAINTEXT
- SSL
- SASL_PLAINTEXT
- SASL_SSL
You can configure these by setting producer.security.protocol
parameter. By default, a non-authenticated and non-encrypted channel is used.
producer.security.protocol |
Authenticated | Encrypted |
---|---|---|
PLAINTEXT | No | No |
SSL | No | Yes |
SASL_PLAINTEXT | Yes | No |
SASL_SSL | Yes | Yes |
In addition to producer.security.protocol
, several other security properties need to be configured. Note that all properties prefixed with producer.*
are propagated to the underlying producer created by the proxy (for writing to Kafka). The following shows an example of the SASL_SSL
configuration properties:
producer.security.protocol=SASL_SSL
producer.ssl.truststore.location=/var/ssl/private/kafka.client.truststore.jks
producer.ssl.truststore.password=<password>
producer.sasl.mechanism=PLAIN
producer.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
username="<username>" \
password="<password>";
- For more about producers and configuring producers, see Kafka Producer.
- For all producer configuration properties, see Kafka Producer Configuration Reference for Confluent Platform.
- For additional information about setting up security, see Secure Confluent Platform.