Configure Truststores for TLS Handshake with Identity Providers

When OAuth is enabled for your Confluent Platform service, the TLS handshake with your identity provider is required to verify the identity of the identity provider. This is achieved using a truststore for each of your Confluent Platform services, which includes the TLS certificate of your identity provider and is configured with the location and password properties.

Whether your identity provider uses self-signed TLS certificates or certificates signed by a public Certificate Authority, you need to download the certificate and import it to the truststore for your Confluent Platform service. Follow the steps below to configure the truststore for your Confluent Platform service.

Step 1 - Download the identity provider TLS certificate

Use the following openssl command to download the certificate of your identity provider, replacing <idp-url> with your actual identity provider URL.

openssl s_client -showcerts \
  -connect <idp-url> </dev/null 2>/dev/null|openssl x509 \
  -outform PEM >oktacertfile.pem
Copy

Step 2 - Import the identity provider TLS certificate to the truststore

You can use the following keytool command to import the certificate to the truststore for your Confluent Platform service. Replace the placeholder values with your actual configuration values.

keytool -import -alias <idp-alias> -file <idp-certfile>.pem \
  -storetype JKS \
  -keystore <idp-keystore-path> \
  -storepass <idp-keystore-password> \
  -noprompt
Copy

You must restart the corresponding Confluent Platform service for it to reload the truststore.

Step 3 - Configure the truststore in your Confluent Platform service

For each of your Confluent Platform services, configure the truststore with the ssl.truststore.location and ssl.truststore.password properties. Replace the placeholder values with your actual configuration values.

Kafka broker

listener.name.external.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  ssl.truststore.location="<path_to_kafka_broker.jks>" \
  ssl.truststore.password="<kafka_broker_truststore_password>";
Copy

Metadata Service (MDS)

confluent.metadata.ssl.truststore.location=<path_to_kafka_broker.jks>
confluent.metadata.ssl.truststore.password=<kafka_broker_truststore_password>
Copy

Confluent Schema Registry

ssl.truststore.location=<path_to_schema_registry.jks>
ssl.truststore.password=<schema_registry_truststore_password>
Copy

Confluent REST Proxy

Embedded

confluent.http.server.ssl.truststore.location=<path_to_kafka_broker.jks>
confluent.http.server.ssl.truststore.password=<kafka_broker_truststore_password>
Copy

Standalone

client.ssl.truststore.location=<path_to_kafka_rest_truststore.jks>
client.ssl.truststore.password=<kafka_rest_truststore_password>
Copy

Kafka Connect

ssl.truststore.location=<path_to_kafka_connect.truststore>.jks
ssl.truststore.password=<kafka_connect_truststore_password>
Copy

Confluent Control Center

As a Kafka client

confluent.controlcenter.kafka.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  clientId="<client-id>" \
  ssl.truststore.location="<path_to_control_center_truststore.jks>" \
  ssl.truststore.password="<control_center_truststore_password>" \
  clientSecret="<client-secret>" \
  scope="<scope>";
Copy

As a REST client

confluent.controlcenter.rest.ssl.truststore.location=<path_to_control_center_truststore.jks>
confluent.controlcenter.rest.ssl.truststore.password=<control_center_truststore_password>
Copy

As a Connect client

confluent.controlcenter.connect.<connect-cluster>.ssl.truststore.location=<path_to_control_center_truststore.jks>
confluent.controlcenter.connect.<ccnnect-cluster>.ssl.truststore.password=<control_center_truststore_password>
Copy

Configure Confluent Platform services for hostname verification

When using a custom TLS context (truststore), hostname verification in TLS certificates is disabled by default. The behavior is inherited from rest-utils. For uniformity with Confluent Platform, the prefixed configuration property must be set, replacing <service> with the actual Confluent Platform service that you are configuring:

confluent.<service>.ssl.endpoint.identification.algorithm=https
Copy

For example, for Metadata Service (MDS), you need to set the following property:

confluent.metadata.server.ssl.endpoint.identification.algorithm=https
Copy

If you need to disable the property (for example, when using AWS DNS), delete the configuration property or explicitly set it to blank or empty.