Configure TLS/SSL for Control Center
You can configure TLS/SSL for Control Center so web access is secured through HTTPS. In addition, since the Control Center acts as a proxy server for other components, you can configure TLS/SSL for Control Center to secure its communication with other secured Confluent Platform components.
Configure TLS/SSL for Control Center as a server
HTTPS can be configured for web access to Confluent Control Center. To enable HTTPS, you must first add an HTTPS listener in the Control Center properties file using the confluent.controlcenter.rest.listeners parameter. You must also set the appropriate TLS/SSL configuration options. If you haven’t already, create the TLS/SSL keys and certificates first.
An example of the necessary additions to the appropriate Control Center Properties File is shown below:
confluent.controlcenter.rest.listeners=<listener-url>
confluent.controlcenter.rest.ssl.keystore.location=<keystore-location>
confluent.controlcenter.rest.ssl.keystore.password=<password>
confluent.controlcenter.rest.ssl.key.password=<key-password>
confluent.controlcenter.rest.ssl.truststore.location=<truststore-location>
confluent.controlcenter.rest.ssl.truststore.password=<password>
You can verify that the HTTPS listener is up and negotiating TLS 1.2 with curl, for example:

curl -vvv -X GET --tlsv1.2 https://localhost:9022

# for cases when using a self-signed certificate
curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022
For an example that shows how to set Docker environment variables for Confluent Platform running in ZooKeeper mode, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml file for a configuration reference.
As a fallback mechanism, you can configure Control Center to check the JVM or operating system (OS) truststore.
To configure the default JVM truststore set the following property to true:
To configure the default OS truststore set the following property to true:
Configure TLS/SSL for Kafka Streams
Control Center needs to know when security is enabled for any other component. Internally, Control Center uses Kafka Streams as a state store, so when the broker is secured, Kafka Streams also needs to be secured.
The following changes need to be made to the
control-center.properties file as appropriate for the
confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=<keystore-location>
confluent.controlcenter.streams.ssl.keystore.password=<password>
confluent.controlcenter.streams.ssl.key.password=<password>
confluent.controlcenter.streams.ssl.truststore.location=<truststore-location>
confluent.controlcenter.streams.ssl.truststore.password=<password>
For a detailed explanation of configuring Apache Kafka® client interceptors, see Enabling Interceptors.
Configure TLS/SSL for Control Center as a proxy server
Confluent Control Center normally communicates with other Confluent Platform components using the HTTP protocol. You can enable HTTPS between Control Center and each component by securing them with TLS/SSL.
There are a number of ways to configure TLS/SSL for communication between Control Center and other Confluent Platform components.
- Stores for each secured component: Schema Registry, Connect, and ksqlDB.
- A single proxy server store
- Server store (not recommended)
Regardless of how you configure stores for Confluent Control Center, they are checked in the following order:
- Schema Registry store
- Connect store
- ksqlDB store
- Proxy server store
- Server store
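The store lookup order above, together with the per-component, proxy and server prefixes shown later on this page, can be checked before Control Center is started. The following script is an added example and is not Confluent code: it parses a control-center.properties file, reports which store Control Center will end up using for Schema Registry, Connect and ksqlDB, and flags the cases a reviewer cares about (a component with no truststore at all, a silent fallback to the server store, a keystore without its key password, an HTTPS listener without a server keystore). The rule that a store "exists" when its truststore.location is set is an assumption of this script, as is the sample properties text, which is constructed for illustration.

```python
"""Resolve and audit Control Center TLS/SSL stores.

Lookup order per proxied component, as documented on this page:
component-specific store -> proxy server store -> server store.
Added example, not Confluent code. ASSUMPTION: a store counts as
configured when its truststore.location property is present.
"""
from typing import Dict, List, Optional, Tuple

SSL_KEYS = ("truststore.location", "truststore.password",
            "keystore.location", "keystore.password", "key.password")

# Prefixes exactly as shown in the per-component sections of this page.
COMPONENT_PREFIX = {
    "schema.registry": "confluent.controlcenter.schema.registry.schema.registry.ssl.",
    "connect": "confluent.controlcenter.connect.connect.ssl.",
    "ksql": "confluent.controlcenter.ksql.ksql.ssl.",
}
PROXY_PREFIX = "confluent.controlcenter.rest.proxy.ssl."
SERVER_PREFIX = "confluent.controlcenter.rest.ssl."
LISTENERS_KEY = "confluent.controlcenter.rest.listeners"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_store(props: Dict[str, str], component: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (store name, its ssl settings) for the first configured store in documented order."""
    candidates = [(component, COMPONENT_PREFIX[component]),
                  ("proxy", PROXY_PREFIX),
                  ("server", SERVER_PREFIX)]
    for name, prefix in candidates:
        if prefix + "truststore.location" in props:
            settings = {k: props[prefix + k] for k in SSL_KEYS if prefix + k in props}
            return name, settings
    return None, {}


def audit(props: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise against the file; empty list means nothing to report."""
    findings: List[str] = []
    listeners = props.get(LISTENERS_KEY, "")
    if "https://" in listeners and SERVER_PREFIX + "keystore.location" not in props:
        findings.append("server: HTTPS listener configured but no rest.ssl.keystore.location")
    for component in COMPONENT_PREFIX:
        store, settings = resolve_store(props, component)
        if store is None:
            findings.append(f"{component}: no truststore in any store; HTTPS to this component will fail")
            continue
        if store == "server":
            findings.append(f"{component}: falls back to the server store (not recommended)")
        if "keystore.location" in settings and "key.password" not in settings:
            findings.append(f"{component}: keystore configured without key.password ({store} store)")
    return findings


# Constructed sample: Schema Registry has its own (incomplete) store, Connect and
# ksqlDB have none, and there is no proxy store, so both fall back to the server store.
SAMPLE_PROPERTIES = """
confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
confluent.controlcenter.rest.ssl.keystore.location=/var/ssl/private/c3.keystore.jks
confluent.controlcenter.rest.ssl.keystore.password=changeit
confluent.controlcenter.rest.ssl.key.password=changeit
confluent.controlcenter.rest.ssl.truststore.location=/var/ssl/private/c3.truststore.jks
confluent.controlcenter.rest.ssl.truststore.password=changeit
# Schema Registry store; key.password deliberately left out
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=/var/ssl/private/sr.truststore.jks
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=changeit
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location=/var/ssl/private/sr.keystore.jks
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password=changeit
"""

if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    for name in COMPONENT_PREFIX:
        print(f"{name:16s} -> {resolve_store(parsed, name)[0]}")
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Run it against a real control-center.properties by replacing SAMPLE_PROPERTIES with the file contents; a clean file produces no findings, and any "falls back to the server store" line is the signal that a per-component or proxy store was intended but not picked up.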
When you configure each component separately, each component requires a specific configuration to be set by its prefix. For example, for Schema Registry use the prefix:
The TLS/SSL truststore location is set as follows:
Each component should be configured in its own configuration file to secure Control Center end-to-end.
Not all configuration settings may be required; consult the configuration reference for each component you are configuring.
Configure TLS/SSL proxy server access to Schema Registry
When Confluent Control Center connects to Schema Registry and Schema Registry has TLS/SSL enabled:
- Schema Registry communicates with Kafka over the Kafka protocol, which is secured with TLS/SSL.
- Control Center communicates with Kafka over the Kafka protocol, which is secured with TLS/SSL.
- Control Center communicates with Schema Registry with the HTTPS protocol, which is secured with TLS/SSL.
Essentially, Control Center functions as a proxy server to Schema Registry. To secure Control Center with HTTPS, configure Schema Registry to allow HTTPS as described in Configuring the REST API for HTTP or HTTPS.
In addition, Control Center must have a trusted certificate in its truststore to connect to Schema Registry over HTTPS, as described in Additional configurations for HTTPS.
Be sure to prefix the Control Center configuration attributes with confluent.controlcenter. For example:
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=<truststore-location>
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location=<keystore-location>
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.key.password=<password>
Configure TLS/SSL proxy server access to Connect
Confluent Control Center normally communicates with Connect using the HTTP protocol. You can enable HTTPS between the two components by securing them with TLS/SSL. Make sure that Control Center has a certificate in its truststore that is trusted by Connect so the two can communicate over HTTPS. Set the following properties to enable Control Center for HTTPS communication with Connect:
confluent.controlcenter.connect.connect.ssl.truststore.location=<truststore-location>
confluent.controlcenter.connect.connect.ssl.truststore.password=<password>
confluent.controlcenter.connect.connect.ssl.keystore.location=<keystore-location>
confluent.controlcenter.connect.connect.ssl.keystore.password=<password>
confluent.controlcenter.connect.connect.ssl.key.password=<password>
For additional information about accessing Connect over HTTPS, refer to Configuring the Connect REST API for HTTP or HTTPS.
Configure TLS/SSL proxy server access to ksqlDB
Confluent Control Center normally communicates with ksqlDB using the HTTP protocol. You can enable HTTPS between the two components by securing them with TLS/SSL. To configure Control Center to connect to ksqlDB over HTTPS, refer to Configure ksqlDB for HTTPS.
Ensure that Control Center has a certificate in its truststore that is trusted by
ksqlDB to communicate over HTTPS. The following parameters should be included in the
confluent.controlcenter.ksql.ksql.ssl.truststore.location=<truststore-location>
confluent.controlcenter.ksql.ksql.ssl.truststore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.keystore.location=<keystore-location>
confluent.controlcenter.ksql.ksql.ssl.keystore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.key.password=<password>
Configure a single proxy server store
As an alternative to configuring Control Center for each component, you can configure a single proxy server store.
To configure a proxy store, set the following properties:
confluent.controlcenter.rest.proxy.ssl.truststore.location=<truststore-location>
confluent.controlcenter.rest.proxy.ssl.truststore.password=<password>
confluent.controlcenter.rest.proxy.ssl.keystore.location=<keystore-location>
confluent.controlcenter.rest.proxy.ssl.keystore.password=<password>
confluent.controlcenter.rest.proxy.ssl.key.password=<password>
Use the server store
You can use the server store for proxy server TLS/SSL, although this is not recommended.
If the server store is used, Control Center uses the locations and passwords specified in Configure TLS/SSL for Control Center as a server.