Configure TLS for Control Center on Confluent Platform

You can configure TLS for Control Center so web access is secured through HTTPS. In addition, since the Control Center acts as a proxy server for other components, you can configure TLS for Control Center to secure its communication with other secured Confluent Platform components.

Configure TLS for Control Center as a server

HTTPS can be configured for web access to Confluent Control Center. To enable HTTPS, you must first add an HTTPS listener in the Control Center properties file using the confluent.controlcenter.rest.listeners parameter. You must also set the appropriate TLS configuration options. If you haven’t already, you should create TLS keys and certificates.

An example of the necessary additions to the appropriate Control Center Configuration Examples for Confluent Platform is shown below:

confluent.controlcenter.rest.listeners=<listener-url>
confluent.controlcenter.rest.ssl.keystore.location=<keystore-location>
confluent.controlcenter.rest.ssl.keystore.password=<password>
confluent.controlcenter.rest.ssl.key.password=<key-password>
confluent.controlcenter.rest.ssl.truststore.location=<truststore-location>
confluent.controlcenter.rest.ssl.truststore.password=<password>
curl -vvv -X GET --tlsv1.2 https://localhost:9022
#for cases when using a self-signed certificate
curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022

See also

For an example that shows how to set Docker environment variables for Confluent Platform running in ZooKeeper mode, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml file for a configuration reference.

Tip

As a fallback mechanism, you can configure Control Center to check the JVM or operating system (OS) truststore.

  • To configure the default JVM truststore set the following property to true:

    confluent.controlcenter.use.default.jvm.truststore=true

  • To configure the default OS truststore set the following property to true:

    confluent.controlcenter.use.default.os.truststore=true

Configure TLS for Kafka Streams

Control Center needs to know when security is enabled for any other component. Internally, Control Center uses Kafka Streams as a state store, so with a secured broker, Kafka Streams also need to be secured.

The following changes need to be made to the control-center.properties file as appropriate for the environment:

confluent.controlcenter.streams.security.protocol=SSL
confluent.controlcenter.streams.ssl.keystore.location=<keystore-location>
confluent.controlcenter.streams.ssl.keystore.password=<password>
confluent.controlcenter.streams.ssl.key.password=<password>
confluent.controlcenter.streams.ssl.truststore.location=<truststore-location>
confluent.controlcenter.streams.ssl.truststore.password=<password>

Note

For a detailed explanation of configuring Apache Kafka® client interceptors, see Enabling Interceptors.

Configure TLS for Control Center as a proxy server

Confluent Control Center normally communicates with Confluent Platform components using the HTTP protocol. You can enable HTTPS between the two components by securing them with TLS.

There are a number of ways to configure TLS for communication between Control Center and other Confluent Platform components.

Note

Regardless how you configure stores for Confluent Control Center, they will be checked in the following order:

  • Schema Registry store
  • Connect store
  • ksqlDB store
  • Proxy server store
  • Server store

When you configure each component separately, each component requires a specific configuration to be set by its prefix. For example, for Schema Registry use the prefix: confluent.controlcenter.schema.registry.

The TLS truststore location is set as follows:

confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=<value>

Each component should be configured in their respective configuration files to secure Control Center end-to-end.

Not all configuration settings may be required; consult the configuration reference for each component you are configuring.

Configure TLS proxy server access to Schema Registry

When Confluent Control Center connects to Schema Registry and Schema Registry has TLS enabled:

  • Schema Registry communicates with Kafka over the Kafka protocol, which is secured with TLS.
  • Control Center communicates with Kafka over the Kafka protocol, which is secured with TLS.
  • Control Center communicates with Schema Registry with the HTTPS protocol, which is secured with TLS.

Essentially, Control Center functions as a proxy server to Schema Registry. To secure Control Center with HTTPS, configure Schema Registry to allow HTTPS as described in Configuring the REST API for HTTP or HTTPS.

In addition, Control Center should include a trusted certificate to its truststore to connect to Schema Registry over HTTPS as described in Additional configurations for HTTPS.

Be sure to prefix the Control Center configuration attributes in control-center.properties with confluent.controlcenter. For example:

confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location=<truststore-location>
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location=<keystore-location>
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password=<password>
confluent.controlcenter.schema.registry.schema.registry.ssl.key.password=<password>

Configure TLS proxy server access to Connect

Confluent Control Center normally communicates with Connect using the HTTP protocol. You can enable HTTPS between the two components by securing them with SSL/TLS. Make sure that Control Center has a certificate in its truststore that is trusted by Connect to communicate over HTTPS. Set the following properties to enable Control Center for HTTPS communication with Connect:

confluent.controlcenter.connect.connect.ssl.truststore.location=<truststore-location>
confluent.controlcenter.connect.connect.ssl.truststore.password=<password>
confluent.controlcenter.connect.connect.ssl.keystore.location=<keystore-location>
confluent.controlcenter.connect.connect.ssl.keystore.password=<password>
confluent.controlcenter.connect.connect.ssl.key.password=<password>

For additional information about accessing Connect over HTTPS, refer to Configuring the Connect REST API for HTTP or HTTPS.

Configure TLS proxy server access to ksqlDB

Confluent Control Center normally communicates with ksqlDB using the HTTP protocol. You can enable HTTPS between the two components by securing them with TLS. To configure Control Center to connect to ksqlDB over HTTPS, refer to Configure ksqlDB for HTTPS.

Ensure that Control Center has a certificate in its truststore that is trusted by ksqlDB to communicate over HTTPS. The following parameters should be included in the control-center.properties file:

confluent.controlcenter.ksql.ksql.ssl.truststore.location=<truststore-location>
confluent.controlcenter.ksql.ksql.ssl.truststore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.keystore.location=<keystore-location>
confluent.controlcenter.ksql.ksql.ssl.keystore.password=<password>
confluent.controlcenter.ksql.ksql.ssl.key.password=<password>

Configure a single proxy server store

As an alternative to configuring Control Center for each component, you can configure a single proxy server store.

To configure a proxy store, set the following properties:

confluent.controlcenter.rest.proxy.ssl.truststore.location=<truststore-location>
confluent.controlcenter.rest.proxy.ssl.truststore.password=<password>
confluent.controlcenter.rest.proxy.ssl.keystore.location=<keystore-location>
confluent.controlcenter.rest.proxy.ssl.keystore.password=<password>
confluent.controlcenter.rest.proxy.ssl.key.password=<password>

Use the server store

You can use the server store for proxy server TLS, although this is not recommended.

If using the server TLS, Control Center uses the locations/passwords specified by Configure TLS for Control Center as a server.