Secure Communication for MQTT Proxy on Confluent Platform

The following sections provide information about configuring communication settings.

Between MQTT Proxy and MQTT clients

The following are available communication settings between MQTT Proxy and MQTT clients.

Security settings

The following modes are supported:

  • PLAINTEXT
  • SSL
  • TLS
  • SASL_PLAINTEXT
  • SASL_SSL
  • SASL_TLS

These can be configured by setting the listeners.security.protocol property. By default, a non-authenticated and non-encrypted channel is used.

listeners.security.protocol Authenticated Encrypted
PLAINTEXT No No
SSL No Yes
TLS No Yes
SASL_PLAINTEXT Yes No
SASL_SSL Yes Yes
SASL_TLS Yes Yes

Authentication settings

To configure and use authentication, you have to set listeners.security.protocol=SASL_PLAINTEXT, listeners.security.protocol=SASL_SSL, or listeners.security.protocol=SASL_TLS. You can then pass a regular JAAS configuration file as a JVM option. For example:

export KAFKA_MQTT_OPTS:" -Djava.security.auth.login.config=<path/to/JAAS-config-file>"

MQTT Proxy ships with the default login module: io.confluent.mqtt.protocol.security.PropertyFileLoginModule. This module authenticates users against a local properties file. It can be used for development testing, but should not be used in production environments.

# Sample JAAS file

ConfluentKafkaMqtt {
  io.confluent.mqtt.protocol.security.PropertyFileLoginModule required
  file="/tmp/credentials.txt";
};

The format of the properties file, credentials.txt in the above example, is:

username=password

Encryption settings

By default, encryption is disabled. To enable it, you have to set listeners.security.protocol=SSL, listeners.security.protocol=SASL_SSL, listeners.security.protocol=TLS, or listeners.security.protocol=SASL_TLS. You can then pass desired org.apache.kafka.common.config.SslConfigs. For more details about setting up security, see the Enable Security for a ZooKeeper-Based Cluster in Confluent Platform. In order to debug encryption issues, add this VM option: -Djavax.net.debug=all.

Between MQTT Proxy and Kafka

The following are available communication settings between MQTT Proxy and Kafka.

Security settings

The following modes are supported:

  • PLAINTEXT
  • SSL
  • SASL_PLAINTEXT
  • SASL_SSL

You can configure these by setting producer.security.protocol parameter. By default, a non-authenticated and non-encrypted channel is used.

producer.security.protocol Authenticated Encrypted
PLAINTEXT No No
SSL No Yes
SASL_PLAINTEXT Yes No
SASL_SSL Yes Yes

In addition to producer.security.protocol, several other security properties need to be configured. Note that all properties prefixed with producer.* are propagated to the underlying producer created by the proxy (for writing to Kafka). The following shows an example of the SASL_SSL configuration properties:

producer.security.protocol=SASL_SSL
producer.ssl.truststore.location=/var/ssl/private/kafka.client.truststore.jks
producer.ssl.truststore.password=<password>
producer.sasl.mechanism=PLAIN
producer.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="<username>" \
  password="<password>";