Configure Truststores for TLS Handshake with Identity Providers

When OAuth is enabled for a Confluent Platform service, the service connects to your identity provider over TLS, and the TLS handshake must verify the identity provider's certificate. Each Confluent Platform service does this with a truststore that contains the identity provider's TLS certificate (or the CA certificate that issued it) and that you point the service at with its truststore location and password properties.

Whether your identity provider uses a self-signed TLS certificate or one issued by a public Certificate Authority, download the certificate and import it into the truststore of each Confluent Platform service: once a service is given its own truststore, it trusts only what that truststore contains. Importing the issuing CA certificate rather than the leaf certificate avoids repeating the procedure each time the identity provider rotates its certificate. Follow the steps below to configure the truststore for your Confluent Platform service.

Step 1 - Download the identity provider TLS certificate

Use the following openssl command to download the certificate of your identity provider, replacing <idp-host> and <idp-port> with the host name and port of your identity provider (a host:port pair such as login.example.com:443, not a full URL). The -servername option sends the host name as SNI, which identity providers behind shared front ends need in order to return the right certificate. Piping into openssl x509 keeps only the first certificate the server presents, which is the leaf; if you want the issuing CA certificate instead, omit the pipe and take the last certificate in the -showcerts output.

openssl s_client -showcerts -servername <idp-host> \
  -connect <idp-host>:<idp-port> </dev/null 2>/dev/null | openssl x509 \
  -outform PEM > <idp-certfile>.pem

Step 2 - Import the identity provider TLS certificate to the truststore

Use the following keytool command to import the certificate into the truststore of your Confluent Platform service; the truststore file is created if it does not exist yet. Replace the placeholder values with your actual configuration values. Because -noprompt suppresses the fingerprint confirmation, compare the certificate's fingerprint with the value your identity provider publishes before importing it (keytool -printcert -file <idp-certfile>.pem prints the fingerprints).

keytool -import -alias <idp-alias> -file <idp-certfile>.pem \
  -storetype JKS \
  -keystore <idp-truststore-path> \
  -storepass <idp-truststore-password> \
  -noprompt

You must restart the corresponding Confluent Platform service for it to pick up the new truststore contents; do this after completing Step 3 so that the restart also applies the truststore properties.

Step 3 - Configure the truststore in your Confluent Platform service

For each of your Confluent Platform services, configure the truststore with the ssl.truststore.location and ssl.truststore.password properties. Replace the placeholder values with your actual configuration values.

Kafka broker

listener.name.external.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  ssl.truststore.location="<path_to_kafka_broker.jks>" \
  ssl.truststore.password="<kafka_broker_truststore_password>";

Metadata Service (MDS)

confluent.metadata.ssl.truststore.location=<path_to_kafka_broker.jks>
confluent.metadata.ssl.truststore.password=<kafka_broker_truststore_password>

Confluent Schema Registry

ssl.truststore.location=<path_to_schema_registry.jks>
ssl.truststore.password=<schema_registry_truststore_password>

Confluent REST Proxy

Embedded

confluent.http.server.ssl.truststore.location=<path_to_kafka_broker.jks>
confluent.http.server.ssl.truststore.password=<kafka_broker_truststore_password>

Standalone

client.ssl.truststore.location=<path_to_kafka_rest_truststore.jks>
client.ssl.truststore.password=<kafka_rest_truststore_password>

Kafka Connect

ssl.truststore.location=<path_to_kafka_connect.jks>
ssl.truststore.password=<kafka_connect_truststore_password>

Confluent Control Center

As a Kafka client

confluent.controlcenter.kafka.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  clientId="<client-id>" \
  ssl.truststore.location="<path_to_control_center_truststore.jks>" \
  ssl.truststore.password="<control_center_truststore_password>" \
  clientSecret="<client-secret>" \
  scope="<scope>";

As a REST client

confluent.controlcenter.rest.ssl.truststore.location=<path_to_control_center_truststore.jks>
confluent.controlcenter.rest.ssl.truststore.password=<control_center_truststore_password>

As a Connect client

confluent.controlcenter.connect.<connect-cluster>.ssl.truststore.location=<path_to_control_center_truststore.jks>
confluent.controlcenter.connect.<connect-cluster>.ssl.truststore.password=<control_center_truststore_password>

Configure Confluent Platform services for hostname verification

When a service is configured with a custom TLS context (a truststore), hostname verification of the identity provider's certificate is disabled by default; this behavior is inherited from rest-utils. Without it, the service accepts any certificate that chains to a CA in its truststore, whatever host name that certificate was issued for, so a certificate for an unrelated host signed by the same CA is enough to impersonate the identity provider. To turn verification on, set the service's prefixed property, replacing <service> with the actual Confluent Platform service that you are configuring:

confluent.<service>.ssl.endpoint.identification.algorithm=https

For example, for Metadata Service (MDS), you need to set the following property:

confluent.metadata.server.ssl.endpoint.identification.algorithm=https

If you need to disable hostname verification (for example, when using AWS DNS), delete the configuration property or explicitly set it to a blank or empty value. Doing so removes the check that the certificate was issued for the host you connected to, so keep the truststore limited to the identity provider's own certificate or issuing CA rather than a general-purpose CA bundle.
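The following script is an added example, not part of Confluent's documentation, that carries the three steps above through in one place and then exercises the hostname check that this section describes. It assumes openssl is on PATH and, for the import step only, the JDK's keytool. The identity provider chain it works on is constructed locally (a throwaway CA and a leaf certificate for the made-up host login.example.com), so it runs offline; fetch_chain is the network variant of Step 1 and is not called by the demo. Function names, the alias idp-ca and the password changeit are illustrative choices, not Confluent conventions.

```bash
#!/bin/sh
# Added example, not part of Confluent's documentation: build an identity-provider truststore
# from the full certificate chain and run the hostname check that a truststore alone does not
# give you. Assumes openssl on PATH and, for the import step only, the JDK's keytool.
set -eu

# Fetch the chain an identity provider presents at host:port. The page's one-liner pipes into
# `openssl x509`, which keeps only the first (leaf) certificate; this keeps every certificate
# s_client prints, so the issuing CA can be trusted instead of a leaf that rotates.
# -servername sends SNI, which front ends that host several names need.
# Needs network access; the offline demo below uses make_test_chain instead.
fetch_chain() {
  local hostport="$1" out="$2"
  openssl s_client -showcerts -servername "${hostport%%:*}" -connect "$hostport" \
    </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
}

# Split a PEM bundle into cert-1.pem (leaf), cert-2.pem (its issuer), ... and print the count.
split_chain() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$bundle"
}

# SHA-256 fingerprint of a certificate, to compare with what the IdP publishes before trusting it.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Import one certificate into a JKS truststore (created on first use) and confirm the alias exists.
import_to_truststore() {
  local certfile="$1" alias="$2" truststore="$3" password="$4"
  keytool -importcert -noprompt -alias "$alias" -file "$certfile" -storetype JKS \
    -keystore "$truststore" -storepass "$password" >/dev/null 2>&1
  keytool -list -alias "$alias" -keystore "$truststore" -storepass "$password" >/dev/null 2>&1
}

# Chain validation plus hostname check: what ssl.endpoint.identification.algorithm=https adds on
# top of the truststore. Returns 0 only if the leaf chains to the CA and was issued for the host.
verify_for_host() {
  local cafile="$1" leaf="$2" host="$3"
  openssl verify -CAfile "$cafile" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

# Constructed test material (throwaway keys): a self-signed CA and a leaf for login.example.com,
# concatenated leaf-first, the order s_client prints them.
make_test_chain() {
  local dir="$1"
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  printf 'subjectAltName=DNS:login.example.com\n' >"$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test IdP CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=login.example.com" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/ca.pem" >"$dir/bundle.pem"
}

# Offline run: split the constructed chain, trust its issuer, then show that the certificate for
# login.example.com passes for that name and is rejected for any other.
demo() {
  local dir n
  dir="$(mktemp -d)"
  make_test_chain "$dir"
  n="$(split_chain "$dir/bundle.pem" "$dir/split")"
  echo "certificates in chain: $n"
  echo "issuer fingerprint: $(cert_fingerprint "$dir/split/cert-$n.pem")"
  if command -v keytool >/dev/null 2>&1; then
    import_to_truststore "$dir/split/cert-$n.pem" idp-ca "$dir/truststore.jks" changeit &&
      echo "imported issuer as alias idp-ca into $dir/truststore.jks"
  else
    echo "keytool not found; skipping JKS import"
  fi
  verify_for_host "$dir/ca.pem" "$dir/leaf.pem" login.example.com && echo "login.example.com: OK"
  verify_for_host "$dir/ca.pem" "$dir/leaf.pem" evil.example.com || echo "evil.example.com: rejected"
}

demo
```

For a real identity provider, replace the demo's make_test_chain call with fetch_chain login.example.com:443 bundle.pem and import the last certificate that split_chain writes; the verify_for_host calls show in openssl terms why a service that accepts the chain but skips the hostname check will also accept a certificate issued for a different host by the same CA.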