Updated on 2024-04-07 GMT+08:00

Configuring Mutual SSL Authentication

Scenario

Mutual SSL authentication verifies the certificates of both the client and server during communication. This ensures that both parties involved in the communication are trusted.

Enable mutual SSL authentication to achieve high security.

To use mutual SSL authentication, contact technical support to enable it for your instance.

Enabling or disabling mutual SSL authentication will restart the instance. Exercise caution.

Prerequisites

  • A Linux server is available.
  • Kafka SASL_SSL has been enabled for the instance.

Overall Procedure

Figure 1 Overall procedure for configuring mutual SSL authentication

Step 1: Generate Certificates for the Client to Verify the Server

  1. Log in to the Linux server and run the following command to generate the server key pair in a keystore named server.keystore.jks:

    keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA

    Enter a keystore password as prompted. The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password. To check whether a password is weak, enter it in 6.

    Enter the information about the certificate owner as prompted, such as the name, company, and city.

  2. Run the following command to generate a CA:

    openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

    Enter a PEM password as prompted.

    Enter the information about the certificate owner as prompted.

  3. Run the following command to generate a certificate signing request from the key in the server.keystore.jks file generated in 1 and save it as server.crt:

    keytool -keystore server.keystore.jks -alias localhost -certreq -file server.crt

    Enter a keystore password as prompted.

  4. Run the following command to use the CA private key to sign server.crt and name the signed certificate server-signed.crt:

    openssl x509 -req -CA ca-cert -CAkey ca-key -in server.crt -out server-signed.crt -days 3650 -CAcreateserial

    Enter the PEM password set in 2 as prompted.

  5. Run the following command to import the CA certificate and server-signed.crt to the keystore:

    keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
    keytool -keystore server.keystore.jks -alias localhost -import -file server-signed.crt

    Enter a keystore password as prompted.

  6. Run the following command to enable the client to trust the server certificate:

    keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

    Enter a password for client.truststore.jks as prompted. The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password. To check whether a password is weak, enter it in 6.

  7. Export the client.truststore.jks and server.keystore.jks certificates to the local PC.

Step 2: Generate Certificates for the Server to Verify the Client

  1. Log in to the Linux server and run the following command to generate the client key pair in a keystore named client.keystore.jks:

    keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA

    Enter a keystore password as prompted. The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password. To check whether a password is weak, enter it in 6.

    Enter the information about the certificate owner as prompted, such as the name, company, and city.

  2. Run the following command to generate a CA:

    openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

    Enter a PEM password as prompted.

    Enter the information about the certificate owner as prompted.

  3. Run the following command to generate a certificate signing request from the key in the client.keystore.jks file generated in 1 and save it as client.crt:

    keytool -keystore client.keystore.jks -alias localhost -certreq -file client.crt

    Enter a keystore password as prompted.

  4. Run the following command to use the CA private key to sign client.crt and name the signed certificate client-signed.crt:

    openssl x509 -req -CA ca-cert -CAkey ca-key -in client.crt -out client-signed.crt -days 3650 -CAcreateserial

    Enter the PEM password set in 2 as prompted.

  5. Run the following command to import the CA certificate and client-signed.crt to the keystore:

    keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
    keytool -keystore client.keystore.jks -alias localhost -import -file client-signed.crt

    Enter a keystore password as prompted.

  6. Run the following command to enable the server to trust the client certificate:

    keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert

    Enter a password for server.truststore.jks as prompted. The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password. To check whether a password is weak, enter it in 6.

  7. Export the server.truststore.jks and client.keystore.jks certificates to the local PC.
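The following POSIX shell script is an added example, not code from the original page or from DMS for Kafka. It runs the keytool and openssl commands of Step 1 and Step 2 non-interactively for one party at a time (the -storepass, -keypass, -dname, -subj, -passout and -passin options replace the prompts described above) and then performs two checks a practitioner would want before uploading anything to the console: the signed certificate verifies against ca-cert, and the keystore's localhost entry holds a two-certificate chain (leaf plus CA). It assumes keytool (from a JDK) and openssl are on PATH; the passwords, the subject names, the run_demo helper and the use of a single CA for both parties are choices of this example, not values from the page. Because the script gives the key and the keystore the same password, the Key Password and Keystore Password requested later by the console are identical.

```shell
#!/bin/sh
# Added example (not from the original page): runs the Step 1 / Step 2 keytool and
# openssl commands non-interactively and checks the result. Assumes keytool (JDK) and
# openssl on PATH; passwords and subject names below are placeholders for this example.
set -eu

# Step 1.2 / 2.2: self-signed CA. $1 = working dir, $2 = PEM password for ca-key
make_ca() {
    openssl req -new -x509 -keyout "$1/ca-key" -out "$1/ca-cert" -days 3650 \
        -subj "/CN=Example Kafka CA" -passout "pass:$2" 2>/dev/null
}

# Steps 1.1, 1.3, 1.4, 1.5 (or 2.1, 2.3, 2.4, 2.5) for one party.
# $1 = dir, $2 = party ("server" or "client"), $3 = keystore password, $4 = CA PEM password
make_signed_keystore() {
    ks="$1/$2.keystore.jks"
    # 1.1: key pair; the key password is deliberately the same as the keystore password
    keytool -genkey -keystore "$ks" -alias localhost -validity 3650 -keyalg RSA \
        -storepass "$3" -keypass "$3" -dname "CN=$2,O=Example"
    # 1.3: certificate signing request (the page's -certreq step)
    keytool -keystore "$ks" -alias localhost -certreq -file "$1/$2.crt" -storepass "$3"
    # 1.4: sign the request with the CA key
    openssl x509 -req -CA "$1/ca-cert" -CAkey "$1/ca-key" -in "$1/$2.crt" \
        -out "$1/$2-signed.crt" -days 3650 -CAcreateserial -passin "pass:$4" 2>/dev/null
    # 1.5: import the CA certificate, then the signed certificate into the key entry
    keytool -keystore "$ks" -alias CARoot -import -file "$1/ca-cert" -storepass "$3" -noprompt
    keytool -keystore "$ks" -alias localhost -import -file "$1/$2-signed.crt" -storepass "$3" -noprompt
}

# Step 1.6 / 2.6: truststore holding the CA certificate.
# $1 = dir, $2 = party that will use the truststore, $3 = truststore password
make_truststore() {
    keytool -keystore "$1/$2.truststore.jks" -alias CARoot -import -file "$1/ca-cert" \
        -storepass "$3" -noprompt
}

# Checks: the signed certificate verifies against ca-cert, and the keystore's
# localhost entry carries a 2-certificate chain (leaf + CA).
# $1 = dir, $2 = party, $3 = keystore password. Returns 0 when both hold.
verify_party() {
    openssl verify -CAfile "$1/ca-cert" "$1/$2-signed.crt" >/dev/null &&
    keytool -list -v -keystore "$1/$2.keystore.jks" -storepass "$3" -alias localhost |
        grep -q 'Certificate chain length: 2'
}

# Hypothetical end-to-end run in directory $1, using one CA for both parties.
run_demo() {
    make_ca "$1" 'ca-pem-pass'
    make_signed_keystore "$1" server 'Srv-Pass-123' 'ca-pem-pass'   # Step 1
    make_truststore "$1" client 'Cli-Trust-123'                    # Step 1.6
    make_signed_keystore "$1" client 'Cli-Pass-123' 'ca-pem-pass'   # Step 2
    make_truststore "$1" server 'Srv-Trust-123'                    # Step 2.6
    verify_party "$1" server 'Srv-Pass-123' && verify_party "$1" client 'Cli-Pass-123'
}
# Usage: . ./mutual_ssl_certs.sh; run_demo "$(mktemp -d)" && echo "all checks passed"
```

The files the script leaves in the working directory (server.keystore.jks, server.truststore.jks, client.keystore.jks, client.truststore.jks) are the four artifacts that Steps 1.7 and 2.7 export to the local PC.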

Step 3: Enable Mutual SSL Authentication

  1. Log in to the management console.
  2. Click in the upper left corner to select a region.

    Select the same region as your application service.

  3. Click and choose Application > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. Click the desired Kafka instance.
  5. In the Connection area, click next to Mutual SSL Authentication.
  6. In the displayed Mutual SSL Authentication dialog box, set the parameters by referring to Table 1.

    Figure 2 Enabling mutual SSL authentication
    Table 1 Parameters for enabling mutual SSL authentication

    Parameter            Description
    Key Password         Enter the password of server.keystore.jks.
    Keystore Password    Enter the password of server.keystore.jks.
    Keystore File        Import the server.keystore.jks certificate.
    Truststore Password  Enter the password of server.truststore.jks.
    Truststore File      Import the server.truststore.jks certificate.

    Enabling mutual SSL authentication will restart the instance. Exercise caution.

  7. Click OK.

Step 4: Modify Client Configuration Files

After enabling mutual SSL authentication, modify the server certificate configuration and add the client certificate configurations in the consumer.properties and producer.properties files on the client.

security.protocol=SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=
# Add the following client certificate configurations:
ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
ssl.keystore.password=txxx3
ssl.key.password=txxx3

  • security.protocol: security protocol type. When enabling mutual SSL authentication, set this parameter to SSL.
  • ssl.truststore.location: path for storing the client.truststore.jks certificate.
  • ssl.truststore.password: password of client.truststore.jks.
  • ssl.endpoint.identification.algorithm: whether to verify the certificate domain name. This parameter must be left blank, which disables domain name verification: the client then checks only that the broker certificate chains to the CA in client.truststore.jks, not that the certificate name matches the broker address.
  • ssl.keystore.location: path for storing the client.keystore.jks certificate.
  • ssl.keystore.password: password of client.keystore.jks.
  • ssl.key.password: password of the private key stored in client.keystore.jks.
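The following POSIX shell function is an added example, not part of the original page. It checks a client consumer.properties or producer.properties against the settings listed above and in "Disabling Mutual SSL Authentication": with mutual SSL enabled the file must use security.protocol=SSL and carry the ssl.keystore.location, ssl.keystore.password and ssl.key.password entries; after it is disabled those entries must be gone and security.protocol must be SASL_SSL; in both states the truststore entries must be present and ssl.endpoint.identification.algorithm must be present and blank. The function names and the sample files in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): validates a Kafka client properties file
# against the mutual SSL settings described above. Function names are chosen here.

# Print the value of key $2 in file $1 (last non-comment occurrence, trailing blanks
# stripped); prints nothing if the key is absent.
prop() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# $1 = properties file, $2 = "enabled" or "disabled" (state of mutual SSL
# authentication on the instance). Prints every problem found; returns 0 if none.
check_client_props() {
    problems=0
    proto=$(prop "$1" security.protocol)
    case $2 in
    enabled)
        [ "$proto" = SSL ] ||
            { echo "security.protocol must be SSL, found '$proto'"; problems=$((problems + 1)); }
        for k in ssl.keystore.location ssl.keystore.password ssl.key.password; do
            [ -n "$(prop "$1" "$k")" ] ||
                { echo "$k is missing but mutual SSL is enabled"; problems=$((problems + 1)); }
        done ;;
    disabled)
        [ "$proto" = SASL_SSL ] ||
            { echo "security.protocol must be SASL_SSL, found '$proto'"; problems=$((problems + 1)); }
        for k in ssl.keystore.location ssl.keystore.password ssl.key.password; do
            [ -z "$(prop "$1" "$k")" ] ||
                { echo "$k is still set after mutual SSL was disabled"; problems=$((problems + 1)); }
        done ;;
    *)
        echo "mode must be 'enabled' or 'disabled'"; return 2 ;;
    esac
    # Truststore settings are required in both states
    for k in ssl.truststore.location ssl.truststore.password; do
        [ -n "$(prop "$1" "$k")" ] || { echo "$k is missing"; problems=$((problems + 1)); }
    done
    # The page requires this key to be present and left blank
    if ! grep -q '^[[:space:]]*ssl\.endpoint\.identification\.algorithm[[:space:]]*=' "$1"; then
        echo "ssl.endpoint.identification.algorithm line is missing"; problems=$((problems + 1))
    elif [ -n "$(prop "$1" ssl.endpoint.identification.algorithm)" ]; then
        echo "ssl.endpoint.identification.algorithm must be left blank"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
# Usage: check_client_props /opt/kafka_2.12-2.7.2/config/producer.properties enabled
#        check_client_props /opt/kafka_2.12-2.7.2/config/consumer.properties disabled
```

Run it once for each properties file after every change to the instance's mutual SSL setting; a non-zero return with "security.protocol must be ..." is the typical sign that the client files were not updated after the instance restarted.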

Disabling Mutual SSL Authentication

  1. Log in to the management console.
  2. Click in the upper left corner to select a region.

    Select the same region as your application service.

  3. Click and choose Application > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. Click the desired Kafka instance.
  5. In the Connection area, click next to Mutual SSL Authentication.

    Disabling mutual SSL authentication will restart the instance. Exercise caution.

  6. After disabling mutual SSL authentication, modify the server certificate protocol and delete the client certificate configurations in the consumer.properties and producer.properties files on the client.

    security.protocol=SASL_SSL
    ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
    ssl.truststore.password=dms@kafka
    ssl.endpoint.identification.algorithm=
    # Delete the following client certificate configurations:
    ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
    ssl.keystore.password=txxx3
    ssl.key.password=txxx3

    • security.protocol: security protocol type. When disabling mutual SSL authentication, set this parameter to SASL_SSL. You do not need to change the values of ssl.truststore.location, ssl.truststore.password, and ssl.endpoint.identification.algorithm.