Configuring Mutual SSL Authentication for Kafka

Updated on 2025-02-14 GMT+08:00

Mutual SSL authentication verifies the certificates of both the client and the server during the TLS handshake, so each party proves its identity to the other. Without it, only the server certificate is verified and the broker has no certificate-based proof of who the client is.

Enable mutual SSL authentication when the broker must verify client identities at the transport layer.

Mutual SSL authentication is not enabled by default. Contact Huawei Cloud support to have it enabled for your instance.

Figure 1 shows the overall procedure for configuring mutual SSL authentication.

Figure 1 Overall procedure for configuring mutual SSL authentication

Notes and Constraints

Enabling or disabling mutual SSL authentication restarts the instance. Plan for the interruption and exercise caution.

Prerequisites

  • A Linux server is available, with Java Development Kit 1.8.111 or later installed and the JAVA_HOME and PATH environment variables configured. keytool, used below, ships with the JDK; openssl must also be installed.
  • Kafka SASL_SSL has been enabled for the instance.

Step 1: Generate Certificates for the Client to Verify the Server

  1. Log in to the Linux server and run the following command to generate an RSA key pair and a self-signed certificate for the server, stored under the alias localhost in the keystore server.keystore.jks:

    keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA

    Enter the keystore password as prompted and record the password for later use. If keytool then asks for a key password, press Enter so that it is the same as the keystore password: the console expects the same value in the Key Password and Keystore Password fields when you enable mutual SSL authentication.

    The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password.

    Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.

    [root@ecs-kafka ~]# keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  Tom
    What is the name of your organizational unit?
      [Unknown]:  test
    What is the name of your organization?
      [Unknown]:  test01
    What is the name of your City or Locality?
      [Unknown]:  nj
    What is the name of your State or Province?
      [Unknown]:  js
    What is the two-letter country code for this unit?
      [Unknown]:  xx
    Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
      [no]:  y

  2. Run the following command to generate a CA: a self-signed CA certificate (ca-cert) and its private key (ca-key), which is encrypted with the pass phrase you enter:

    openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

    Enter the PEM pass phrase as prompted and record it for later use. It protects ca-key and is required every time the CA signs a certificate.

    The pass phrase must contain 4 to 1024 characters.

    Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.

    [root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
    Generating a RSA private key
    ............................................................................................................................................+++++
    ..........+++++
    writing new private key to 'ca-key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:xx
    State or Province Name (full name) []:js
    Locality Name (eg, city) [Default City]:nj
    Organization Name (eg, company) [Default Company Ltd]:test01
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) []:Tom 
    Email Address []:xx
    [root@ecs-kafka ~]#

  3. Run the following command to generate a certificate signing request (CSR) for the server key pair in server.keystore.jks generated in 1. The request is written to server.crt (a CSR, not yet a signed certificate):

    keytool -keystore server.keystore.jks -alias localhost -certreq -file server.crt

    Enter the keystore password set in 1 as prompted.

  4. Run the following command to sign server.crt with the CA private key. The signed certificate is written to server-signed.crt, and ca-cert.srl is created to track the serial numbers issued by this CA:

    openssl x509 -req -CA ca-cert -CAkey ca-key -in server.crt -out server-signed.crt -days 3650 -CAcreateserial

    Enter the PEM pass phrase set in 2 as prompted.

  5. Run the following commands, in this order, to import the CA certificate and then server-signed.crt into the keystore. The CA must be imported first so that keytool can build the chain for the signed certificate, which then replaces the self-signed certificate under the alias localhost:

    keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
    keytool -keystore server.keystore.jks -alias localhost -import -file server-signed.crt

    Enter the keystore password set in 1 as prompted.

    Enter y when the following information is displayed for the CA certificate:
    Trust this certificate?

  6. Run the following command to create the client truststore and import the CA certificate into it. A client that trusts this CA accepts the server certificate signed in 4:

    keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

    client.truststore.jks does not exist yet, so the password you enter becomes its keystore password. Record it for later use.

    The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password.

    Enter y when the following information is displayed:
    Trust this certificate?

  7. Copy client.truststore.jks and server.keystore.jks to the local PC.

    server.keystore.jks is the file uploaded as the keystore in the later step Enable Mutual SSL Authentication. client.truststore.jks must be stored on the client; record its storage path, which is the value of ssl.truststore.location in the configuration file the client uses to connect to the Kafka instance. server.keystore.jks contains the server private key, so keep it and its password out of shared locations.

Step 2: Generate Certificates for the Server to Verify the Client

  1. Log in to the Linux server and run the following command to generate an RSA key pair and a self-signed certificate for the client, stored under the alias localhost in the keystore client.keystore.jks:

    keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA

    Enter the keystore password as prompted and record the password for later use. If keytool then asks for a key password, press Enter so that it is the same as the keystore password; this value is used for both ssl.keystore.password and ssl.key.password in the client configuration.

    The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password.

    Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.

    [root@ecs-kafka ~]# keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  Tom
    What is the name of your organizational unit?
      [Unknown]:  test
    What is the name of your organization?
      [Unknown]:  test01
    What is the name of your City or Locality?
      [Unknown]:  nj
    What is the name of your State or Province?
      [Unknown]:  js
    What is the two-letter country code for this unit?
      [Unknown]:  xx
    Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
      [no]:  y

  2. Run the following command to generate a CA for signing the client certificate:

    openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

    This command writes to the same file names as in Step 1 and overwrites the CA generated there. The Step 1 CA has already been imported into server.keystore.jks and client.truststore.jks, so nothing is lost, but the result is two separate CAs: one trusted by the client and one trusted by the server. If you prefer a single CA for both directions, skip this command and keep using the ca-key and ca-cert from Step 1 in the following steps.

    Enter the PEM pass phrase as prompted and record it for later use.

    The pass phrase must contain 4 to 1024 characters.

    Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.

    [root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
    Generating a RSA private key
    ............................................................................................................................................+++++
    ..........+++++
    writing new private key to 'ca-key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:xx
    State or Province Name (full name) []:js
    Locality Name (eg, city) [Default City]:nj
    Organization Name (eg, company) [Default Company Ltd]:test01
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) []:Tom 
    Email Address []:xx
    [root@ecs-kafka ~]#

  3. Run the following command to generate a certificate signing request (CSR) for the client key pair in client.keystore.jks generated in 1. The request is written to client.crt (a CSR, not yet a signed certificate):

    keytool -keystore client.keystore.jks -alias localhost -certreq -file client.crt

    Enter the keystore password set in 1 as prompted.

  4. Run the following command to sign client.crt with the CA private key. The signed certificate is written to client-signed.crt:

    openssl x509 -req -CA ca-cert -CAkey ca-key -in client.crt -out client-signed.crt -days 3650 -CAcreateserial

    Enter the PEM pass phrase set in 2 as prompted.

  5. Run the following commands, in this order, to import the CA certificate and then client-signed.crt into the keystore. The CA must be imported first so that keytool can build the chain for the signed certificate, which then replaces the self-signed certificate under the alias localhost:

    keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
    keytool -keystore client.keystore.jks -alias localhost -import -file client-signed.crt

    Enter the keystore password set in 1 as prompted.

    Enter y when the following information is displayed for the CA certificate:
    Trust this certificate?

  6. Run the following command to create the server truststore and import the CA certificate into it. A server that trusts this CA accepts the client certificate signed in 4:

    keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert

    server.truststore.jks does not exist yet, so the password you enter becomes its keystore password. Record it for later use.

    The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password.

    Enter y when the following information is displayed:
    Trust this certificate?

  7. Copy server.truststore.jks and client.keystore.jks to the local PC.

    server.truststore.jks is the file uploaded as the truststore in the later step Enable Mutual SSL Authentication. client.keystore.jks must be stored on the client; record its storage path, which is the value of ssl.keystore.location in the configuration file the client uses to connect to the Kafka instance. client.keystore.jks contains the client private key, so restrict access to it on the client host.
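Step 1 and Step 2 as one non-interactive POSIX shell script. This is an added example, not part of the original page or of DMS for Kafka. It runs the same keytool and openssl commands as the steps above, but passes the distinguished names and passwords as arguments instead of answering prompts, signs both certificates with a single CA instead of generating a second one, and ends with checks that each signed certificate chains to the CA and that each keystore holds its private key entry and the CA entry. The passwords, distinguished names, work directory and the final chmod are placeholders or additions chosen for this example.

```shell
#!/bin/sh
# Added example: Step 1 and Step 2 of the page as one non-interactive script.
# One CA signs both the server and the client certificate; each side gets a
# keystore with its own CA-signed key pair and a truststore holding the CA.
# Passwords, DNs and the work directory below are placeholders (assumptions).
set -eu

STOREPASS="${STOREPASS:-Kafka-mtls-2025!}"      # keystore/key password: 8-32 chars, 3+ classes
CAPASS="${CAPASS:-ca-passphrase-change-me}"     # PEM pass phrase for ca-key: 4-1024 chars
DAYS=3650
CA_SUBJ="/C=CN/ST=js/L=nj/O=example/OU=dms/CN=kafka-mtls-ca"
SERVER_DN="CN=kafka-broker,OU=dms,O=example,L=nj,ST=js,C=CN"
CLIENT_DN="CN=kafka-client,OU=dms,O=example,L=nj,ST=js,C=CN"

# Generate the CA (Step 1.2): self-signed ca-cert and encrypted ca-key.
gen_ca() {
  openssl req -new -x509 -keyout ca-key -out ca-cert -days "$DAYS" \
    -subj "$CA_SUBJ" -passout "pass:$CAPASS"
}

# gen_identity NAME DN PEER: build NAME.keystore.jks (key pair, CA-signed
# certificate, CA entry) and PEER.truststore.jks (the CA, so PEER trusts NAME).
# The key password is kept equal to the keystore password, which is what the
# console's Key Password and Keystore Password fields expect.
gen_identity() {
  name="$1"; dn="$2"; peer="$3"
  keytool -genkeypair -keystore "$name.keystore.jks" -storetype JKS \
    -alias localhost -validity "$DAYS" -keyalg RSA -keysize 2048 \
    -dname "$dn" -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Certificate signing request for the key pair (NAME.crt in the page)
  keytool -keystore "$name.keystore.jks" -alias localhost -certreq \
    -file "$name.crt" -storepass "$STOREPASS"
  # Sign the request with the CA key (ca-cert.srl tracks serial numbers)
  openssl x509 -req -CA ca-cert -CAkey ca-key -in "$name.crt" \
    -out "$name-signed.crt" -days "$DAYS" -CAcreateserial -passin "pass:$CAPASS"
  # CA first so the chain resolves; the signed cert then replaces the self-signed one
  keytool -keystore "$name.keystore.jks" -alias CARoot -import -file ca-cert \
    -storepass "$STOREPASS" -noprompt
  keytool -keystore "$name.keystore.jks" -alias localhost -import \
    -file "$name-signed.crt" -storepass "$STOREPASS" -noprompt
  # The peer only needs the CA to verify NAME's certificate
  keytool -keystore "$peer.truststore.jks" -storetype JKS -alias CARoot \
    -import -file ca-cert -storepass "$STOREPASS" -noprompt
}

# verify_identity NAME: the signed certificate chains to the CA, and the
# keystore holds a private key entry plus the trusted CA entry.
verify_identity() {
  name="$1"
  openssl verify -CAfile ca-cert "$name-signed.crt" >/dev/null
  listing="$(keytool -list -keystore "$name.keystore.jks" -storepass "$STOREPASS")"
  printf '%s\n' "$listing" | grep -q '^localhost,.*PrivateKeyEntry'
  printf '%s\n' "$listing" | grep -qi '^caroot,.*trustedCertEntry'
}

# build_all DIR: run Steps 1 and 2 in DIR and verify the four stores.
build_all() {
  mkdir -p "$1"
  ( cd "$1"
    gen_ca
    gen_identity server "$SERVER_DN" client   # Step 1: server.keystore.jks + client.truststore.jks
    gen_identity client "$CLIENT_DN" server   # Step 2: client.keystore.jks + server.truststore.jks
    verify_identity server
    verify_identity client
    chmod 600 ca-key ./*.jks )                # private material stays owner-only
}

# Run directly:  sh kafka-mtls-setup.sh ./kafka-mtls
if [ $# -gt 0 ]; then build_all "$1"; fi
```

Passing passwords on the command line (and in -passin/-passout arguments) shows them briefly in the process list of the host; on a shared machine use keytool's -storepass:env or -storepass:file forms and openssl's env: or file: pass phrase sources instead.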

Step 3: Enable Mutual SSL Authentication

  1. Log in to the console.
  2. Click the region selector in the upper left corner and select the region where your instance is located.
  3. Click the service list icon and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. In the navigation pane, choose Kafka Instances.
  5. Click the desired Kafka instance to go to the instance details page.
  6. In the Connection area, click the icon next to Mutual SSL Authentication.
  7. In the displayed Mutual SSL Authentication dialog box, set the parameters by referring to Table 1.

    Enabling mutual SSL authentication will restart the instance. Exercise caution.
    Figure 2 Enabling mutual SSL authentication
    Table 1 Parameters for enabling mutual SSL authentication

    Parameter            Description
    Key Password         Password of the server private key in server.keystore.jks. This is the keystore password set in Step 1 if you accepted the default at the key password prompt.
    Keystore Password    Password of server.keystore.jks, set in Step 1.
    Keystore File        Upload server.keystore.jks generated in Step 1.
    Truststore Password  Password of server.truststore.jks, set in Step 2.
    Truststore File      Upload server.truststore.jks generated in Step 2.

  8. Click OK.

Step 4: Modify Client Configuration Files

After enabling mutual SSL authentication, change the server certificate configuration and add the client certificate configurations in the consumer.properties and producer.properties files on the client. security.protocol changes from SASL_SSL to SSL, the existing truststore settings stay as they are, and the three new settings point the client at client.keystore.jks generated in Step 2 and the password set for it:

security.protocol=SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=
# Add the following client certificate configurations:
ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
ssl.keystore.password=txxx3
ssl.key.password=txxx3

ssl.key.password is the key password of the client key pair, which equals the keystore password if you accepted the default when generating client.keystore.jks. The empty ssl.endpoint.identification.algorithm disables hostname verification of the server certificate; this is needed because the certificate generated in Step 1 carries the common name you typed rather than the broker address, so the client authenticates the server solely through the CA in client.truststore.jks. The properties files contain the keystore and truststore passwords: restrict their permissions to the user that runs the Kafka client.

Disabling Mutual SSL Authentication

  1. Log in to the console.
  2. Click the region selector in the upper left corner and select the region where your instance is located.
  3. Click the service list icon and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. In the navigation pane, choose Kafka Instances.
  5. Click the desired Kafka instance.
  6. In the Connection area, click the icon next to Mutual SSL Authentication.

    Disabling mutual SSL authentication will restart the instance. Exercise caution.

  7. After disabling mutual SSL authentication, change security.protocol back to SASL_SSL and delete the client certificate configurations in the consumer.properties and producer.properties files on the client:

    security.protocol=SASL_SSL
    ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
    ssl.truststore.password=dms@kafka
    ssl.endpoint.identification.algorithm=
    # Delete the following client certificate configurations:
    ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
    ssl.keystore.password=txxx3
    ssl.key.password=txxx3

    security.protocol: security protocol used by the client. When disabling mutual SSL authentication, set this parameter to SASL_SSL. You do not need to change the values of ssl.truststore.location, ssl.truststore.password, and ssl.endpoint.identification.algorithm, because the client still verifies the server certificate against the truststore.
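An added example, not from the original page: a small POSIX shell lint that checks a client properties file against the two states described in Step 4 and in step 7 of Disabling Mutual SSL Authentication. With security.protocol=SSL the keystore settings must be present; with SASL_SSL they must have been removed; the truststore settings are required in both states. It also warns when ssl.endpoint.identification.algorithm is empty (hostname verification off) and when the file is readable by other users. The three sample files it writes are constructed for the example, with placeholder paths and passwords.

```shell
#!/bin/sh
# Added example: lint a Kafka client properties file for the mutual SSL
# on/off states on this page. File contents below are constructed samples.
set -eu

# prop FILE KEY: print the last value assigned to KEY (empty if absent)
prop() {
  key="$(printf '%s' "$2" | sed 's/\./\\./g')"
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_client_props FILE: return 0 if the settings match security.protocol,
# 1 otherwise. Findings and warnings go to stderr.
check_client_props() {
  f="$1"; rc=0
  proto="$(prop "$f" security.protocol)"
  case "$proto" in
    SSL)        # mutual SSL on: the client must present its own certificate
      for k in ssl.keystore.location ssl.keystore.password ssl.key.password; do
        [ -n "$(prop "$f" "$k")" ] || { echo "$f: security.protocol=SSL needs $k" >&2; rc=1; }
      done ;;
    SASL_SSL)   # mutual SSL off: leftover keystore lines must be deleted
      for k in ssl.keystore.location ssl.keystore.password ssl.key.password; do
        [ -z "$(prop "$f" "$k")" ] || { echo "$f: remove $k after disabling mutual SSL" >&2; rc=1; }
      done ;;
    *) echo "$f: unexpected security.protocol '$proto'" >&2; rc=1 ;;
  esac
  # The client verifies the server certificate in both states
  for k in ssl.truststore.location ssl.truststore.password; do
    [ -n "$(prop "$f" "$k")" ] || { echo "$f: $k is missing" >&2; rc=1; }
  done
  # Empty algorithm = no hostname check; the page relies on it, so only warn
  if grep -q '^[[:space:]]*ssl\.endpoint\.identification\.algorithm[[:space:]]*=[[:space:]]*$' "$f"; then
    echo "$f: warning, hostname verification of the server certificate is disabled" >&2
  fi
  # The file holds passwords: warn if group/other can read it
  case "$(ls -l "$f" | cut -c5-10)" in
    *r*) echo "$f: warning, readable by group/other (chmod 600 recommended)" >&2 ;;
  esac
  return "$rc"
}

# write_samples DIR: constructed files, one per state plus a stale one
write_samples() {
  mkdir -p "$1"
  cat > "$1/mtls.properties" <<'EOF'
security.protocol=SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=example-truststore-pass
ssl.endpoint.identification.algorithm=
ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
ssl.keystore.password=example-keystore-pass
ssl.key.password=example-keystore-pass
EOF
  cat > "$1/sasl.properties" <<'EOF'
security.protocol=SASL_SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=example-truststore-pass
ssl.endpoint.identification.algorithm=
EOF
  # Mutual SSL was disabled but only security.protocol was changed back
  cat > "$1/stale.properties" <<'EOF'
security.protocol=SASL_SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=example-truststore-pass
ssl.endpoint.identification.algorithm=
ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
ssl.keystore.password=example-keystore-pass
ssl.key.password=example-keystore-pass
EOF
}

# Run directly:  sh check-kafka-client-props.sh /path/to/consumer.properties
if [ $# -gt 0 ]; then check_client_props "$1"; fi
```

Run it against both consumer.properties and producer.properties after every toggle of mutual SSL authentication; the stale case is the one that produces confusing handshake failures, because the broker no longer requests a client certificate while the client still offers one and authenticates with SASL.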
