Help Center/ Distributed Message Service for Kafka/ User Guide/ Connecting to an Instance/ Configuring Kafka Access Control/ Configuring Mutual SSL Authentication for Kafka

Updated on 2024-10-25 GMT+08:00

View PDF

Configuring Mutual SSL Authentication for Kafka

Mutual SSL authentication verifies the certificates of both the client and server during communication. This ensures that both parties involved in the communication are trusted.

Enable mutual SSL authentication to achieve high security.

To use mutual SSL authentication, contact background support personnel to enable it for you.

Enabling or disabling mutual SSL authentication will restart the instance. Exercise caution.

Figure 1 shows the overall procedure for configuring mutual SSL authentication.

Figure 1 Overall procedure for configuring mutual SSL authentication

Prerequisites

A Linux server is available. The server must install Java Development Kit 1.8.111 or later and JAVA_HOME and PATH environment variables are configured.
Kafka SASL_SSL has been enabled for the instance.

Step 1: Generate Certificates for the Client to Verify the Server

Log in to the Linux server and run the following command to generate a keystore for the server.keystore.jks certificate:

keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA

Enter the keystore password as prompted and record the password for later use.

The password must meet the following requirements:

Contains 8 to 32 characters.
Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
Cannot be a weak password. To check whether a password is weak, enter it in 6.

Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.

[root@ecs-kafka ~]# keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Tom
What is the name of your organizational unit?
  [Unknown]:  test
What is the name of your organization?
  [Unknown]:  test01
What is the name of your City or Locality?
  [Unknown]:  nj
What is the name of your State or Province?
  [Unknown]:  js
What is the two-letter country code for this unit?
  [Unknown]:  xx
Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
  [no]:  y

Run the following command to generate a CA:

openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

Enter the PEM password as prompted and record the password for later use.

The password must meet the following requirements: 4 to 1024 characters.

Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.

[root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Generating a RSA private key
............................................................................................................................................+++++
..........+++++
writing new private key to 'ca-key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xx
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:nj
Organization Name (eg, company) [Default Company Ltd]:test01
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:Tom 
Email Address []:xx
[root@ecs-kafka ~]#

Run the following command to export the certificate from the server.keystore.jks file generated in 1 and name the certificate server.crt:
```
keytool -keystore server.keystore.jks -alias localhost -certreq -file server.crt
```
Enter the keystore password in 1 as prompted.
Run the following command to use the CA private key to sign server.crt and name the signed certificate server-signed.crt:
```
openssl x509 -req -CA ca-cert -CAkey ca-key -in server.crt -out server-signed.crt -days 3650 -CAcreateserial
```
Enter the PEM password in 2 as prompted.
Run the following command to import the CA certificate and server-signed.crt to the keystore:
```
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file server-signed.crt
```
Enter the keystore password in 1 as prompted.
Enter y when the following information is displayed:
```
Trust this certificate?
```
Run the following command to enable the client to trust the server certificate:
```
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
```
Enter the password of client.truststore.jks as required and record the password for later use.

The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter y when the following information is displayed:
```
Trust this certificate?
```
Export the client.truststore.jks and server.keystore.jks certificates to the local PC.

The server.keystore.jks file is used to replace the keystore file in the later step Enable Mutual SSL Authentication. client.truststore.jks is required to be stored on the client. Record the storage path and it is the value of ssl.truststore.location in the configuration file used by the client to connect to the Kafka instance.

Step 2: Generate Certificates for the Server to Verify the Client

Log in to the Linux server and run the following command to generate a keystore for the client.keystore.jks certificate:

keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA

Enter the keystore password as prompted and record the password for later use.

The password must meet the following requirements:

Contains 8 to 32 characters.
Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
Cannot be a weak password. To check whether a password is weak, enter it in 6.

Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.

[root@ecs-kafka ~]# keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Tom
What is the name of your organizational unit?
  [Unknown]:  test
What is the name of your organization?
  [Unknown]:  test01
What is the name of your City or Locality?
  [Unknown]:  nj
What is the name of your State or Province?
  [Unknown]:  js
What is the two-letter country code for this unit?
  [Unknown]:  xx
Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
  [no]:  y

Run the following command to generate a CA:

openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

Enter the PEM password as prompted and record the password for later use.

The password must meet the following requirements: 4 to 1024 characters.

Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.

[root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Generating a RSA private key
............................................................................................................................................+++++
..........+++++
writing new private key to 'ca-key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xx
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:nj
Organization Name (eg, company) [Default Company Ltd]:test01
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:Tom 
Email Address []:xx
[root@ecs-kafka ~]#

Run the following command to export the certificate from the client.keystore.jks file generated in 1 and name the certificate client.crt:
```
keytool -keystore client.keystore.jks -alias localhost -certreq -file client.crt
```
Enter the keystore password in 1 as prompted.
Run the following command to use the CA private key to sign client.crt and name the signed certificate client-signed.crt:
```
openssl x509 -req -CA ca-cert -CAkey ca-key -in client.crt -out client-signed.crt -days 3650 -CAcreateserial
```
Enter the PEM password set in 2 as prompted.
Run the following command to import the CA certificate and client-signed.crt to the keystore:
```
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.keystore.jks -alias localhost -import -file client-signed.crt
```
Enter the keystore password in 1 as prompted.
Enter y when the following information is displayed:
```
Trust this certificate?
```
Run the following command to enable the server to trust the client certificate:
```
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
```
Enter the password of server.truststore.jks as prompted and record the password for later use.

The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter y when the following information is displayed:
```
Trust this certificate?
```
Export the server.truststore.jks and client.keystore.jks certificates to the local PC.

The server.truststore.jks file is used to replace the truststore file in the later step Enable Mutual SSL Authentication. client.keystore.jks is required to be stored on the client. Record the storage path and it is the value of ssl.keystore.location in the configuration file used by the client to connect to the Kafka instance.

Step 3: Enable Mutual SSL Authentication

Log in to the console.
Click in the upper left corner to select a region.

Select the same region as your application service.
Click and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
Click the desired Kafka instance.
In the Connection area, click next to Mutual SSL Authentication.

In the displayed Mutual SSL Authentication dialog box, set the parameters by referring to Table 1.

Figure 2 Enabling mutual SSL authentication

**Table 1** Parameters for enabling mutual SSL authentication
Parameter	Description
Key Password	Enter the password of server.keystore.jks.
Keystore Password	Enter the password of server.keystore.jks.
Keystore File	Import the server.keystore.jks certificate.
Truststore Password	Enter the password of server.truststore.jks.
Truststore File	Import the server.truststore.jks certificate.

Enabling mutual SSL authentication will restart the instance. Exercise caution.

Click OK.

Step 4: Modifying Client Configuration Files

After enabling mutual SSL authentication, modify the server certificate configuration and add the client certificate configurations in the consumer.properties and producer.properties files on the client.

security.protocol=SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=
# Add the following client certificate configurations:
ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
ssl.keystore.password=txxx3
ssl.key.password=txxx3

security.protocol: certificate protocol type. When enabling mutual SSL authentication, set this parameter to SSL.
ssl.truststore.location: path for storing the client.truststore.jks certificate.
ssl.truststore.password: password of client.truststore.jks.
ssl.endpoint.identification.algorithm: whether to verify the certificate domain name. This parameter must be left blank, which indicates disabling domain name verification.
ssl.keystore.location: path for storing the client.keystore.jks certificate.
ssl.keystore.password: password of client.keystore.jks.
ssl.key.password: password of client.keystore.jks.

Disabling Mutual SSL Authentication

Log in to the console.
Click in the upper left corner to select a region.

Select the same region as your application service.
Click and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
Click the desired Kafka instance.
In the Connection area, click next to Mutual SSL Authentication.

Disabling mutual SSL authentication will restart the instance. Exercise caution.
After disabling mutual SSL authentication, modify the server certificate protocol and delete the client certificate configurations in the consumer.properties and producer.properties files on the client.
```
security.protocol=SASL_SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=
# Delete the following client certificate configurations:
ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
ssl.keystore.password=txxx3
ssl.key.password=txxx3 
```
security.protocol: certificate protocol type. When disabling mutual SSL authentication, set this parameter to SASL_SSL. You do not need to change the values of ssl.truststore.location, ssl.truststore.password, and ssl.endpoint.identification.algorithm.