Updated on 2024-10-25 GMT+08:00

Configuring Mutual SSL Authentication for Kafka

Mutual SSL authentication verifies the certificates of both the client and the server during the TLS handshake, so each party proves its identity to the other. With one-way SSL (the SASL_SSL setup this page starts from), only the server presents a certificate.

Enable mutual SSL authentication when clients must also authenticate to the broker with a certificate.

To use mutual SSL authentication, contact technical support to have it enabled for your instance.

Enabling or disabling mutual SSL authentication will restart the instance. Exercise caution.

Figure 1 shows the overall procedure for configuring mutual SSL authentication.

Figure 1 Overall procedure for configuring mutual SSL authentication

Prerequisites

  • A Linux server is available, with Java Development Kit 1.8.111 or later installed and the JAVA_HOME and PATH environment variables configured.
  • Kafka SASL_SSL has been enabled for the instance.

Step 1: Generate Certificates for the Client to Verify the Server

  1. Log in to the Linux server and run the following command to generate the server key pair and store it in the server.keystore.jks keystore:

    keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA

    Enter the keystore password as prompted and record the password for later use.

    The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password. To check whether a password is weak, enter it in 6.

    Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.

    [root@ecs-kafka ~]# keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  Tom
    What is the name of your organizational unit?
      [Unknown]:  test
    What is the name of your organization?
      [Unknown]:  test01
    What is the name of your City or Locality?
      [Unknown]:  nj
    What is the name of your State or Province?
      [Unknown]:  js
    What is the two-letter country code for this unit?
      [Unknown]:  xx
    Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
      [no]:  y

  2. Run the following command to generate a CA:

    openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

    Enter the PEM pass phrase for the CA private key as prompted and record it for later use. The pass phrase must contain 4 to 1024 characters.

    Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.

    [root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
    Generating a RSA private key
    ............................................................................................................................................+++++
    ..........+++++
    writing new private key to 'ca-key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:xx
    State or Province Name (full name) []:js
    Locality Name (eg, city) [Default City]:nj
    Organization Name (eg, company) [Default Company Ltd]:test01
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) []:Tom 
    Email Address []:xx
    [root@ecs-kafka ~]#

  3. Run the following command to generate a certificate signing request (CSR) for the key pair in server.keystore.jks created in 1 and save it as server.crt (keytool's -certreq produces a request, not a certificate; the CA signs it in the next step):

    keytool -keystore server.keystore.jks -alias localhost -certreq -file server.crt

    Enter the keystore password set in 1 as prompted.

  4. Run the following command to use the CA private key to sign server.crt and name the signed certificate server-signed.crt:

    openssl x509 -req -CA ca-cert -CAkey ca-key -in server.crt -out server-signed.crt -days 3650 -CAcreateserial

    Enter the PEM pass phrase set in 2 as prompted.

  5. Run the following command to import the CA certificate and server-signed.crt to the keystore:

    keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
    keytool -keystore server.keystore.jks -alias localhost -import -file server-signed.crt

    Enter the keystore password set in 1 as prompted.

    Enter y when the following information is displayed:
    Trust this certificate?

  6. Run the following command to create the client truststore client.truststore.jks and import the CA certificate into it, so that the client trusts any certificate signed by this CA, including the server certificate:

    keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

    Enter a password for client.truststore.jks as prompted and record it for later use.

    The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password. To check whether a password is weak, enter it in 6.
    Enter y when the following information is displayed:
    Trust this certificate?

  7. Copy client.truststore.jks and server.keystore.jks to the local PC.

    server.keystore.jks replaces the keystore file in the later step Step 3: Enable Mutual SSL Authentication. client.truststore.jks is stored on the client; record its path there, because it is the value of ssl.truststore.location in the configuration file the client uses to connect to the Kafka instance. The CA private key ca-key is not needed by either side: keep it where the CA was created and do not copy it to the client or upload it to the instance.

Step 2: Generate Certificates for the Server to Verify the Client

  1. Log in to the Linux server and run the following command to generate the client key pair and store it in the client.keystore.jks keystore:

    keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA

    Enter the keystore password as prompted and record the password for later use.

    The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password. To check whether a password is weak, enter it in 6.

    Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.

    [root@ecs-kafka ~]# keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  Tom
    What is the name of your organizational unit?
      [Unknown]:  test
    What is the name of your organization?
      [Unknown]:  test01
    What is the name of your City or Locality?
      [Unknown]:  nj
    What is the name of your State or Province?
      [Unknown]:  js
    What is the two-letter country code for this unit?
      [Unknown]:  xx
    Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
      [no]:  y

  2. Run the following command to generate a CA. A single CA can sign both the server and the client certificates, so you can reuse the ca-key and ca-cert files from Step 1 and continue with 3. If you generate a second CA instead, note that this command overwrites the ca-key and ca-cert files from Step 1 because the file names are the same; the procedure still works, since client.truststore.jks already contains the Step 1 CA and server.truststore.jks (created in 6) will contain the new one, but keep a copy of the Step 1 CA if you will need to re-sign the server certificate later.

    openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

    Enter the PEM pass phrase for the CA private key as prompted and record it for later use. The pass phrase must contain 4 to 1024 characters.

    Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.

    [root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
    Generating a RSA private key
    ............................................................................................................................................+++++
    ..........+++++
    writing new private key to 'ca-key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:xx
    State or Province Name (full name) []:js
    Locality Name (eg, city) [Default City]:nj
    Organization Name (eg, company) [Default Company Ltd]:test01
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) []:Tom 
    Email Address []:xx
    [root@ecs-kafka ~]#

  3. Run the following command to generate a certificate signing request (CSR) for the key pair in client.keystore.jks created in 1 and save it as client.crt (keytool's -certreq produces a request, not a certificate; the CA signs it in the next step):

    keytool -keystore client.keystore.jks -alias localhost -certreq -file client.crt

    Enter the keystore password set in 1 as prompted.

  4. Run the following command to use the CA private key to sign client.crt and name the signed certificate client-signed.crt:

    openssl x509 -req -CA ca-cert -CAkey ca-key -in client.crt -out client-signed.crt -days 3650 -CAcreateserial

    Enter the PEM pass phrase set in 2 as prompted.

  5. Run the following command to import the CA certificate and client-signed.crt to the keystore:

    keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
    keytool -keystore client.keystore.jks -alias localhost -import -file client-signed.crt

    Enter the keystore password set in 1 as prompted.

    Enter y when the following information is displayed:
    Trust this certificate?

  6. Run the following command to create the server truststore server.truststore.jks and import the CA certificate into it, so that the broker trusts any client certificate signed by this CA:

    keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert

    Enter a password for server.truststore.jks as prompted and record it for later use.

    The password must meet the following requirements:

    • Contains 8 to 32 characters.
    • Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
    • Cannot be a weak password. To check whether a password is weak, enter it in 6.
    Enter y when the following information is displayed:
    Trust this certificate?

  7. Copy server.truststore.jks and client.keystore.jks to the local PC.

    server.truststore.jks replaces the truststore file in the later step Step 3: Enable Mutual SSL Authentication. client.keystore.jks is stored on the client; record its path there, because it is the value of ssl.keystore.location in the configuration file the client uses to connect to the Kafka instance. Any client holding a certificate signed by this CA will be accepted by the broker, so issue client certificates only to clients you intend to authorize and protect ca-key accordingly.
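Steps 1 and 2 above are interactive and generate the CA twice. The script below is an added example, not part of the original page or of DMS for Kafka: it performs both steps non-interactively from a single CA, using the same file names, aliases and distinguished names as the walkthrough, and then checks that each signed certificate chains to the CA and that each truststore holds the CA. The output directory argument, the environment variables STORE_PASS and CA_PASS and their demo default values are assumptions of the example; keytool and openssl must be on the PATH. -genkeypair and -importcert are the current names of the -genkey and -import options used above.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive equivalent of
# Step 1 and Step 2. One CA signs both the server and the client certificate,
# so nothing is overwritten; file names and aliases match the page's walkthrough.
set -eu

DAYS=3650
# Distinguished names copied from the walkthrough. With hostname verification
# disabled on the client (ssl.endpoint.identification.algorithm=), the CN does
# not need to match the broker address.
DNAME="CN=Tom,OU=test,O=test01,L=nj,ST=js,C=xx"
CA_SUBJ="/C=xx/ST=js/L=nj/O=test01/OU=test/CN=Tom"
# Demo passwords (assumption of this example): override them via the environment.
# The keystore/truststore password must satisfy the 8-32 character, three-type rule.
STORE_PASS="${STORE_PASS:-Kafka_mTLS_demo1}"
CA_PASS="${CA_PASS:-ca-demo-passphrase}"

# gen_ca OUTDIR: self-signed CA (item 2); the private key is encrypted with CA_PASS
gen_ca() {
  openssl req -new -x509 -newkey rsa:2048 -days "$DAYS" -subj "$CA_SUBJ" \
    -keyout "$1/ca-key" -out "$1/ca-cert" -passout "pass:$CA_PASS"
}

# make_signed_keystore OUTDIR KEYSTORE NAME: key pair -> CSR -> CA-signed cert
# -> import CA and signed cert (items 1, 3, 4 and 5 of both steps)
make_signed_keystore() {
  out="$1"; ks="$2"; name="$3"
  keytool -genkeypair -keystore "$ks" -alias localhost -validity "$DAYS" -keyalg RSA \
    -keysize 2048 -dname "$DNAME" -storepass "$STORE_PASS" -keypass "$STORE_PASS"
  keytool -certreq -keystore "$ks" -alias localhost -file "$out/$name.crt" \
    -storepass "$STORE_PASS"
  openssl x509 -req -CA "$out/ca-cert" -CAkey "$out/ca-key" -passin "pass:$CA_PASS" \
    -in "$out/$name.crt" -out "$out/$name-signed.crt" -days "$DAYS" -CAcreateserial
  # CARoot first, so keytool can validate the chain of the signed reply
  keytool -importcert -keystore "$ks" -alias CARoot -file "$out/ca-cert" \
    -storepass "$STORE_PASS" -noprompt
  keytool -importcert -keystore "$ks" -alias localhost -file "$out/$name-signed.crt" \
    -storepass "$STORE_PASS" -noprompt
}

# make_truststore OUTDIR TRUSTSTORE: trust only our CA (item 6 of both steps)
make_truststore() {
  keytool -importcert -keystore "$2" -alias CARoot -file "$1/ca-cert" \
    -storepass "$STORE_PASS" -noprompt
}

# verify_chain OUTDIR: both signed certs chain to the CA and both truststores hold it
verify_chain() {
  openssl verify -CAfile "$1/ca-cert" "$1/server-signed.crt" >/dev/null &&
  openssl verify -CAfile "$1/ca-cert" "$1/client-signed.crt" >/dev/null &&
  keytool -list -keystore "$1/client.truststore.jks" -storepass "$STORE_PASS" \
    -alias CARoot >/dev/null 2>&1 &&
  keytool -list -keystore "$1/server.truststore.jks" -storepass "$STORE_PASS" \
    -alias CARoot >/dev/null 2>&1
}

main() {
  out="$1"
  mkdir -p "$out"
  gen_ca "$out"
  # Step 1: server identity, trusted by the client
  make_signed_keystore "$out" "$out/server.keystore.jks" server
  make_truststore "$out" "$out/client.truststore.jks"
  # Step 2: client identity, trusted by the server
  make_signed_keystore "$out" "$out/client.keystore.jks" client
  make_truststore "$out" "$out/server.truststore.jks"
  verify_chain "$out"
  echo "upload to the instance: $out/server.keystore.jks $out/server.truststore.jks"
  echo "store on the client:    $out/client.truststore.jks $out/client.keystore.jks"
}

# Run the pipeline only when an output directory is given:
#   STORE_PASS='...' CA_PASS='...' sh gen-kafka-mtls.sh ./kafka-mtls
if [ $# -ge 1 ]; then
  main "$1"
fi
```

keytool's -dname, -storepass, -keypass and -noprompt replace the prompts shown in the walkthrough, and openssl's -subj, -passout and -passin replace the DN and pass phrase prompts. Because the key password equals the keystore password, the Key Password and Keystore Password asked for in Step 3 are both STORE_PASS. Only ca-cert is imported anywhere; ca-key stays with whoever acts as the CA.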

Step 3: Enable Mutual SSL Authentication

  1. Log in to the console.
  2. Click the region selector in the upper left corner to select a region.

    Select the same region as your application service.

  3. Click the service list icon and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. Click the desired Kafka instance.
  5. In the Connection area, click the toggle next to Mutual SSL Authentication.
  6. In the displayed Mutual SSL Authentication dialog box, set the parameters by referring to Table 1.

    Figure 2 Enabling mutual SSL authentication

    Table 1 Parameters for enabling mutual SSL authentication

    Parameter            Description
    Key Password         Password of the private key in server.keystore.jks. The walkthrough in Step 1 uses the keystore password for the key as well, so enter the password of server.keystore.jks.
    Keystore Password    Password of server.keystore.jks, set in Step 1.
    Keystore File        Upload the server.keystore.jks file generated in Step 1.
    Truststore Password  Password of server.truststore.jks, set in Step 2.
    Truststore File      Upload the server.truststore.jks file generated in Step 2.

    Enabling mutual SSL authentication will restart the instance. Exercise caution.

  7. Click OK.

Step 4: Modify Client Configuration Files

After enabling mutual SSL authentication, change security.protocol from SASL_SSL to SSL and add the client certificate configurations to the consumer.properties and producer.properties files on the client. ssl.keystore.location is the path of client.keystore.jks recorded in Step 2, ssl.keystore.password is its keystore password and ssl.key.password is its key password (the same value in this walkthrough). Two caveats: an empty ssl.endpoint.identification.algorithm disables hostname verification of the broker certificate, which this walkthrough needs because the certificate CN (Tom) does not match the broker address, but it means the client accepts any server certificate signed by the CA in its truststore; and a trailing space after a password value becomes part of the password when Kafka reads the file, so the keystore will not open.

security.protocol=SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=
# Add the following client certificate configurations:
ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
ssl.keystore.password=txxx3
ssl.key.password=txxx3
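The script below is an added example, not part of the original page or of Kafka: it checks a client properties file against the two shapes used on this page, SSL with a client keystore after mutual SSL authentication is enabled, and SASL_SSL without one after it is disabled. Values are read the way java.util.Properties reads them (whitespace before the value dropped, whitespace after it kept, last definition wins), so it catches a trailing space on a password line; it also warns when the empty ssl.endpoint.identification.algorithm has switched hostname verification off and when a keystore path does not exist on the host. The function names and the script name are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check consumer.properties /
# producer.properties for the SSL (mutual SSL on) and SASL_SSL (mutual SSL off) forms.

# _esc KEY: escape the dots in a property name for use in a sed/grep pattern
_esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# has_prop FILE KEY: true if KEY is defined at all, even with an empty value
has_prop() { grep -q "^[[:space:]]*$(_esc "$2")[[:space:]]*=" "$1"; }

# prop FILE KEY: print the value of KEY (empty if undefined); leading whitespace
# after '=' is dropped and trailing whitespace kept, as java.util.Properties does
prop() { sed -n "s/^[[:space:]]*$(_esc "$2")[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }

# hostname_verification_enabled FILE: false only when the key is present and empty,
# which is the ssl.endpoint.identification.algorithm= line on this page; when the
# key is absent the Kafka client default is https, i.e. verification is on
hostname_verification_enabled() {
  if has_prop "$1" ssl.endpoint.identification.algorithm; then
    [ -n "$(prop "$1" ssl.endpoint.identification.algorithm)" ]
  else
    return 0
  fi
}

# check_client_props FILE: returns 0 if the file is consistent with its security.protocol
check_client_props() {
  f="$1"; rc=0
  proto=$(prop "$f" security.protocol)
  for k in ssl.truststore.location ssl.truststore.password; do
    [ -n "$(prop "$f" "$k")" ] || { echo "$f: $k is required" >&2; rc=1; }
  done
  case "$proto" in
    SSL)       # mutual SSL on: the client must present its own certificate
      for k in ssl.keystore.location ssl.keystore.password ssl.key.password; do
        [ -n "$(prop "$f" "$k")" ] || { echo "$f: $k is required with security.protocol=SSL" >&2; rc=1; }
      done ;;
    SASL_SSL)  # mutual SSL off: the page says to delete the client certificate lines
      for k in ssl.keystore.location ssl.keystore.password ssl.key.password; do
        ! has_prop "$f" "$k" || { echo "$f: remove $k with security.protocol=SASL_SSL" >&2; rc=1; }
      done ;;
    *) echo "$f: security.protocol must be SSL or SASL_SSL, got '$proto'" >&2; rc=1 ;;
  esac
  # A trailing space on a password line is part of the password: the store will not open
  for k in ssl.truststore.password ssl.keystore.password ssl.key.password; do
    case "$(prop "$f" "$k")" in
      *[[:space:]]) echo "$f: $k has trailing whitespace" >&2; rc=1 ;;
    esac
  done
  for k in ssl.truststore.location ssl.keystore.location; do
    p=$(prop "$f" "$k")
    [ -z "$p" ] || [ -f "$p" ] || echo "$f: warning: $k=$p does not exist on this host" >&2
  done
  hostname_verification_enabled "$f" ||
    echo "$f: warning: broker hostname verification is disabled (accepts any cert signed by the CA)" >&2
  return "$rc"
}

# Usage: sh check-kafka-client-props.sh producer.properties consumer.properties
for f in "$@"; do
  check_client_props "$f" && echo "$f: OK"
done
```

Run it on both files after every change to them; a non-zero exit means a line is missing, left over from the other mode, or carries trailing whitespace, while the warnings point at settings that are valid but weaker than they could be.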

Disabling Mutual SSL Authentication

  1. Log in to the console.
  2. Click the region selector in the upper left corner to select a region.

    Select the same region as your application service.

  3. Click the service list icon and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. Click the desired Kafka instance.
  5. In the Connection area, click the toggle next to Mutual SSL Authentication.

    Disabling mutual SSL authentication will restart the instance. Exercise caution.

  6. After disabling mutual SSL authentication, change security.protocol back to SASL_SSL and delete the client certificate configurations from the consumer.properties and producer.properties files on the client.

    security.protocol=SASL_SSL
    ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
    ssl.truststore.password=dms@kafka
    ssl.endpoint.identification.algorithm=
    # Delete the following client certificate configurations:
    ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
    ssl.keystore.password=txxx3
    ssl.key.password=txxx3

    security.protocol: security protocol used by the client. When disabling mutual SSL authentication, set this parameter back to SASL_SSL. You do not need to change the values of ssl.truststore.location, ssl.truststore.password, and ssl.endpoint.identification.algorithm.