Configuring Mutual SSL Authentication for Kafka
Mutual SSL authentication verifies the certificates of both the client and server during communication. This ensures that both parties involved in the communication are trusted.
Enable mutual SSL authentication to achieve high security.
To use mutual SSL authentication, contact the support personnel to enable it for you.
Enabling or disabling mutual SSL authentication will restart the instance. Exercise caution.
Figure 1 shows the overall procedure for configuring mutual SSL authentication.
Prerequisites
- A Linux server is available. Java Development Kit 1.8.111 or later must be installed on the server, and the JAVA_HOME and PATH environment variables must be configured.
- Kafka SASL_SSL has been enabled for the instance.
Step 1: Generate Certificates for the Client to Verify the Server
- Log in to the Linux server and run the following command to generate a keystore for the server.keystore.jks certificate:
keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA
Enter the keystore password as prompted and record the password for later use.
The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.
[root@ecs-kafka ~]# keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]: Tom
What is the name of your organizational unit?
  [Unknown]: test
What is the name of your organization?
  [Unknown]: test01
What is the name of your City or Locality?
  [Unknown]: nj
What is the name of your State or Province?
  [Unknown]: js
What is the two-letter country code for this unit?
  [Unknown]: xx
Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
  [no]: y
- Run the following command to generate a CA:
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Enter the PEM password as prompted and record the password for later use.
The password must meet the following requirements: 4 to 1024 characters.
Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.
[root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Generating a RSA private key
............................................................................................................................................+++++
..........+++++
writing new private key to 'ca-key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xx
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:nj
Organization Name (eg, company) [Default Company Ltd]:test01
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:Tom
Email Address []:xx
[root@ecs-kafka ~]#
- Run the following command to export the certificate from the server.keystore.jks file generated in 1 and name the certificate server.crt:
keytool -keystore server.keystore.jks -alias localhost -certreq -file server.crt
Enter the keystore password set in 1 as prompted.
- Run the following command to use the CA private key to sign server.crt and name the signed certificate server-signed.crt:
openssl x509 -req -CA ca-cert -CAkey ca-key -in server.crt -out server-signed.crt -days 3650 -CAcreateserial
Enter the PEM password set in 2 as prompted.
- Run the following command to import the CA certificate and server-signed.crt to the keystore:
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file server-signed.crt
Enter the keystore password set in 1 as prompted.
Enter y when the following information is displayed: Trust this certificate?
- Run the following command to enable the client to trust the server certificate:
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
Enter the password of client.truststore.jks as required and record the password for later use.
The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter y when the following information is displayed: Trust this certificate?
- Export the client.truststore.jks and server.keystore.jks certificates to the local PC.
The server.keystore.jks file replaces the keystore file in the later step Enable Mutual SSL Authentication. client.truststore.jks must be stored on the client; record its storage path, which is the value of ssl.truststore.location in the configuration file the client uses to connect to the Kafka instance.
Step 2: Generate Certificates for the Server to Verify the Client
- Log in to the Linux server and run the following command to generate a keystore for the client.keystore.jks certificate:
keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA
Enter the keystore password as prompted and record the password for later use.
The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.
[root@ecs-kafka ~]# keytool -genkey -keystore client.keystore.jks -alias localhost -validity 3650 -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]: Tom
What is the name of your organizational unit?
  [Unknown]: test
What is the name of your organization?
  [Unknown]: test01
What is the name of your City or Locality?
  [Unknown]: nj
What is the name of your State or Province?
  [Unknown]: js
What is the two-letter country code for this unit?
  [Unknown]: xx
Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
  [no]: y
- Run the following command to generate a CA:
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Enter the PEM password as prompted and record the password for later use.
The password must meet the following requirements: 4 to 1024 characters.
Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.
[root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Generating a RSA private key
............................................................................................................................................+++++
..........+++++
writing new private key to 'ca-key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xx
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:nj
Organization Name (eg, company) [Default Company Ltd]:test01
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:Tom
Email Address []:xx
[root@ecs-kafka ~]#
- Run the following command to export the certificate from the client.keystore.jks file generated in 1 and name the certificate client.crt:
keytool -keystore client.keystore.jks -alias localhost -certreq -file client.crt
Enter the keystore password set in 1 as prompted.
- Run the following command to use the CA private key to sign client.crt and name the signed certificate client-signed.crt:
openssl x509 -req -CA ca-cert -CAkey ca-key -in client.crt -out client-signed.crt -days 3650 -CAcreateserial
Enter the PEM password set in 2 as prompted.
- Run the following command to import the CA certificate and client-signed.crt to the keystore:
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.keystore.jks -alias localhost -import -file client-signed.crt
Enter the keystore password set in 1 as prompted.
Enter y when the following information is displayed: Trust this certificate?
- Run the following command to enable the server to trust the client certificate:
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
Enter the password of server.truststore.jks as prompted and record the password for later use.
The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter y when the following information is displayed: Trust this certificate?
- Export the server.truststore.jks and client.keystore.jks certificates to the local PC.
The server.truststore.jks file replaces the truststore file in the later step Enable Mutual SSL Authentication. client.keystore.jks must be stored on the client; record its storage path, which is the value of ssl.keystore.location in the configuration file the client uses to connect to the Kafka instance.
Step 3: Enable Mutual SSL Authentication
- Log in to the console.
- Click in the upper left corner to select a region.
Select the same region as your application service.
- Click and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
- Click the desired Kafka instance.
- In the Connection area, click next to Mutual SSL Authentication.
- In the displayed Mutual SSL Authentication dialog box, set the parameters by referring to Table 1.
Figure 2 Enabling mutual SSL authentication
Table 1 Parameters for enabling mutual SSL authentication
- Key Password: Enter the password of server.keystore.jks.
- Keystore Password: Enter the password of server.keystore.jks.
- Keystore File: Import the server.keystore.jks certificate.
- Truststore Password: Enter the password of server.truststore.jks.
- Truststore File: Import the server.truststore.jks certificate.
Enabling mutual SSL authentication will restart the instance. Exercise caution.
- Click OK.
Step 4: Modify Client Configuration Files
After enabling mutual SSL authentication, modify the server certificate configuration and add the client certificate configurations in the consumer.properties and producer.properties files on the client.
security.protocol=SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=
# Add the following client certificate configurations:
ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
ssl.keystore.password=txxx3
ssl.key.password=txxx3
- security.protocol: certificate protocol type. When enabling mutual SSL authentication, set this parameter to SSL.
- ssl.truststore.location: path for storing the client.truststore.jks certificate.
- ssl.truststore.password: password of client.truststore.jks.
- ssl.endpoint.identification.algorithm: whether to verify the certificate's domain name. This parameter must be left blank, which disables domain name verification; the client then identifies the server solely through the CA certificate in client.truststore.jks.
- ssl.keystore.location: path for storing the client.keystore.jks certificate.
- ssl.keystore.password: password of client.keystore.jks.
- ssl.key.password: password of client.keystore.jks.
Disabling Mutual SSL Authentication
- Log in to the console.
- Click in the upper left corner to select a region.
Select the same region as your application service.
- Click and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
- Click the desired Kafka instance.
- In the Connection area, click next to Mutual SSL Authentication.
Disabling mutual SSL authentication will restart the instance. Exercise caution.
- After disabling mutual SSL authentication, modify the server certificate protocol and delete the client certificate configurations in the consumer.properties and producer.properties files on the client.
security.protocol=SASL_SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=
# Delete the following client certificate configurations:
ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
ssl.keystore.password=txxx3
ssl.key.password=txxx3
security.protocol: certificate protocol type. When disabling mutual SSL authentication, set this parameter to SASL_SSL. You do not need to change the values of ssl.truststore.location, ssl.truststore.password, and ssl.endpoint.identification.algorithm.
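As an added example (not part of this page or of DMS for Kafka), the following Python checker reads a client properties file in the layout shown in Step 4 and in the disabling step above, applies the keystore password rules from Steps 1 and 2 to the password values, and reports the blank ssl.endpoint.identification.algorithm so that disabled domain name verification is a deliberate choice. The sample properties and passwords are constructed; the weak-password dictionary check the page refers to is not reproduced.

```python
from typing import Dict, List

SPECIALS = r"""`-!@#$%^&*()-_=+\|[{}]:'",<.>/?"""  # special characters from the page's password rules

# Constructed sample (not the page's values): the Step 4 layout with made-up passwords.
SAMPLE_MUTUAL = """\
security.protocol=SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=Trust#Store2024
ssl.endpoint.identification.algorithm=
# client certificate configurations
ssl.keystore.location=/var/private/ssl/kafka/client.keystore.jks
ssl.keystore.password=-short
ssl.key.password=-short
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: skip blank/comment lines, split on the first '='."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def password_meets_policy(pw: str) -> bool:
    """8-32 chars, no leading hyphen, at least three of: letters, digits, spaces, specials."""
    if not 8 <= len(pw) <= 32 or pw.startswith("-"):
        return False
    classes = [any(c.isalpha() for c in pw), any(c.isdigit() for c in pw),
               " " in pw, any(c in SPECIALS for c in pw)]
    return sum(classes) >= 3

def check_client_config(props: Dict[str, str], mutual: bool = True) -> List[str]:
    """Findings for a mutual-SSL client (mutual=True) or a SASL_SSL-only client (mutual=False)."""
    findings: List[str] = []
    want = "SSL" if mutual else "SASL_SSL"
    if props.get("security.protocol") != want:
        findings.append(f"security.protocol should be {want}, found {props.get('security.protocol')!r}")
    keystore_keys = ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password")
    required = ["ssl.truststore.location", "ssl.truststore.password"] + (list(keystore_keys) if mutual else [])
    findings += [f"missing {k}" for k in required if not props.get(k)]
    if not mutual:  # the disabling step deletes these; leftovers are a misconfiguration
        findings += [f"stale client certificate setting {k}" for k in keystore_keys if k in props]
    # Kafka defaults this to "https"; the blank value the page requires disables hostname verification.
    if props.get("ssl.endpoint.identification.algorithm", "https") == "":
        findings.append("hostname verification disabled (ssl.endpoint.identification.algorithm is blank)")
    for k in ("ssl.truststore.password", "ssl.keystore.password", "ssl.key.password"):
        if k in props and not password_meets_policy(props[k]):
            findings.append(f"{k} does not meet the keystore password rules")
    return findings
```

Run it against your own consumer.properties and producer.properties before and after toggling mutual SSL authentication; an empty list means the file matches the expected layout for that mode.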