You must specify certain configuration properties when your Kafka data load operation accesses a secured Confluent Schema Registry service. GPSS exposes these properties in the AVRO_OPTION:
block of the version 2 Kafka load configuration file, and the avro:
block of the version 3 (beta) Kafka load configuration file.
You can specify the following version 2 configuration properties to identify the certificates and keys required to access an SSL-secured schema registry service:
NoteThe version 3 configuration property names are lowercase.
1.0
; you can specify 1.0
, 1.1
, 1.2
, or 1.3
.The schema registry's ssl.client.auth
property controls client authentication requirements for the service:
ssl.client.auth=false
for the registry, you need only specify the SCHEMA_CA_ON_GPDB
.ssl.client.auth=true
for the registry, you must also specify SCHEMA_CERT_ON_GPDB
and SCHEMA_KEY_ON_GPDB
in addition to the SCHEMA_CA_ON_GPDB
.All certificate and key files must reside in the specified location on all Greenplum Database segment hosts.
Be sure to also specify the SCHEMA_MIN_TLS_VERSION
if the default value of 1.0
is not sufficient for your requirements.
Take the following into consideration when you use GPSS to access an SSL-secured Kafka schema registry:
SCHEMA_REGISTRY_ADDRESS
, GPSS supports specifying only a single set of SSL certificate and key properties. GPSS uses the specified (same) CA, certificate, and key regardless of the registry accessed.