This section describes the configuration of Kafka SASL_SSL authentication.

Procedure

  1. Add/Update the below files in /KAFKA_HOME/config directory.
    1. server.properties
      listeners=SASL_SSL://<ip-address>:9092
      advertised.listeners=SASL_SSL://<ip-address>:9092
      
      sasl.enabled.mechanisms=PLAIN
      sasl.mechanism.inter.broker.protocol=PLAIN
      security.inter.broker.protocol=SASL_PLAINTEXT
      ssl.endpoint.identification.algorithm=HTTPS
      
      authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
      
      allow.everyone.if.no.acl.found=true
      
      auto.create.topics.enable=false
      
      ssl.keystore.location=/KAFKA_HOME/config/server.keystore.jks
      ssl.keystore.password=<password>
      ssl.key.password=<password>
      ssl.truststore.location=/KAFKA_HOME/config/server.truststore.jks
      ssl.truststore.password=<password>
      
      ssl.client.auth=required
      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
      ssl.keystore.type=JKS
      ssl.truststore.type=JKS
      ssl.secure.random.implementation=SHA1PRNG
    2. zookeeper.properties
      authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
      requireClientAuthScheme=sasl
    3. consumer.properties
      sasl.mechanism=PLAIN
      security.protocol=SASL_SSL
      sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
         username="admin" \
         password="admin-secret";
      
      ssl.truststore.location=/KAFKA_HOME/config/client.truststore.jks
      ssl.truststore.password=<password>
    4. Generating SSL certificates.

      Create the certificates in /KAFKA_HOME/config

      keytool -keystore server.keystore.jks -alias <alias> -validity 365 -genkey -keyalg RSA -ext SAN=DNS:<hostname>,DNS:<fqdn>,DNS:localhost,IP:<IP-ADDRESS>,IP:127.0.0.1
      
      openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 -subj '/CN=<fqdn>'   -extensions san   -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo 'subjectAltName = DNS:localhost, IP:127.0.0.1, DNS:<hostname>, IP:<ip-address>')
      
      keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
      
      keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
      
      keytool -keystore server.keystore.jks -alias <fqdn> -certreq -file cert-file -ext SAN=DNS:<hostname>,DNS:localhost,IP:<ip-address >,IP:127.0.0.1
      
      openssl x509 -req  -extfile <(printf "subjectAltName = DNS:localhost, IP:127.0.0.1, DNS:<fqdn>, IP:<ip-address>") -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:<password>
      
      keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
       
      keytool -keystore server.keystore.jks -alias <alias> -import -file cert-signed.
    5. zookeeper_jaas.conf
      Server {
              org.apache.zookeeper.server.auth.DigestLoginModule required
              user_super="admin-secret"
              user_kafka="kafka-secret";
       };
      
    6. kafka_server_jaas.conf
      KafkaServer {
          org.apache.kafka.common.security.plain.PlainLoginModule required
          username="admin"
          password="admin-secret"
          user_admin="admin-secret";
       };
      
      Client {
          org.apache.zookeeper.server.auth.DigestLoginModule required
          username="kafka"
          password="kafka-secret";
       };
      
  2. Add the zookeeper_jaas.conf file to the environment variable KAFKA_OPTS before starting zookeeper.
    $ export KAFKA_OPTS="-Djava.security.auth.login.config=/KAFKA_HOME/config/zookeeper_jaas.conf"
    $ bin/zookeeper-server-start.sh -daemon config/zookeeper.properties
    
  3. Add the kafka_server_jaas.conf file to the environment variable KAFKA_OPTS before starting kafka server.
    $ export KAFKA_OPTS="-Djava.security.auth.login.config=/KAFKA_HOME/config/kafka_server_jaas.conf"
    bin/kafka-server-start.sh -daemon config/server.properties
    
  4. Configuring the producer
    1. producer.properties
      sasl.mechanism=PLAIN
      security.protocol=SASL_SSL
      sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
         username="admin" \
         password="admin-secret";
      ssl.truststore.location=/KAFKA_HOME/config/client.truststore.jks
      ssl.truststore.password=<password>
      
  5. kafka_client_jaas.conf
    Note: Console operations [for testing purpose only]
    KafkaClient {
      org.apache.kafka.common.security.plain.PlainLoginModule required
      username="admin"
      password="admin-secret";
    };
    Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
      username="kafka"
      password="kafka-secret";
    };
    $ export KAFKA_OPTS="-Djava.security.auth.login.config=/KAFKA_HOME/config/kafka_client_jaas.conf"
    $ ./bin/kafka-console-consumer.sh --bootstrap-server <fqdn/hostname/ip-address>:9092 --topic test_topic --from-beginning --consumer.config config/consumer.properties
    
    $ export KAFKA_OPTS="-Djava.security.auth.login.config=/KAFKA_HOME/config/kafka_client_jaas.conf"
    $ ./bin/kafka-console-producer.sh  --broker-list <fqdn/hostname/ip-address>:9092 --topic test_topic  --producer.config config/producer.properties