This section explains the procedure for enabling TLS with SCRAM authentication for Edge Kafka.

To enable TLS communication between Kafka Edge and Domain Managers in the VMware Telco Cloud Service Assurance Kubernetes Cluster, execute the following commands.

Procedure

  1. Log in to the deployer VM from which the VMware Telco Cloud Service Assurance Kubernetes Cluster was deployed and export the Kubernetes Cluster configuration file using the following command:
    export KUBECONFIG=<Path to the kubernetes configuration file including the filename>
  2. Fetch the Kafka Edge certificate and password:
    export CLUSTER_NAME=edge
    kubectl get secret $CLUSTER_NAME-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt
    kubectl get secret $CLUSTER_NAME-cluster-ca-cert -o jsonpath='{.data.ca\.password}' | base64 --decode > ca.password
  3. Fetch the Kafka Edge SCRAM password:
    export USER_NAME=kafka-scram-sha-512-client-credentials
    export SCRAM_PASSWORD_FILE_PATH=user-scram.password
    kubectl get secret $USER_NAME -o jsonpath='{.data.password}' | base64 --decode > $SCRAM_PASSWORD_FILE_PATH
    export SCRAM_PASSWORD=`cat $SCRAM_PASSWORD_FILE_PATH`
  4. Copy the Kafka Edge TLS certificate and password files from Step 1 and the Kafka Edge SCRAM password file from Step 2 to the system where Domain Manager is deployed.
  5. Install the Kafka edge certificate in Domain Manager:
    export CERT_FILE_PATH=ca.crt
    export CERT_PASSWORD_FILE_PATH=ca.password
    export KEYSTORE_LOCATION=cacerts
    export PASSWORD=`cat $CERT_PASSWORD_FILE_PATH`
    export CA_CERT_ALIAS=strimzi-kafka-cert
    keytool -noprompt -importcert -alias $CA_CERT_ALIAS -file $CERT_FILE_PATH -keystore $KEYSTORE_LOCATION -keypass $PASSWORD -storepass $PASSWORD
  6. Create a directory called certs under Smarts/local/conf and paste the files under the directory cacerts.
  7. Modify the /etc/hosts file on the systems where the Domain Manager servers are running to update the IP address to Kafka service mapping:
    <IPAddress of Edge Kafka> kafka-edge.
    Note: To identify the Kafka IP address, refer to the → link.
  8. Kafka TLS authentication related information:
    1. Kafka SCRAM user name: kafka-scram-sha-512-client-credentials.
    2. SCRAM_PASSWORD: Contains the Kafka SCRAM password.
    3. */smarts/local/conf/cacerts: Kafka trust store location on the Domain Manager servers (for example: /opt/InCharge/ESM/smarts/local/conf/cacerts).
    4. PASSWORD: Contains the trust store password.
    Note: Delete the following password files after configuring Kafka TLS information in the VMware Telco Cloud Service Assurance user interface domain settings.
    • ca.password
    • user-scram.password
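
The steps that fetch the passwords redirect them into files created with the shell's default umask, and the note above asks for those files to be deleted afterwards. The following helper functions are an added example, not part of the original procedure: the function names are hypothetical, and only the file names ca.password and user-scram.password come from this page.

```shell
#!/bin/sh
# Added example: handling of the password files named in this procedure.
# Function names are hypothetical; file names are taken from the page.
PASSWORD_FILES="ca.password user-scram.password"

# Write stdin to file $1 with owner-only access (mode 600), whatever the
# caller's umask is. Intended use: pipe the "kubectl get secret ... |
# base64 --decode" output from the fetch steps into this function instead
# of redirecting it straight to the file.
write_secret_file() {
    ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# Report each password file in directory $1 that group or others can access.
# Returns 0 when none is exposed, 1 otherwise.
audit_password_files() {
    bad=0
    for f in $PASSWORD_FILES; do
        [ -f "$1/$f" ] || continue
        if [ -n "$(find "$1/$f" -prune \( -perm -040 -o -perm -020 \
                -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
            echo "too permissive: $1/$f"
            bad=1
        fi
    done
    return $bad
}

# Delete the password files in directory $1 (the clean-up in the final note)
# and confirm that none remains. Returns 1 if a file is still present.
purge_password_files() {
    left=0
    for f in $PASSWORD_FILES; do
        rm -f -- "$1/$f"
        if [ -e "$1/$f" ]; then
            echo "still present: $1/$f"
            left=1
        fi
    done
    return $left
}
```

Run the audit and the purge on both the deployer VM and the Domain Manager system, because the copy step leaves a second set of the files there.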