This section explains procedure for enabling TLS with Scram authentication for Edge Kafka .

To enable TLS communication between Kafka Edge and Domain Managers, in the VMware Telco Cloud Service Assurance Kubernetes Cluster, execute the following commands.


  1. Login to the deployer VM from where the VMware Telco Cloud Service Assurance Kubernetes Cluster was deployed and export the Kubernetes Cluster configuration file using the following command:
    export KUBECONFIG=<Path to the kubernetes configuration file including the filename>
  2. Command to fetch the Kafka Edge Certificate and Password:
    export CLUSTER_NAME=edge
    kubectl get secret $CLUSTER_NAME-cluster-ca-cert -o jsonpath='{\.crt}' | base64 --decode > ca.crt
    kubectl get secret $CLUSTER_NAME-cluster-ca-cert -o jsonpath='{\.password}' | base64 --decode > ca.password
  3. Command to fetch the Kafka Edge Scram Password:
    export USER_NAME=kafka-scram-sha-512-client-credentials
    export SCRAM_PASSWORD_FILE_PATH=user-scram.password
    kubectl get secret $USER_NAME -o jsonpath='{.data.password}' | base64 --decode > $SCRAM_PASSWORD_FILE_PATH
  4. Copy the Kafka Edge TLS certificate and password files from Step1 and the Kafka Edge Scram Password file from Step 2, to the system where Domain Manager is deployed.
  5. Install the Kafka edge certificate in Domain Manager:
    export CERT_FILE_PATH=ca.crt
    export CERT_PASSWORD_FILE_PATH=ca.password
    export KEYSTORE_LOCATION=cacerts
    export CA_CERT_ALIAS=strimzi-kafka-cert
    keytool -noprompt -importcert -alias $CA_CERT_ALIAS -file $CERT_FILE_PATH -keystore $KEYSTORE_LOCATION -keypass $PASSWORD -storepass $PASSWORD
  6. Create a directory under Smarts/local/conf called as certs and paste files under the directory cacerts.
  7. Modify the /etc/hosts file where the Domain Manager Servers are running to update the IP address to Kafka Service mapping:
    <IPAddress of Edge Kafka> kafka-edge.
    Note: For identifying the Kafka IP address, please refer the → link.
  8. Kafka TLS authentication related information:
    1. Kafka Scram user name : kafka-scram-sha-512-client-credentials.
    2. SCRAM_PASSWORD : Contains Kafka Scram password.
    3. */smarts/local/conf/cacerts : Kafka trust store location in domain manager servers (For example: /opt/InCharge/ESM/smarts/local/conf/cacerts).
    4. PASSWORD : Contains Trust Store password.
    Note: Delete the following password files after configuring Kafka TLS information in the VMware Telco Cloud Service Assurance user interface domain settings.
    • ca.password
    • user-scram.password