This section explains the procedure for enabling TLS with SCRAM authentication for Edge Kafka.
To enable TLS communication between Kafka Edge and the Domain Managers in the VMware Telco Cloud Service Assurance Kubernetes Cluster, execute the following commands.
Procedure
- Login to the deployer VM from where the VMware Telco Cloud Service Assurance Kubernetes Cluster was deployed and export the Kubernetes Cluster configuration file using the following command:
export KUBECONFIG=<Path to the kubernetes configuration file including the filename>
- Command to fetch the Kafka Edge certificate and password:
export CLUSTER_NAME=edge
kubectl get secret $CLUSTER_NAME-cluster-ca-cert -n kafka-edge -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt
kubectl get secret $CLUSTER_NAME-cluster-ca-cert -n kafka-edge -o jsonpath='{.data.ca\.password}' | base64 --decode > ca.password
- Command to fetch the Kafka Edge SCRAM password:
export USER_NAME=kafka-scram-sha-512-client-credentials
export SCRAM_PASSWORD_FILE_PATH=user-scram.password
kubectl get secret $USER_NAME -n kafka-edge -o jsonpath='{.data.password}' | base64 --decode > $SCRAM_PASSWORD_FILE_PATH
export SCRAM_PASSWORD=$(cat $SCRAM_PASSWORD_FILE_PATH)
- Copy the Kafka Edge TLS certificate and password files from Step 1 and the Kafka Edge SCRAM password file from Step 2 to the system where the Domain Manager is deployed.
- Install the Kafka Edge certificate in the Domain Manager. The following snippet creates a keystore file named cacerts:
export CERT_FILE_PATH=ca.crt
export CERT_PASSWORD_FILE_PATH=ca.password
export KEYSTORE_LOCATION=cacerts
export PASSWORD=$(cat $CERT_PASSWORD_FILE_PATH)
export CA_CERT_ALIAS=strimzi-kafka-cert
keytool -noprompt -importcert -alias $CA_CERT_ALIAS -file $CERT_FILE_PATH -keystore $KEYSTORE_LOCATION -keypass $PASSWORD -storepass $PASSWORD
- Create a directory called certs under /opt/InCharge/SAM/smarts/local/conf/. Move the keystore file cacerts under the certs directory.
Note: The path of the keystore file needs to be provided while configuring Kafka Access Settings. It is not mandatory to store the keystore file under /opt/InCharge/SAM/smarts/local/conf/. It can be any location on the system where the Domain Manager is running.
- Modify the /etc/hosts file where the Domain Manager servers are running to update the IP address to Kafka service mapping:
For TKG deployment:
<Virtual IP address of the VMware Tanzu Kubernetes Grid workload cluster> kafka-edge
For AKS deployment:
<Kafka Edge IP> kafka-edge
For VM Based On-Prem Demo deployment:
<Control Node VM IP> kafka-edge
Note: For identifying the Kafka IP address, see Identify Data Collection Framework and Kafka IP Address and Port Numbers.
- Kafka TLS authentication related information:
- Kafka SCRAM user name: kafka-scram-sha-512-client-credentials.
- SCRAM_PASSWORD: Contains the Kafka SCRAM password.
- */smarts/local/conf/cacerts: Kafka trust store location on the Domain Manager servers (for example: /opt/InCharge/SAM/smarts/local/conf/cacerts).
- PASSWORD: Contains the trust store password.
Note: Delete the following password files after configuring the Kafka TLS information in the VMware Telco Cloud Service Assurance user interface domain settings:
- ca.password
- user-scram.password
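The Domain Manager side of the procedure above (keystore import, /etc/hosts mapping, and the final cleanup of the password files), wrapped in functions that are safe to re-run. This is an added example, not part of the VMware documentation; it assumes ca.crt, ca.password and user-scram.password have already been copied from the deployer VM and that the JRE keytool is on PATH. The hosts helper replaces an existing kafka-edge line instead of appending a duplicate, which the one-line edit in the text does not guard against.

```shell
#!/bin/sh
# Added example (not VMware's own code). Assumes the secret files from the deployer VM
# are present in the working directory and that keytool is available.
set -eu

# Import the Kafka Edge CA into the truststore and confirm the alias is present.
# An existing alias is removed first so a rotated CA replaces, not duplicates, the entry.
import_kafka_ca() {
  cert="$1"; pw_file="$2"; keystore="$3"; alias="${4:-strimzi-kafka-cert}"
  pw=$(cat "$pw_file")
  if keytool -list -keystore "$keystore" -storepass "$pw" -alias "$alias" >/dev/null 2>&1; then
    keytool -delete -alias "$alias" -keystore "$keystore" -storepass "$pw"
  fi
  keytool -noprompt -importcert -alias "$alias" -file "$cert" \
    -keystore "$keystore" -storepass "$pw"
  chmod 600 "$keystore"
  # Fail loudly if the entry did not land in the keystore.
  keytool -list -keystore "$keystore" -storepass "$pw" -alias "$alias" >/dev/null
}

# Add or replace the "<ip> kafka-edge" mapping in a hosts file (default /etc/hosts)
# without duplicating it. Prints the resulting mapping line.
set_kafka_edge_host() {
  ip="$1"; hosts="${2:-/etc/hosts}"; name="kafka-edge"
  tmp=$(mktemp)
  # Keep every line except an existing mapping whose hostname is kafka-edge.
  awk -v n="$name" '!(NF >= 2 && $2 == n)' "$hosts" > "$tmp" 2>/dev/null || true
  printf '%s %s\n' "$ip" "$name" >> "$tmp"
  # Write in place (cat, not mv) so the file keeps its owner and mode.
  cat "$tmp" > "$hosts" && rm -f "$tmp"
  grep -E "^[^#[:space:]]+[[:space:]]+$name\$" "$hosts"
}

# Remove the plaintext password files once the values are entered in the UI,
# as the Note at the end of the procedure requires (shred where available).
remove_password_files() {
  for f in "$@"; do
    [ -e "$f" ] || continue
    shred -u "$f" 2>/dev/null || rm -f "$f"
  done
}
```

Typical use on the Domain Manager host: `import_kafka_ca ca.crt ca.password /opt/InCharge/SAM/smarts/local/conf/certs/cacerts`, then `set_kafka_edge_host <Kafka Edge IP>`, and after the UI settings are saved `remove_password_files ca.password user-scram.password`.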