This section explains the procedure for enabling TLS with SCRAM authentication for the Edge Kafka.

To enable TLS communication between Kafka Edge and the Domain Managers, run the following commands in the VMware Telco Cloud Service Assurance Kubernetes cluster.

Note: The following procedure for manually generating the TLS certificates for Edge Kafka applies only to the Cisco ACI and VIMS features.

Procedure

  1. Log in to the deployer VM from which the VMware Telco Cloud Service Assurance Kubernetes cluster was deployed and export the path of the Kubernetes cluster configuration file:
    export KUBECONFIG=<Path to the kubernetes configuration file including the filename>
  2. Commands to fetch the Kafka Edge certificate and its password:
    export CLUSTER_NAME=edge
    kubectl get secret $CLUSTER_NAME-cluster-ca-cert -n kafka-edge -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt
    kubectl get secret $CLUSTER_NAME-cluster-ca-cert -n kafka-edge -o jsonpath='{.data.ca\.password}' | base64 --decode > ca.password
  3. Commands to fetch the Kafka Edge SCRAM password:
    export USER_NAME=kafka-scram-sha-512-client-credentials
    export SCRAM_PASSWORD_FILE_PATH=user-scram.password
    kubectl get secret $USER_NAME -n kafka-edge -o jsonpath='{.data.password}' | base64 --decode > $SCRAM_PASSWORD_FILE_PATH
    export SCRAM_PASSWORD=$(cat "$SCRAM_PASSWORD_FILE_PATH")
  4. Copy the Kafka Edge TLS certificate and password files, and the Kafka Edge SCRAM password file, fetched in the preceding steps to the system where the Domain Manager is deployed.
  5. Install the Kafka Edge certificate in the Domain Manager. The following snippet imports the CA certificate into a keystore file named cacerts, creating the file if it does not exist:
    export CERT_FILE_PATH=ca.crt
    export CERT_PASSWORD_FILE_PATH=ca.password
    export KEYSTORE_LOCATION=cacerts
    export PASSWORD=$(cat "$CERT_PASSWORD_FILE_PATH")
    export CA_CERT_ALIAS=strimzi-kafka-cert
    keytool -noprompt -importcert -alias $CA_CERT_ALIAS -file $CERT_FILE_PATH -keystore $KEYSTORE_LOCATION -keypass $PASSWORD -storepass $PASSWORD
  6. Create a directory called certs under /opt/InCharge/SAM/smarts/local/conf/ and move the keystore file cacerts into the certs directory.
    Note: The path of the keystore file must be provided when configuring the Kafka Access Settings. Storing the keystore file under /opt/InCharge/SAM/smarts/local/conf/ is not mandatory; it can be at any location on the system where the Domain Manager is running.
  7. Modify the /etc/hosts file on the servers where the Domain Managers are running to add the IP address to Kafka service mapping for your deployment type:
    For a TKG deployment: <Virtual IP address of the VMware Tanzu Kubernetes Grid workload cluster> kafka-edge
    For an AKS deployment: <Kafka Edge IP> kafka-edge
    For a VM-based on-prem demo deployment: <Control Node VM IP> kafka-edge
    Note: To identify the Kafka IP address, see Identify Data Collection Framework and Kafka IP Address and Port Numbers.
  8. Kafka TLS authentication information required by the Domain Manager:
    1. Kafka SCRAM user name: kafka-scram-sha-512-client-credentials.
    2. SCRAM_PASSWORD: contains the Kafka SCRAM password.
    3. */smarts/local/conf/cacerts: Kafka truststore location on the Domain Manager servers (for example, /opt/InCharge/SAM/smarts/local/conf/cacerts).
    4. PASSWORD: contains the truststore password.
    Note: Delete the following plaintext password files after configuring the Kafka TLS information in the VMware Telco Cloud Service Assurance user interface domain settings:
    • ca.password
    • user-scram.password
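The fetch, import and hosts-file steps above, collected into checked shell functions as an added example (this is not a script shipped by VMware). It assumes kubectl and keytool are on the PATH and KUBECONFIG is already exported; the secret, namespace, alias and file names are the ones used in the procedure, and the "kafka-edge" hostname is replaced in /etc/hosts rather than appended a second time. The main function is only run when the script is invoked with "run <kafka-edge-ip>".

```shell
#!/usr/bin/env bash
# Added example: wraps the procedure above into functions that fail loudly.
# Assumes kubectl and keytool are installed and KUBECONFIG is exported.
set -eu

NAMESPACE=kafka-edge
CLUSTER_NAME=edge
USER_NAME=kafka-scram-sha-512-client-credentials
CA_CERT_ALIAS=strimzi-kafka-cert

# True only if the file exists and is non-empty. Without pipefail, a wrong
# secret name or namespace makes "kubectl ... | base64 --decode > file"
# leave an empty file, and keytool then fails with a confusing error.
require_nonempty() {
  [ -s "$1" ]
}

# Decode one key of a Kubernetes secret into a file created with mode 0600.
fetch_secret_key() { # <secret> <jsonpath key, e.g. 'ca\.crt'> <outfile>
  umask 077
  kubectl get secret "$1" -n "$NAMESPACE" -o "jsonpath={.data.$2}" \
    | base64 --decode > "$3"
  require_nonempty "$3" || { echo "empty secret value: $1/$2" >&2; return 1; }
}

# Import the CA certificate into the truststore and verify the alias exists.
import_ca() { # <ca.crt> <ca.password file> <truststore path>
  local pw
  pw=$(cat "$2")
  keytool -noprompt -importcert -alias "$CA_CERT_ALIAS" -file "$1" \
    -keystore "$3" -storepass "$pw"
  keytool -list -keystore "$3" -storepass "$pw" -alias "$CA_CERT_ALIAS" >/dev/null
}

# Replace any existing kafka-edge mapping in a hosts file instead of
# appending a duplicate line (the IP depends on the deployment type).
update_hosts() { # <kafka-edge ip> <hosts file>
  local tmp
  tmp=$(mktemp)
  grep -v '[[:space:]]kafka-edge$' "$2" > "$tmp" || true
  printf '%s kafka-edge\n' "$1" >> "$tmp"
  cat "$tmp" > "$2" && rm -f "$tmp"
}

main() { # <kafka-edge ip>
  fetch_secret_key "$CLUSTER_NAME-cluster-ca-cert" 'ca\.crt' ca.crt
  fetch_secret_key "$CLUSTER_NAME-cluster-ca-cert" 'ca\.password' ca.password
  fetch_secret_key "$USER_NAME" password user-scram.password
  import_ca ca.crt ca.password cacerts
  update_hosts "$1" /etc/hosts
  # Remove the plaintext passwords once they have been entered in the UI.
  rm -f ca.password user-scram.password
}

if [ "${1:-}" = run ]; then main "$2"; fi
```

Enter the SCRAM password and the truststore password in the domain settings before the final rm removes the files; keep the cacerts file and move it to the configured location.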