Configuring Kafka for SSL

A typical Kafka/Vertica configuration consists of the following steps:

  1. Create a certifying authority certificate.
  2. Create a trust store and key store on your Kafka brokers using your certificate.
  3. Configure the server.properties file on each Kafka broker to use your key store.

Create a Certifying Authority Certificate

If you do not already have one, create a certifying authority certificate, as shown in the following example.

openssl req -new -x509 -keyout ca-key -out ca-cert -days 365

For more information on generating a certificate, refer to the OpenSSL documentation.

Create a Trust Store and Key Store on your Kafka Brokers

You must create a trust store and key store on each of your Kafka brokers.

  1. Create a trust store on your Kafka broker by importing your certificate. The following example shows a typical trust store command.
    keytool -keystore kafka.truststore.jks -alias caroot -import -file ca-cert
  2. Create a key store on your Kafka broker. The following example shows a typical series of key store commands.
    keytool -keystore brokername.keystore.jks -alias brokername -validity 365 -keyalg RSA -genkey
    keytool -keystore brokername.keystore.jks -alias brokername -certreq -file cert-file
    openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial
    keytool -keystore brokername.keystore.jks -alias caroot -import -file ca-cert
    keytool -keystore brokername.keystore.jks -alias brokername -import -file cert-signed
  3. Repeat the key store and trust store configuration process for each Kafka broker, specifying the correct alias and key store name for that broker.
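
One way to check the output of the signing step before pointing a broker at its key store, as an added example that is not part of the original documentation: it confirms that a signed certificate chains to the intended CA and is not close to expiry. The helper names and the throwaway test material are assumptions; the test keys are generated with openssl rather than keytool so the script has no Java dependency.

```shell
# Added example, not from the original page. Helper names are hypothetical.

# verify_broker_cert CA_CERT SIGNED_CERT [MIN_SECONDS_LEFT]
# Returns 0 if SIGNED_CERT chains to CA_CERT and stays valid for at least
# MIN_SECONDS_LEFT seconds (default 30 days); 1 = chain failure, 2 = expiring.
verify_broker_cert() {
    min_left=${3:-2592000}
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -checkend "$min_left" >/dev/null 2>&1 || return 2
    return 0
}

# make_test_ca DIR NAME: throwaway CA with an unencrypted key (test use only).
make_test_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/$2-key" -out "$1/$2-cert" -days 365 2>/dev/null
}

# sign_test_broker DIR CA_NAME BROKER [DAYS]: key, CSR and CA-signed cert,
# mirroring the -certreq and "openssl x509 -req" steps shown above.
sign_test_broker() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$3" \
        -keyout "$1/$3-key" -out "$1/$3-csr" 2>/dev/null &&
    openssl x509 -req -CA "$1/$2-cert" -CAkey "$1/$2-key" -CAcreateserial \
        -in "$1/$3-csr" -out "$1/$3-signed" -days "${4:-365}" 2>/dev/null
}

# Demo on constructed material: one broker certificate checked against the
# CA that signed it and against an unrelated CA.
demo() {
    d=$(mktemp -d) || return 1
    make_test_ca "$d" ca-a && make_test_ca "$d" ca-b &&
        sign_test_broker "$d" ca-a broker1 || { rm -rf "$d"; return 1; }
    good=0; verify_broker_cert "$d/ca-a-cert" "$d/broker1-signed" || good=$?
    wrong=0; verify_broker_cert "$d/ca-b-cert" "$d/broker1-signed" || wrong=$?
    rm -rf "$d"
    echo "signing CA: $good, unrelated CA: $wrong"
}
demo
```

On a real broker, run `verify_broker_cert ca-cert cert-signed` against the files produced by the commands above.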

Configure the server.properties File on Each Kafka Broker to Use Your Key Store

You can pass SSL configuration information from your Kafka broker to Vertica by including user-defined session parameters in your server.properties file. For more information on configuring your server.properties file, refer to the Apache Kafka documentation.

kafka_Enable_SSL=1
kafka_SSL_CA=<Certifying Authority contents>
kafka_SSL_Certificate=<Certificate contents>
kafka_SSL_PrivateKey_secret=<Private Key contents>
kafka_SSL_PrivateKeyPassword_secret=<Private Key password>