quickstart-ssl

Quick Start SSL

This folder contains a variant of the Quick Start app configured to establish a secure connection with the Kafka broker.

The docker-compose.yml file has been revised to enable support for SSL, as follows:

• broker:

  • Enabling of SSL on port 29094
  • Definition of new environment variables to configure key store, trust store, client authentication, and secrets:
    • KAFKA_SSL_TRUSTSTORE_FILENAME
    • KAFKA_SSL_TRUSTSTORE_CREDENTIALS
    • KAFKA_SSL_KEYSTORE_FILENAME
    • KAFKA_SSL_KEYSTORE_CREDENTIALS
    • KAFKA_SSL_KEY_CREDENTIALS
    • KAFKA_SSL_CLIENT_AUTH

• kafka-connector:

  Adaption of adapters.xml to include the following changes:

  • Update of the parameter bootstrap.servers to the new SSL endpoint (broker:29094):

    <param name="bootstrap.servers">broker:29094</param>

  • Configuration of the encryption settings:

    <param name="encryption.enable">true</param>
    <param name="encryption.protocol">TLSv1.2</param>
    <param name="encryption.hostname.verification.enable">false</param>

  • Configuration of the trust store to authenticate the broker:

    <param name="encryption.truststore.path">secrets/kafka.connector.truststore.jks</param>
    <param name="encryption.truststore.password">kafka-connector-truststore-password</param>

  • Configuration of the key store for client authentication with the broker:

    <param name="encryption.keystore.enable">true</param>
    <param name="encryption.keystore.path">secrets/kafka-connector.keystore.jks</param>
    <param name="encryption.keystore.password">kafka-connector-password</param>
    <param name="encryption.keystore.key.password">kafka-connector-private-keypassword</param>

• producer:

  • Update of the parameter --bootstrap-servers to the new SSL endpoint (broker:29094)
  • Provisioning of the producer.properties configuration file to enable SSL support:

    # Enable SSL
    security.protocol=SSL
    # Trust store configuration to authenticate the broker
    ssl.truststore.location=/usr/app/secrets/producer.truststore.jks
    ssl.truststore.password=producer-truststore-password
    # Key tore configuration for client authentication with the broker
    ssl.keystore.location=/usr/app/secrets/producer.keystore.jks
    ssl.keystore.password=producer-password
    ssl.key.password=producer-password
    # Disable host name verification
    ssl.endpoint.identification.algorithm=

In addition, all services reference the local secrets folder to retrieve their secrets. In particular:

• broker mounts secrets/broker to /etc/kafka/secrets for the following resources:

  • The trust store file broker.truststore.jks
  • The key store file broker.keystore.jks
  • The credentials files broker_keystore_credentials and broker_key_credentials

• kafka-connector mounts secrets/kafka-connector to LS_KAFKA_CONNECTOR_HOME/secrets for the following resources:

  • The trust store file kafka-connector.truststore.jks
  • The key store file kafka-connector.keystore.jks

• producer mounts secrets/producer to /usr/app/secrets for the following resources:

  • The trust store file producer.truststore.jks
  • The key store file producer.keystore.jks

You can regenerate all of them with:

$ ./generate-secrets.sh

Run

From this directory, follow the same instructions you can find in the Quick Start section of the main README file.