Enabling SSL for Apache Kafka Wire Protocol Service

Describes the security protocol values that are needed to enable SSL for Apache Kafka Wire Protocol Service.

Data Access Gateway 5.1 and later added SSL support for the Apache Kafka Wire Protocol Service. This section provides examples for configuring /opt/mapr/data-access-gateway/conf/kafka-server.conf to enable SASL_SSL and SSL security in server-side and client-side configurations.

New Security Protocol Values

Release 7.2.0 and later support two new values for the security-protocol parameter of kafka-server.conf:
  • SASL_SSL
  • SSL
When you specify the SASL_SSL value, you must also specify the corresponding sasl-mechanism value as indicated in the following table:

  security-protocol   sasl-mechanism   Enables
  -----------------   --------------   -------
  SASL_SSL            PLAIN (1)        Username/password-based (PAM) client authentication with SSL encryption and one-way SSL server authentication.
  SSL                 (unspecified)    SSL authentication (two-way mutual SSL authentication) and SSL encryption.

  (1) PLAIN is the only mechanism currently supported.

SASL_SSL Server-Side Configuration Example

Here is a typical SASL_SSL server-side configuration example:
kafka.server = {
  rpc = {
    # TCP port for the Kafka Wire protocol service. Default is 9092
    port = 9092

    # Configures authentication and encryption schemes
    # Supported values are PLAINTEXT|SASL_PLAINTEXT|SASL_SSL|SSL
    # To enable authentication, set to SASL_PLAINTEXT, SASL_SSL or SSL
    # Encryption is supported for SASL_SSL and SSL
    security-protocol = SASL_SSL

    # Configures list of SASL authentication mechanisms
    # The only supported mechanism in this release is PLAIN
    # Effective only if "security-protocol" is set to SASL_PLAINTEXT or SASL_SSL
    sasl-mechanism = PLAIN
  } 
}

SASL_SSL Client-Side Configuration

Configure the SASL_SSL client the same way as for Apache Kafka. In this configuration the client uses /opt/mapr/conf/ssl_truststore to verify the server certificate (one-way SSL server authentication); the client itself is authenticated by the PLAIN username and password carried inside the encrypted connection. The example enables TLSv1.1 and TLSv1 alongside TLSv1.2; both older versions are deprecated (RFC 8996), so restrict ssl.enabled.protocols to TLSv1.2 unless a legacy client requires otherwise. Because sasl.jaas.config holds the password in clear text, restrict read access to the properties file. For example:
security.protocol=SASL_SSL
ssl.truststore.location=/opt/mapr/conf/ssl_truststore
ssl.truststore.password=<some_password>
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="user1" password="user1";

SSL Server-Side Configuration

To make the SSL protocol work correctly in a server-side configuration, the cluster administrator MUST specify the rpc.ssl.principal-mapping-rules in the server config file. For example:
kafka.server = {
  rpc = {
    # TCP port for the Kafka Wire protocol service. Default is 9092
    port = 9092

    # Configures authentication and encryption schemes
    # Supported values are PLAINTEXT|SASL_PLAINTEXT|SASL_SSL|SSL
    # To enable authentication, set to SASL_PLAINTEXT, SASL_SSL or SSL
    # Encryption is supported for SASL_SSL and SSL
    security-protocol = SSL

    ssl.principal-mapping-rules = [
      "RULE:^CN=.*O=(.*?),.*$/$1/L,",
      "DEFAULT"
    ]
  }
}
The ssl.principal-mapping-rules parameter specifies a list of mapping rules that are tried in order. Each rule has the form RULE:<regex>/<replacement>/[L|U]: the regex must match the whole distinguished name (DN) of the client certificate, $1, $2, ... in the replacement insert the capture groups, and a trailing L or U lowercases or uppercases the result. DEFAULT passes the full DN through unchanged and should be the last entry. The rule in the example captures the O= (organization) value of the DN and lowercases it, so every client certificate issued under the same organization maps to the same principal; capture the CN instead if each certificate must keep its own identity. For information about how to configure the mapping rules, see Customizing the SSL User Name in the Kafka documentation.
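The following is an added example, not code from the Data Access Gateway or from Apache Kafka. It reimplements the rule semantics described above (RULE:<regex>/<replacement>/[L|U], DEFAULT, first match wins, whole-DN match) in Python so that a rule list can be tested against sample DNs before it is deployed. The DNs, the alternative CN-based rule list and the function names are assumptions made for the example; the first rule list is the one from the server-side configuration on this page.

```python
import re

# Added example, not code from the Data Access Gateway or Apache Kafka. It applies the
# rule syntax of Kafka's ssl.principal.mapping.rules (RULE:<regex>/<replacement>/[L|U]
# and DEFAULT) to certificate DNs so a rule list can be tested before it is deployed.

# A rule: "RULE:" + regex + "/" + replacement + "/" + optional L or U. Neither the regex
# nor the replacement may contain an unescaped "/".
_RULE_RE = re.compile(r"^RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?)$")


def parse_rules(rules):
    """Compile a rule list; each entry is 'DEFAULT' or 'RULE:<regex>/<replacement>/[L|U]'."""
    compiled = []
    for raw in rules:
        text = raw.strip().rstrip(",")  # a trailing comma, as in the page's example, is ignored
        if text == "DEFAULT":
            compiled.append(None)
            continue
        m = _RULE_RE.match(text)
        if not m:
            raise ValueError(f"malformed rule: {raw!r}")
        regex, replacement, case_flag = m.groups()
        # Java writes capture groups as $1; Python's Match.expand expects \1
        py_replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
        compiled.append((re.compile(regex), py_replacement, case_flag))
    return compiled


def map_principal(dn, compiled_rules):
    """Return the principal name for a certificate DN using the first rule that matches.
    A RULE must match the whole DN; DEFAULT returns the DN unchanged; no match is an error."""
    for rule in compiled_rules:
        if rule is None:
            return dn
        regex, replacement, case_flag = rule
        m = regex.fullmatch(dn)
        if m is None:
            continue
        result = m.expand(replacement)
        if case_flag == "L":
            return result.lower()
        if case_flag == "U":
            return result.upper()
        return result
    raise ValueError(f"no mapping rule matched DN {dn!r}")


# Rule list from the server-side example on this page: O= value, lowercased, then DEFAULT
PAGE_RULES = parse_rules(["RULE:^CN=.*O=(.*?),.*$/$1/L,", "DEFAULT"])
# Assumed alternative that keeps one principal per certificate by capturing the CN
CN_RULES = parse_rules(["RULE:^CN=(.*?),.*$/$1/L", "DEFAULT"])

# Constructed sample DNs in the comma-separated form the rules are matched against
SAMPLE_DNS = [
    "CN=client1,OU=Dev,O=ExampleCorp,C=US",
    "CN=client2,OU=Ops,O=ExampleCorp,C=US",  # same O= as client1: same principal under PAGE_RULES
    "CN=nobody,C=US",                         # no O= component: falls through to DEFAULT
    "CN=x,O=Last",                            # O= is the final RDN, so the rule's ',' never matches
]


def demo():
    """Map every sample DN with both rule lists; returns {dn: (page_rule_result, cn_rule_result)}."""
    return {dn: (map_principal(dn, PAGE_RULES), map_principal(dn, CN_RULES)) for dn in SAMPLE_DNS}


if __name__ == "__main__":
    for dn, (by_org, by_cn) in demo().items():
        print(f"{dn:40}  page rule -> {by_org:22}  CN rule -> {by_cn}")
```

Running the block shows the identity collapse the prose warns about: client1 and client2 both become examplecorp under the page's rule, while the CN rule keeps them distinct. It also shows that a DN whose O= is the last RDN does not match the page's regex at all (the regex requires a comma after the captured value) and so falls through to DEFAULT, that is, to the full DN string.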

SSL Client-Side Configuration

Configure the SSL client the same way as for Apache Kafka. The client uses /opt/mapr/conf/ssl_truststore to verify the server certificate, and presents the certificate and private key from its own keystore (ssl.keystore.location) so that the server can authenticate it in turn. For the server to accept that certificate, add the CA that issued the client certificate to /opt/mapr/conf/ssl_truststore; both the server and the client use this trust store file. The same note on ssl.enabled.protocols applies here: TLSv1.1 and TLSv1 are deprecated and should be dropped unless a legacy peer requires them.
security.protocol=SSL
ssl.truststore.location=/opt/mapr/conf/ssl_truststore
ssl.truststore.password=<some_password>
ssl.keystore.location=/<client_cert_path>/example_ssl_client_keystore
ssl.keystore.password=<some_password>
ssl.key.password=<some_password>
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
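The following is an added example, not code from the Data Access Gateway or from Apache Kafka, and it serves both the SASL_SSL and the SSL client configurations above. It reads a Kafka client properties file and reports the points a review of those two examples should catch: deprecated TLS versions in ssl.enabled.protocols, a missing trust store, an SSL (mutual TLS) client with no keystore, a SASL_SSL client without the PLAIN mechanism or a sasl.jaas.config, and password fields still holding the page's <some_password> placeholder. The finding codes, the hardened sample configuration and the function names are assumptions made for the example; the first sample is the SASL_SSL client configuration from this page.

```python
import re

# Added example, not code from the Data Access Gateway or Apache Kafka. It parses a Kafka
# client properties file and flags what a review of the SASL_SSL and SSL client examples
# on this page should catch. Finding codes are my own choice.

# Versions retired by RFC 8996 (TLS 1.0 and 1.1) and RFC 7568 (SSLv3)
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value,
    backslash line continuation. Enough for Kafka client configuration files."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_client_config(text):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    p = parse_properties(text)
    findings = []
    proto = p.get("security.protocol", "PLAINTEXT")  # Kafka's default when unset
    if proto not in ("SASL_SSL", "SSL"):
        findings.append(("NO_ENCRYPTION", f"security.protocol={proto} sends traffic in clear"))
        return findings  # the TLS checks below do not apply
    if "ssl.truststore.location" not in p:
        findings.append(("MISSING_TRUSTSTORE", "server certificate cannot be verified"))
    enabled = {v.strip() for v in p.get("ssl.enabled.protocols", "").split(",") if v.strip()}
    weak = sorted(enabled & DEPRECATED_TLS)
    if weak:
        findings.append(("DEPRECATED_TLS", "ssl.enabled.protocols allows " + ", ".join(weak)))
    if proto == "SASL_SSL":
        mech = p.get("sasl.mechanism")
        if mech != "PLAIN":  # the only mechanism the page supports
            findings.append(("SASL_MECHANISM", f"expected PLAIN, got {mech!r}"))
        if "sasl.jaas.config" not in p:
            findings.append(("MISSING_JAAS", "no sasl.jaas.config, client cannot authenticate"))
    else:  # SSL means mutual TLS here: the client must present a certificate and key
        missing = [k for k in ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password")
                   if k not in p]
        if missing:
            findings.append(("MISSING_KEYSTORE", "server cannot authenticate client; missing "
                             + ", ".join(missing)))
    for key, value in p.items():
        if key.endswith(".password") and value.startswith("<"):
            findings.append(("PLACEHOLDER_PASSWORD", f"{key} still holds a placeholder"))
    return findings


# The SASL_SSL client configuration exactly as shown on this page
PAGE_SASL_SSL_CLIENT = """\
security.protocol=SASL_SSL
ssl.truststore.location=/opt/mapr/conf/ssl_truststore
ssl.truststore.password=<some_password>
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="user1" password="user1";
"""

# Constructed hardened SSL (mutual TLS) client: TLSv1.2 only, real secrets, keystore present
HARDENED_SSL_CLIENT = """\
security.protocol=SSL
ssl.truststore.location=/opt/mapr/conf/ssl_truststore
ssl.truststore.password=trust-secret
ssl.keystore.location=/etc/kafka-client/client.jks
ssl.keystore.password=ks-secret
ssl.key.password=ks-secret
ssl.enabled.protocols=TLSv1.2
"""

if __name__ == "__main__":
    for name, cfg in (("page SASL_SSL client", PAGE_SASL_SSL_CLIENT), ("hardened SSL client", HARDENED_SSL_CLIENT)):
        print(name, check_client_config(cfg) or "no findings")
```

Run against the page's SASL_SSL client file the checker reports the deprecated TLS versions and the placeholder trust store password and nothing else; the hardened SSL file produces no findings, while the same file without its three keystore keys is reported as unable to complete mutual authentication.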