Enable SSL on Kafka
To install Kafka, follow the steps mentioned below:
Download the Kafka binary .tar.gz, version 0.10.2.1, from the below URL. Extract the tar.gz using the below command:
$ tar -xvf kafka_2.12-0.10.2.1.tgz -C <<installationDir>>
$ cd <<installationDir>>/<<extractedDir>>
To enable SSL on Kafka, follow the steps mentioned below:
Perform the following steps on each node in the cluster:
Generating Node Certificates:
Generate a key pair for each broker. Substitute <DOMAIN_NAME> with your machine's domain name on all nodes, and use the same keystore password, key password and validity on every node. Note that this command does not create a separate certificate authority: it creates a self-signed key pair whose CN is the node's fully qualified hostname, and each node's certificate is trusted directly in the steps that follow.
$ keytool -genkeypair -keystore kafka.keystore -keyalg RSA -alias <<Domain Name>> -dname "CN=$(hostname -f)" -storepass <<password>> -keypass <<password>> -validity 32767
A validity of 32767 days is roughly 90 years; pick a shorter period for production certificates so they can be rotated.
On all the nodes, rename the keystore file to a .jks file.
$ mv kafka.keystore kafka.jks
Export the self-signed certificate on all the nodes (the keystore password is prompted for if it is not passed with -storepass).
$ keytool -export -alias <<Domain name of host>> -keystore kafka.jks -rfc -file selfsigned.cer
Rename selfsigned.cer to selfsigned.pem, including the hostname or IP of the node in the name so the files from different nodes do not collide:
$ mv selfsigned.cer selfsigned<hostname/ip>.pem
Copy the selfsigned.pem file from all the nodes to one of the Kafka servers, where the trust store file will be generated.
$ scp selfsigned<hostip/name>.pem <<Ip_address of Kafka server>>:/path_of_certificate
Import the self-signed certificate of every node into the truststore on the node where the truststore file is being generated (the truststore is created on the first import; use each node's hostname as its alias).
$ keytool -keystore truststore.jks -import -alias <<Hostname_of_the_node>> -file selfsigned<<hostname/ip>>.pem
Copy the truststore files from the server to all the other nodes in the same path.
$scp truststore.jks <hostname/ip of kafka brokers>:/path\_of\_certificate
Place the kafka.jks in the same path as the certificate. Restrict the file permissions of kafka.jks and truststore.jks on all nodes: kafka.jks contains the broker's private key, so make both files readable only by the user the broker runs as rather than world-writable.
$ chmod 600 kafka.jks truststore.jks
Configure SSL on all nodes of the Kafka Cluster
Enable TLS and specify the information required to access the node's certificate.
Add the following information to <<installationDir>>/<<extractedDir>>/config/server.properties on each node:
listeners=SSL://<<hostname>>:9093
advertised.listeners=SSL://<<hostname>>:9093
ssl.keystore.location=<<kafka.jks file location>>
ssl.keystore.password=<<keystore password>>
ssl.key.password=<<key password>>
ssl.truststore.location=<<truststore.jks file location>>
ssl.truststore.password=<<truststore password>>
security.inter.broker.protocol=SSL
With these settings brokers authenticate to clients and to each other, but clients are not required to present a certificate; set ssl.client.auth=required if they must. The <<hostname>> in the listeners must match the CN used when the key pair was generated, otherwise clients that verify hostnames will reject the connection.
Configure the remaining properties in <<installationDir>>/<<extractedDir>>/config/server.properties under the extracted folder. The broker.id must be different for each Kafka broker.
broker.id=<<unique integer per broker>>
log.dirs=<<log directory>>
zookeeper.connect=<<Ip address of zookeeper>>:2181
To start the Kafka servers on all nodes
$ nohup bin/kafka-server-start.sh config/server.properties &
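The procedure above, carried out end to end for a two-broker cluster, as an added example that is not Gathr's or Apache Kafka's own tooling: one self-signed key pair per broker, one shared truststore holding every broker certificate, owner-only permissions on the key material, and the SSL fragment of server.properties. The hostnames kafka1.example.com and kafka2.example.com, the password "changeit", the ZooKeeper address and the /etc/kafka/ssl install path are assumptions for illustration; a JDK (keytool) must be on PATH.

```shell
#!/usr/bin/env bash
# Added example (not Gathr's or Apache Kafka's own tooling). Performs the
# page's procedure for a whole cluster: one self-signed key pair per broker,
# one shared truststore with every broker certificate, owner-only file
# permissions, and the SSL fragment of server.properties. Hostnames, the
# password "changeit", the ZooKeeper address and /etc/kafka/ssl are assumptions.
set -eu

# Generate a self-signed RSA key pair for one broker. The CN is the broker's
# FQDN so that clients which verify hostnames accept the certificate.
make_node_keystore() {   # <outdir> <fqdn> <password> <validity_days>
  local outdir=$1 fqdn=$2 pass=$3 days=$4
  mkdir -p "$outdir"
  keytool -genkeypair -keystore "$outdir/kafka.jks" -keyalg RSA -keysize 2048 \
    -alias "$fqdn" -dname "CN=$fqdn" -storepass "$pass" -keypass "$pass" \
    -validity "$days" >/dev/null 2>&1
  chmod 600 "$outdir/kafka.jks"   # holds the private key: owner-only, never 777
  # Export the public certificate (PEM) for the other brokers to trust.
  keytool -exportcert -alias "$fqdn" -keystore "$outdir/kafka.jks" \
    -storepass "$pass" -rfc -file "$outdir/selfsigned-$fqdn.pem" >/dev/null 2>&1
}

# Import each broker certificate into one truststore, aliased by FQDN.
build_truststore() {     # <truststore_path> <password> <pem_file>...
  local ts=$1 pass=$2 pem name; shift 2
  for pem in "$@"; do
    name=$(basename "$pem" .pem); name=${name#selfsigned-}
    keytool -importcert -noprompt -keystore "$ts" -storepass "$pass" \
      -alias "$name" -file "$pem" >/dev/null 2>&1
  done
  chmod 600 "$ts"
}

# Number of trusted certificates in a truststore; confirms every broker made
# it in before the file is copied to the other nodes.
truststore_entry_count() {   # <truststore_path> <password>
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c trustedCertEntry || true
}

# Write the SSL-related part of server.properties for one broker.
write_ssl_properties() {   # <outfile> <fqdn> <keystore> <truststore> <password> <broker_id> <zk>
  local out=$1 fqdn=$2 ks=$3 ts=$4 pass=$5 id=$6 zk=$7
  cat > "$out" <<EOF
broker.id=$id
listeners=SSL://$fqdn:9093
advertised.listeners=SSL://$fqdn:9093
security.inter.broker.protocol=SSL
ssl.keystore.location=$ks
ssl.keystore.password=$pass
ssl.key.password=$pass
ssl.truststore.location=$ts
ssl.truststore.password=$pass
zookeeper.connect=$zk
EOF
  chmod 600 "$out"   # the file carries the keystore passwords
}

# Run the whole procedure for a constructed two-broker cluster under <workdir>.
# In a real rollout each broker runs make_node_keystore itself and the PEMs are
# scp'd to one node; here everything is local so it runs offline.
demo_two_broker_cluster() {   # <workdir>
  local work=$1 pass=changeit zk=zk1.example.com:2181
  local hosts="kafka1.example.com kafka2.example.com" h id=0
  for h in $hosts; do
    make_node_keystore "$work/$h" "$h" "$pass" 825
  done
  build_truststore "$work/truststore.jks" "$pass" "$work"/*/selfsigned-*.pem
  for h in $hosts; do
    id=$((id + 1))
    cp "$work/truststore.jks" "$work/$h/truststore.jks"
    write_ssl_properties "$work/$h/server-ssl.properties" "$h" \
      /etc/kafka/ssl/kafka.jks /etc/kafka/ssl/truststore.jks "$pass" "$id" "$zk"
  done
}

if [ "${1:-}" = demo ]; then demo_two_broker_cluster "${2:-./kafka-ssl}"; fi
```

Run it as `bash kafka-ssl.sh demo /tmp/kafka-ssl` and copy each broker's directory to /etc/kafka/ssl on that host. Once a broker is up, `openssl s_client -connect kafka1.example.com:9093 -CAfile selfsigned-kafka1.example.com.pem </dev/null` should report "Verify return code: 0 (ok)"; any other code means the listener is not serving the certificate you expect.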
Additional Certificates on SSL Enabled Kafka
If you want to use a Kafka Alert operator in the Workflow, It requires an additional CA File, a Cert File, and a Key File.
Follow the steps below to generate these files:
Get the keystore .jks file that you generated while enabling SSL on Kafka in the earlier steps. Open a terminal and get the alias name by running the below command:
keytool -list -rfc -keystore keystore.jks
Extract the client certificate.
keytool -exportcert -alias <alias\_name> -keystore keystore.jks -rfc -file certificate.pem
Extract the client key.
keytool -v -importkeystore -srckeystore keystore.jks -srcalias <alias\_name> -destkeystore cert\_and\_key.p12 -deststoretype PKCS12
The following command will print the key. Copy and paste the output into a key.pem file. Because of -nodes the key is written unencrypted, so restrict the file to the owner and do not leave it in shell history or scrollback.
openssl pkcs12 -in cert_and_key.p12 -nocerts -nodes
At last, extract the CARoot certificate. In the self-signed setup above each node's certificate is its own root, so this exports the same certificate as certificate.pem; if the brokers' certificates were signed by a CA, export the CA's entry (from the truststore) instead, because the CA file must contain whatever the client is expected to trust.
keytool -exportcert -alias <alias_name> -keystore keystore.jks -rfc -file CARoot.pem
These steps will generate the following files:
CARoot.pem
certificate.pem
key.pem
You can place these files on the machine where Airflow is deployed and provide their path while creating Kafka Alert Operator.
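The extraction steps above as one script, added here as an example that is not Gathr's own tooling: it reads the alias from the keystore, exports certificate.pem, re-wraps the key pair as PKCS#12, writes the unencrypted key.pem straight into an owner-only file instead of the terminal, derives CARoot.pem, and checks that the key really belongs to the certificate. The alias kafka1.example.com, the password "changeit" and the paths are assumptions; keytool and openssl must be on PATH.

```shell
#!/usr/bin/env bash
# Added example (not Gathr's own tooling). Turns a broker keystore into the
# three PEM files the Kafka Alert operator expects (certificate.pem, key.pem,
# CARoot.pem) and verifies that key and certificate match. Alias, password
# "changeit" and paths are assumptions for illustration.
set -eu

# Print the alias of every private-key entry in a keystore.
keystore_aliases() {   # <keystore> <password>
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^\([^,]*\),.*PrivateKeyEntry.*$/\1/p'
}

# Export certificate.pem, key.pem and CARoot.pem for <alias> into <outdir>.
extract_client_pems() {   # <keystore> <password> <alias> <outdir>
  local ks=$1 pass=$2 alias=$3 out=$4 p12
  mkdir -p "$out"
  p12=$out/cert_and_key.p12
  # 1. Certificate (PEM).
  keytool -exportcert -alias "$alias" -keystore "$ks" -storepass "$pass" \
    -rfc -file "$out/certificate.pem" >/dev/null 2>&1
  # 2. Re-wrap the key pair as PKCS#12 so openssl can read it.
  keytool -importkeystore -noprompt -srckeystore "$ks" -srcstorepass "$pass" \
    -srcalias "$alias" -srckeypass "$pass" -destkeystore "$p12" \
    -deststoretype PKCS12 -deststorepass "$pass" -destkeypass "$pass" >/dev/null 2>&1
  # 3. Private key, unencrypted (-nodes), written to a 0600 file rather than
  #    the terminal. Older keytool versions encrypt the PKCS#12 bags with
  #    RC2/3DES, which OpenSSL 3 only reads with -legacy, hence the fallback.
  (umask 077
   openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem" 2>/dev/null \
     || openssl pkcs12 -legacy -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem" 2>/dev/null)
  rm -f "$p12"
  # 4. The CA file must hold what the client should trust. The node certificate
  #    here is self-signed, so it is its own root; with a CA-signed chain you
  #    would export the CA certificate from the truststore instead.
  cp "$out/certificate.pem" "$out/CARoot.pem"
}

# True when key.pem and certificate.pem carry the same public key.
key_matches_cert() {   # <certificate.pem> <key.pem>
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build a throwaway keystore (same keytool call as the SSL setup) and run the
# extraction so the functions can be exercised offline.
demo_extract() {   # <workdir>
  local work=$1 pass=changeit fqdn=kafka1.example.com
  mkdir -p "$work"
  keytool -genkeypair -keystore "$work/kafka.jks" -keyalg RSA -keysize 2048 \
    -alias "$fqdn" -dname "CN=$fqdn" -storepass "$pass" -keypass "$pass" \
    -validity 825 >/dev/null 2>&1
  extract_client_pems "$work/kafka.jks" "$pass" \
    "$(keystore_aliases "$work/kafka.jks" "$pass")" "$work/pem"
}

if [ "${1:-}" = demo ]; then demo_extract "${2:-./kafka-pem}"; fi
```

For a real keystore call `extract_client_pems /path/kafka.jks <<password>> "$(keystore_aliases /path/kafka.jks <<password>>)" ./pem` and copy the pem directory to the Airflow host; `key_matches_cert` catches the common mistake of pairing a key with a certificate exported from a different node.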