Configuring the Kafka Broker
The Kafka Broker supports listening on multiple ports and IP addresses. To enable this feature, specify one or more comma-separated values in the listeners property in server.properties.
- Both PLAINTEXT and SSL ports are required if SSL is not enabled for inter-broker communication (see the following subsection for information about enabling inter-broker communication):

      listeners=PLAINTEXT://host.name:port,SSL://host.name:port
- The following SSL configuration settings are needed on the broker side:

      ssl.keystore.location = /var/private/ssl/kafka.server.keystore.jks
      ssl.keystore.password = test1234
      ssl.key.password = test1234
      ssl.truststore.location = /var/private/ssl/kafka.server.truststore.jks
      ssl.truststore.password = test1234
  The following optional settings are available (Property / Description / Value(s)):

  ssl.client.auth
      Description: Specify whether client authentication is required, requested, or not required.
          none: no client authentication.
          required: client authentication is required.
          requested: client authentication is requested, but a client without certs can still connect.
      Note: If you set ssl.client.auth to requested or required, then you must provide a truststore for the Kafka broker. The truststore should contain all CA certificates that are used to sign clients' keys.
      Value(s): none

  ssl.cipher.suites
      Description: Specify one or more cipher suites: named combinations of authentication, encryption, MAC and key exchange algorithms used to negotiate the security settings for a network connection using the TLS or SSL network protocol.

  ssl.enabled.protocols
      Description: Specify the SSL protocols that you will accept from clients. Note: SSL is deprecated; its use in production is not recommended.
      Value(s): TLSv1.2,TLSv1.1,TLSv1

  ssl.keystore.type
      Description: Specify the SSL keystore type.
      Value(s): JKS

  ssl.truststore.type
      Description: Specify the SSL truststore type.
      Value(s): JKS
- To enable SSL for inter-broker communication, add the following setting to the broker properties file (default is PLAINTEXT):

      security.inter.broker.protocol = SSL

- To enable any cipher suites other than the defaults that come with the JVM (see "Java Cryptography documentation"), you will need to install the JCE Unlimited Strength Policy files (download link below).
- Validate the configuration. After you start the broker, you should see the following information in the server.log file:

      with addresses: PLAINTEXT -> EndPoint(192.168.64.1,9092,PLAINTEXT),SSL -> EndPoint(192.168.64.1,9093,SSL)
- To make sure that the server keystore and truststore are set up properly, run the following command:

      openssl s_client -debug -connect localhost:9093 -tls1

  (Note: TLSv1, TLSv1.1, and TLSv1.2 should be listed under ssl.enabled.protocols, since -tls1 forces a TLSv1 handshake.)

  In the openssl output you should see the server certificate; for example:

      Server certificate
      subject=/C=US/ST=CA/L=Santa Clara/O=org/OU=org/CN=JBrown
      issuer=/C=US/ST=CA/L=Santa Clara/O=org/OU=org/CN=kafak/emailAddress=test@test.com

  If the certificate does not display, or if there are any other error messages, then your keystore is not set up properly.
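As an added example (not code from the Kafka project or from this documentation), the following Python script lints a server.properties file against the constraints described on this page: a PLAINTEXT listener must exist while inter-broker traffic is not SSL, the keystore settings must be present, ssl.client.auth set to requested or required needs a truststore, and ssl.enabled.protocols should not admit deprecated SSL versions. The broker names, paths and passwords in the embedded samples are constructed placeholders, and the listener regex assumes PROTOCOL://host:port with no IPv6 literals.

```python
import re

LISTENER_RE = re.compile(r"^(?P<proto>[A-Z_]+)://(?P<host>[^:]*):(?P<port>\d+)$")  # PROTO://host:port
# Constructed sample broker properties; hosts, paths and passwords are placeholders, not real values.
GOOD = """listeners=PLAINTEXT://broker1:9092,SSL://broker1:9093
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
ssl.client.auth=required"""
BAD = """listeners=SSL://broker1:9093
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.client.auth=required"""

def parse_properties(text):
    """Parse Java-style key=value lines; blanks and #/! comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_listeners(value):
    """Return {protocol: (host, port)} from a comma-separated listeners value."""
    result = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        m = LISTENER_RE.match(item)
        if not m:
            raise ValueError(f"malformed listener: {item!r}")
        result[m["proto"]] = (m["host"], int(m["port"]))
    return result

def check_broker_ssl(props):
    """Return findings for the rules on this page; an empty list means they all hold."""
    findings = []
    listeners = parse_listeners(props.get("listeners", ""))
    # Inter-broker traffic defaults to PLAINTEXT, which then needs its own listener.
    if props.get("security.inter.broker.protocol", "PLAINTEXT") != "SSL" and "PLAINTEXT" not in listeners:
        findings.append("inter-broker protocol is PLAINTEXT but no PLAINTEXT listener exists")
    required = ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password")
    findings += [f"missing required setting {k}" for k in required if not props.get(k)]
    client_auth = props.get("ssl.client.auth", "none")
    if client_auth in ("requested", "required") and not props.get("ssl.truststore.location"):
        findings.append(f"ssl.client.auth={client_auth} requires a truststore")
    protocols = props.get("ssl.enabled.protocols", "TLSv1.2,TLSv1.1,TLSv1").split(",")
    if any(p.strip().startswith("SSL") for p in protocols):
        findings.append("ssl.enabled.protocols allows deprecated SSL protocol versions")
    return findings
```

Run check_broker_ssl(parse_properties(open("server.properties").read())) against a real broker file; an empty result means every rule above is satisfied.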