Step 5: Configure Kafka clients

Learn how to configure TLS/SSL communication for Kafka clients.

SSL is supported only for the new Kafka producer and consumer APIs. The configurations for SSL are the same for both the producer and consumer.

Before you begin with configuration, you need to acquire keys and signed certificates for all clients.

If client authentication is not required in the broker, the following example shows a minimal configuration:

security.protocol=SSL
ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
ssl.truststore.password=SamplePassword123

If client authentication is required, a keystore must also be created, and its certificate must be signed by a CA. In addition, the following properties must be configured:

ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
ssl.keystore.password=SamplePassword123
ssl.key.password=SamplePassword123

Other configuration settings might also be needed, depending on your requirements and the broker configuration:

  • ssl.provider (Optional). The name of the security provider used for SSL connections. Default is the default security provider of the JVM.

  • ssl.cipher.suites (Optional). A cipher suite is a named combination of authentication, encryption, MAC, and key exchange algorithms used to negotiate the security settings for a network connection using the TLS or SSL network protocol.

  • ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1. This property should list at least one of the protocols configured on the broker side.

  • ssl.truststore.type=JKS

  • ssl.keystore.type=JKS
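
An added example, not part of the original documentation: a small Python audit of a client properties file against the rules above (truststore present, complete keystore settings when the broker requires client authentication, and at least one enabled protocol shared with the broker). The function names, the broker protocol list, and the flagging of TLSv1 and TLSv1.1 (deprecated by RFC 8996) are assumptions of this example; the sample configurations are constructed from the values shown on this page.

```python
# Added example: audit a Kafka client SSL properties file (hypothetical helper names).
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
KEYSTORE_KEYS = ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password")

def parse_properties(text):
    """Parse simple key=value lines; skips blank lines and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_client_config(text, broker_protocols, client_auth_required=False):
    """Return a list of findings; an empty list means nothing was flagged."""
    p = parse_properties(text)
    findings = []
    # This page covers security.protocol=SSL only; other protocols are out of scope.
    if p.get("security.protocol") != "SSL":
        findings.append("security.protocol is not SSL")
    if not p.get("ssl.truststore.location"):
        findings.append("ssl.truststore.location is missing")
    missing = [k for k in KEYSTORE_KEYS if not p.get(k)]
    if client_auth_required and missing:
        findings.append("client auth required but missing: " + ", ".join(missing))
    if "ssl.enabled.protocols" in p:
        enabled = {v.strip() for v in p["ssl.enabled.protocols"].split(",") if v.strip()}
        if not enabled & set(broker_protocols):
            findings.append("no protocol in common with broker")
        weak = sorted(enabled & DEPRECATED)
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
    return findings

# Constructed sample inputs, reusing the property values shown on this page.
MINIMAL = """security.protocol=SSL
ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
ssl.truststore.password=SamplePassword123
"""
WITH_PROTOCOLS = MINIMAL + "ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1\n"

if __name__ == "__main__":
    for name, cfg in (("minimal", MINIMAL), ("with protocols", WITH_PROTOCOLS)):
        print(name, audit_client_config(cfg, ["TLSv1.2"], client_auth_required=True))
```
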