Configure TLS/SSL authentication for Kafka brokers

Kafka supports TLS/SSL client authentication (two-way, or mutual, TLS), in which the broker verifies the client's certificate in addition to the client verifying the broker's. To enable and configure it, you must first enable TLS/SSL encryption and then set the broker's client authentication mode to either required or requested.

TLS/SSL authentication for Kafka brokers is enabled by setting the SSL Client Authentication property to either required or requested. If set to required, every client connecting to the broker must present a certificate that the broker's truststore trusts; clients that present no certificate are rejected during the TLS handshake. If set to requested, the broker asks for a certificate but still accepts clients that do not present one; such clients are not authenticated and connect under Kafka's anonymous principal. A client that presents an untrusted certificate is rejected in both modes. Use requested only as a transitional setting while clients are being issued certificates, and move to required once they all have one.

  • Before you begin, configure TLS/SSL encryption for the Kafka brokers; client authentication builds on that configuration and cannot be enabled without it. For more information, see Configure TLS/SSL encryption for Kafka brokers.
  1. In Cloudera Manager, select the Kafka service.
  2. Go to Configuration.
  3. Find and configure the SSL Client Authentication property based on your cluster and requirements.
    Cloudera Manager Property: SSL Client Authentication
    Description: Client authentication mode for SSL connections (the Kafka broker property ssl.client.auth). This configuration has three valid values: required, requested, and none. If set to required, client authentication is required. If set to requested, client authentication is requested, and clients without certificates can still connect. If set to none, which is the default value, no client authentication is performed.
  4. Configure principal mapping rules:
    1. Find the Kafka Broker Advanced Configuration Snippet (Safety Valve) for kafka.properties property.
    2. Add principal mapping rules.
      For example:
      ssl.principal.mapping.rules=RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L,DEFAULT
      
      Rules are tried in order and the first one whose pattern matches the whole certificate subject DN wins. This example extracts the CN from the DN, lowercases it (the trailing L), and falls back to DEFAULT, which uses the full DN as the principal name, when no CN is present. Note that the capture group [a-zA-Z0-9.]* stops at the first character outside that class, so a CN such as kafka-client is mapped to the principal kafka; if your client CNs contain hyphens or underscores, widen the class (for example to [a-zA-Z0-9._-]*) so that ACLs are applied to the principal you expect.
  5. Click Save Changes.
  6. Restart the Kafka service.
The Kafka brokers are now configured for TLS/SSL authentication.
Next, configure your clients for TLS/SSL authentication so that they present a certificate the broker trusts.
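The following is an added example written for this page, not Kafka's or Cloudera's own code. It emulates the documented semantics of ssl.principal.mapping.rules (RULE:pattern/replacement/[LU] entries tried in order, first full match wins, DEFAULT keeps the DN) with Python's re module in place of java.util.regex, so that a rule destined for the safety valve can be checked against the client certificate subjects it will see before the brokers are restarted. The properties text, the widened rule and the sample DNs are constructed for illustration; the check on ssl.client.auth is a sanity check added here, not something Cloudera Manager performs.

```python
"""Check a Kafka broker's ssl.client.auth setting and dry-run its
ssl.principal.mapping.rules against sample client certificate DNs.

Added example for this page; it mirrors Kafka's documented rule semantics
but is not Kafka's own implementation.
"""
import re

# Constructed stand-in for the Kafka Broker Advanced Configuration Snippet
# (Safety Valve) for kafka.properties, using the rule quoted on the page.
SAFETY_VALVE = """
ssl.client.auth=required
ssl.principal.mapping.rules=RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L,DEFAULT
"""

# Hypothetical widened variant that keeps '-' and '_' in the CN.
WIDENED_RULES = r"RULE:^.*[Cc][Nn]=([a-zA-Z0-9._-]*).*$/$1/L,DEFAULT"

VALID_CLIENT_AUTH = {"required", "requested", "none"}

# One rule entry: RULE:<pattern>/<replacement>/<L|U|nothing>  or  DEFAULT.
# Pattern and replacement may contain any character except an unescaped '/'.
_RULE_RE = re.compile(r"RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?)|DEFAULT")


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_rules(spec):
    """Turn the comma-separated rule list into (pattern, replacement, case) tuples."""
    rules = []
    for m in _RULE_RE.finditer(spec):
        if m.group(0) == "DEFAULT":
            rules.append(None)  # DEFAULT: the principal name is the full DN
        else:
            pattern, replacement, case = m.group(1), m.group(2), m.group(3)
            # java.util.regex writes back-references as $1; Python's re uses \1
            replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
            rules.append((re.compile(pattern), replacement, case))
    if not rules:
        raise ValueError("no valid rules in %r" % spec)
    return rules


def map_principal(dn, rules):
    """Apply rules in order; the first pattern matching the whole DN wins."""
    for rule in rules:
        if rule is None:
            return dn
        pattern, replacement, case = rule
        if pattern.fullmatch(dn):
            name = pattern.sub(replacement, dn)
            if case == "L":
                name = name.lower()
            elif case == "U":
                name = name.upper()
            return name
    # Kafka fails the connection when no rule matches and there is no DEFAULT.
    raise ValueError("no rule matched DN %r" % dn)


def check_broker_config(text):
    """Return (ssl.client.auth value, parsed rules) or raise on a bad setting."""
    props = parse_properties(text)
    auth = props.get("ssl.client.auth", "none")
    if auth not in VALID_CLIENT_AUTH:
        raise ValueError("ssl.client.auth must be one of %s" % sorted(VALID_CLIENT_AUTH))
    rules = parse_rules(props.get("ssl.principal.mapping.rules", "DEFAULT"))
    return auth, rules


if __name__ == "__main__":
    auth, rules = check_broker_config(SAFETY_VALVE)
    print("ssl.client.auth =", auth)
    # Constructed client certificate subjects, in the RFC 2253 form Kafka sees.
    samples = (
        "CN=Producer.Alpha,OU=Eng,O=Example,C=US",
        "CN=kafka-client,OU=Eng,O=Example,C=US",  # '-' outside the class: CN is truncated
        "OU=Eng,O=Example,C=US",                  # no CN: falls through to DEFAULT
    )
    for dn in samples:
        print("%-42s -> %-36s widened: %s" % (
            dn, map_principal(dn, rules), map_principal(dn, parse_rules(WIDENED_RULES))))
```

Running the script shows the page's rule mapping CN=kafka-client to the principal kafka while the widened rule keeps kafka-client, which is the kind of mismatch that silently breaks ACLs once ssl.client.auth is set to required.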