Enabling TLS/SSL for the SRM service

TLS/SSL can be enabled and configured for the Streams Replication Manager (SRM) service (Driver and Service roles) with various configuration properties available in Cloudera Manager. Configuring these properties affects the security configuration of SRM in multiple ways.

Both the Driver and Service roles of SRM have a number of TLS/SSL related properties associated with them. A dedicated TLS/SSL feature toggle exists for both roles. These are the Enable TLS/SSL for SRM Driver and Enable TLS/SSL for SRM Service properties. In addition to the feature toggles, there are a number of other properties that can be used to configure key and truststore information.

Configuring the feature toggles and the key/truststore related properties have the following effects on SRM’s security configuration:

The SRM Service role’s REST server becomes secured and uses HTTPS.
The SRM Driver role’s replication specific Connect REST servers become secured and use HTTPS. In addition, client authentication will also be required from any client connecting to these servers.
note
The replication specific Connect REST servers are for internal use only. They enable communication between Driver role instances. Third party clients should not interface with them.
If the deployment has a co-located Kafka cluster and that cluster was configured using a service dependency, both the Service and Driver roles will use the keystore and truststore information when they establish a connection with the co-located Kafka cluster.
Both the Driver and Service roles will use these properties as fallback configurations when establishing a connection to a Kafka cluster.
That is, if there is a Kafka cluster in your configuration that has its protocol specified as SSL, but no trust or keystore information is set for it, the roles will use the truststore and keystore configured with these properties.

Configuring these properties is part of the process of defining and adding clusters described in Defining and adding clusters for replication. Depending on how you set up your co-located cluster, these properties might already be configured.

If you configured the co-located cluster with a service dependency, then these properties are configured in your deployment and no additional steps are needed to enable or configure TLS/SSL.

However, if you chose to set up the co-located cluster with a Kafka credential, these properties might not be configured. Although in a case like this the properties required by SRM to access the co-located cluster will be set, the server functionality of the roles will not be TLS/SSL enabled. Additionally, while not crucial, no fallback properties will be set up for security either. In a case like this Cloudera recommends that you complete the following steps.

In Cloudera Manager, go to Clusters and select the Streams Replication Manager service.
Go to Configuration.

Find and configure the following properties based on your cluster and requirements:

Table 1.
Cloudera Manager Property	Description
Enable TLS/SSL for SRM Driver	Encrypt communication between clients and SRM Driver using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).
SRM Driver TLS/SSL Server JKS Keystore File Location	The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when SRM Driver is acting as a TLS/SSL server. The keystore must be in JKS format.
SRM Driver TLS/SSL Server JKS Keystore File Password	The password for the SRM Driver JKS keystore file.
SRM Driver TLS/SSL Server JKS Keystore Key Password	The password that protects the private key contained in the JKS keystore used when SRM Driver is acting as a TLS/SSL server.
SRM Driver TLS/SSL Trust Store File	The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that SRM Driver might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
SRM Driver TLS/SSL Trust Store Password	The password for the SRM Driver TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
Enable TLS/SSL for SRM Service	Encrypt communication between clients and SRM Service using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL))
SRM Service TLS/SSL Server JKS Keystore File Location	The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when SRM Service is acting as a TLS/SSL server. The keystore must be in JKS format.
SRM Service TLS/SSL Server JKS Keystore File Password	The password for the SRM Service JKS keystore file.
SRM Service TLS/SSL Server JKS Keystore Key Password	The password that protects the private key contained in the JKS keystore used when SRM Service is acting as a TLS/SSL server.
SRM Service TLS/SSL Trust Store File	The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that SRM Service might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
SRM Service TLS/SSL Trust Store Password	The password for the SRM Service TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.

Click Save Changes.
Restart the SRM service.