Configuring TLS/SSL properties
The SRM client’s secure storage is automatically populated with the sensitive properties needed by the srm-control tool to access clusters defined with Kafka credentials. However, if the co-located cluster uses TLS/SS and was defined through a service dependency, the TLS/SSL properties of the co-located cluster must be configured and added to the secure storage manually.
-
Ensure that you have reviewed the information available in Configuring srm-control and understand that the following step list is only one part of the full configuration workflow. Depending on your scenario, completing other configuration tasks might be required.
-
Ensure that setup and configuration of the SRM service is complete:
-
The Kafka clusters that SRM connects to are defined and are added to the SRM service’s configuration. This includes both external and co-located clusters.
-
Replications are configured.
-
-
If TLS/SSL encryption is enabled on the co-located Kafka cluster:
-
Generate or acquire a truststore containing the certificate of the Certificate Authority that issued the co-located Kafka cluster’s certificate.
-
Note down the password of the truststore. You will need to provide it during configuration.
-
-
If both TLS/SSL encryption and authentication are enabled on the co-located Kafka cluster:
-
Generate or acquire a key and truststore which contain all necessary keys and certificates.
-
Note down the locations and passwords for the key and truststores. You will need to provide these during configuration.
-
If the Certificate Authority that issued the tool’s certificate is different from the Certificate Authority of the co-located Kafka cluster’s certificate, ensure the tool’s Certificate Authority certificate is added to the truststore of the co-located Kafka cluster. Otherwise, the co-located Kafka cluster will not trust the certificates used by the tool and a trusted connection will not be established.
-
- If your co-located cluster uses Kerberos authentication, continue with Configuring Kerberos properties.
- If your co-located cluster uses a SASL authentication mechanism different from Kerberos, continue with Configuring properties for non-Kerberos authentication mechanisms.
- If the co-located cluster does not use SASL authentication continue with Setting the secure storage password as an environment variable.