Configuring TLS/SSL encryption for the Kafka Connect role
Kafka Connect roles inherit the TLS/SSL configuration of the parent Kafka service. If you are deploying Kafka Connect roles under a Kafka service that already has TLS/SSL enabled, Cloudera Manager will automatically enable TLS/SSL for Connect as well. If required however, you can manually enable or disable TLS/SSL.
- In Cloudera Manager, select the Kafka service.
- Go to Configuration.
- Find and configure the following properties based on your cluster and
requirements.
Table 1. Cloudera Manager Property Description Enable TLS/SSL for Kafka Connect
ssl_enabled
Encrypt communication between clients and Kafka Connect using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). Kafka Connect TLS/SSL Server JKS Keystore File Location
ssl_server_keystore_location
The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Kafka Connect is acting as a TLS/SSL server. Kafka Connect TLS/SSL Server JKS Keystore File Password
ssl_server_keystore_password
The password for the Kafka Connect keystore file. Kafka Connect TLS/SSL Server JKS Keystore Key Password
ssl_server_keystore_keypassword
The password that protects the private key contained in the JKS keystore used when Kafka Connect is acting as a TLS/SSL server. Kafka Connect TLS/SSL Trust Store File
ssl_client_truststore_location
The location on disk of the trust store, used to confirm the authenticity of TLS/SSL servers that Kafka Connect might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead. Kafka Connect TLS/SSL Trust Store Password
ssl_client_truststore_password
The password for the Kafka Connect TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information. ssl.client.auth
Client authentication mode for SSL connections. This configuration has three valid values, required, requested, and none. If set to required, client authentication is required. If set to requested, client authentication is requested and clients without certificates can still connect. If set to none, which is the default value, no client authentication is required - Click Save Changes.
- Restart the service.