Configure TLS/SSL encryption for Kafka clients
Kafka supports TLS/SSL encrypted communication with both brokers and clients. Client configuration is done by setting the relevant security-related properties for the client.
The following steps demonstrate configuration for the console consumer or producer. If you are configuring a custom developed client, see Java client security examples or .Net client security examples for code examples.
- Generate or acquire a truststore containing the certificate of the Certificate Authority that issued the broker certificates.
- Note down the location and password for the truststore. You will need to provide these during configuration.
- Create a
.propertiesfile.In this example the file is named
- Add the mandatory properties to the file.The following configuration example contains all mandatory properties:
security.protocol=SSL ssl.truststore.location= [***PATH TO CLIENT TRUSTSTORE***] ssl.truststore.password=[***PASSWORD***]
- (Optional) Add additional security properties to the file.Depending on your requirements and broker configuration, additional configuration properties might also be needed. The following are some of the most commonly used optional properties:
- Run the client.
- Console Producer
kafka-console-producer --bootstrap-server [***HOST1:PORT1***] --topic [***TOPIC***] --producer.config client.properties
- Console Consumer
kafka-console-consumer --bootstrap-server [***HOST1:PORT1***] --topic [***TOPIC***] --consumer.config client.properties