Configuring TLS/SSL encryption for the Kafka Connect role

Kafka Connect roles inherit the TLS/SSL configuration of the parent Kafka service. If you are deploying Kafka Connect roles under a Kafka service that already has TLS/SSL enabled, Cloudera Manager will automatically enable TLS/SSL for Connect as well. If required however, you can manually enable or disable TLS/SSL.

  1. In Cloudera Manager, select the Kafka service.
  2. Go to Configuration.
  3. Find and configure the following properties based on your cluster and requirements.
    Table 1.
    Cloudera Manager Property Description

    Enable TLS/SSL for Kafka Connect

    ssl_enabled

    Encrypt communication between clients and Kafka Connect using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).

    Kafka Connect TLS/SSL Server JKS Keystore File Location

    ssl_server_keystore_location

    The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Kafka Connect is acting as a TLS/SSL server.

    Kafka Connect TLS/SSL Server JKS Keystore File Password

    ssl_server_keystore_password

    The password for the Kafka Connect keystore file.

    Kafka Connect TLS/SSL Server JKS Keystore Key Password

    ssl_server_keystore_keypassword

    The password that protects the private key contained in the JKS keystore used when Kafka Connect is acting as a TLS/SSL server.

    Kafka Connect TLS/SSL Trust Store File

    ssl_client_truststore_location

    The location on disk of the trust store, used to confirm the authenticity of TLS/SSL servers that Kafka Connect might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.

    Kafka Connect TLS/SSL Trust Store Password

    ssl_client_truststore_password

    The password for the Kafka Connect TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
    ssl.client.auth Client authentication mode for SSL connections. This configuration has three valid values, required, requested, and none. If set to required, client authentication is required. If set to requested, client authentication is requested and clients without certificates can still connect. If set to none, which is the default value, no client authentication is required
  4. Click Save Changes.
  5. Restart the service.
TLS/SSL encryption is configured for the Kafka Connect role.