Configuring TLS/SSL encryption for Kafka MirrorMaker

The Kafka MirrorMaker role supports TLS/SSL encrypted communication with Kafka brokers. To enable and configure TLS/SSL, you need to enable TLS/SSL for the MirrorMaker role, enter key and truststore related information, and specify the client authentication used by the source and destination Kafka clusters.

  • Generate or acquire a key and truststore for the MirrorMaker role which contain all necessary keys and certificates.
  • Note down the locations and passwords for the key and truststores. You will need to provide these during configuration.
  1. In Cloudera Manager, select the Kafka service.
  2. Go to Configuration.
  3. Find and configure the following properties based on your cluster and requirements.
    Table 1.
    Cloudera Manager Property Description

    Enable TLS/SSL for Kafka MirrorMaker

    ssl_enabled

    Encrypt communication between clients and Kafka MirrorMaker using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).

    Kafka MirrorMaker TLS/SSL Server JKS Keystore File Location

    ssl_server_keystore_location

    The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Kafka MirrorMaker is acting as a TLS/SSL server.

    Kafka MirrorMaker TLS/SSL Server JKS Keystore File Password

    ssl_server_keystore_password

    The password for the Kafka MirroMaker keystore file.

    Kafka MirrorMaker TLS/SSL Server JKS Keystore Key Password

    ssl_server_keystore_keypassword

    The password that protects the private key contained in the JKS keystore used when Kafka MirrorMaker is acting as a TLS/SSL server.

    Kafka MirrorMaker TLS/SSL Trust Store File

    ssl_client_truststore_location

    The location on disk of the trust store, used to confirm the authenticity of TLS/SSL servers that Kafka MirrorMaker might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.

    Kafka MirrorMaker TLS/SSL Trust Store Password

    ssl_client_truststore_password

    The password for the Kafka MirrorMaker TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.

    Source Kafka Cluster's Client Auth

    source.ssl.client.auth

    Only required if the source Kafka cluster requires client authentication.

    Destination Kafka Cluster's Client Auth

    destination.ssl.client.auth

    Only required if destination Kafka cluster requires client authentication.
  4. Click Save Changes.
  5. Restart the Kafka service.
The Kafka MirrorMaker role is configured for TLS/SSL encryption.