Configuring TLS/SSL client authentication for the Kafka Connect REST API

Learn how to configure TLS/SSL client authentication for the Kafka Connect REST API.

You can secure the Kafka Connect API by configuring the Kafka Connect roles to require SSL Client authentication. This can be done by setting the SSL Client Authentication property to required. When set to required, only clients that pass SSL client authentication will be able to access the Kafka Connect API. As a result, any client that you would like to give access to should have its certificate added to the Kafka Connect truststore. This includes Streams Messaging Manager as well. Cloudera recommends that in secure environments only Streams Messaging Manager is given access to the Kafka Connect API.

In addition to setting client authentication to required, you may also want to consider setting up a firewall using third-party tools to further secure access to the Kafka Connect API. Note, however, that even with a firewall in place and SSL authentication set to required, if Streams Messaging Manager is given access to the Kafka Connect API, then any user that has access to Streams Messaging Manager will be able to interact with the Kafka Connect API. This is because Streams Messaging Manager does not enforce authorization checks when users access Kafka Connect functionality within Streams Messaging Manager. This is true for both the Streams Messaging Manager UI and the Streams Messaging Manager REST API. As a result, caution is advised even if the Kafka Connect API itself is secured.

Complete the following steps to set SSL Client Authentication to required.

  1. Select the Kafka Service.
  2. Go to Configuration.
  3. Find the SSL Client Authentication property.
  4. Set the property to required.
  5. Click Save Changes.
  6. Restart the service.

Only authenticated clients are allowed to connect to the Kafka Connect API.

If you are using Streams Messaging Manager to manage and monitor Kafka Connect, and you are not using auto TLS, add the certificate of Streams Messaging Manager to the Kafka Connect truststore.
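
To confirm the result of the steps above, the following added example (not part of the Cloudera documentation) probes the Kafka Connect REST API once without a client certificate and once with one, and reports whether client authentication is actually enforced. The function names, result strings and command-line arguments are assumptions of this sketch; `/connectors` is the standard Kafka Connect listing endpoint.

```python
import socket
import ssl


def probe_connect_api(host, port, ca_file=None, cert_file=None, key_file=None, timeout=5.0):
    """Classify one HTTPS request to the Kafka Connect REST API.

    Returns 'unreachable', 'server-untrusted', 'rejected' or 'accepted (HTTP <code>)'.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # still verifies the server side
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # client certificate to present
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Under TLS 1.3 the client side of the handshake can complete before
            # the server has checked the client certificate, so a refusal may
            # only surface on the first write or read. Always send a request.
            request = f"GET /connectors HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            status = tls.recv(4096).split(b"\r\n", 1)[0].split()
    except ssl.SSLCertVerificationError:
        return "server-untrusted"  # fix ca_file first; says nothing about client auth
    except socket.timeout:
        return "unreachable"
    except OSError:  # TLS alert, connection reset or EOF from the server
        return "rejected"
    if len(status) < 2:  # connection closed without an HTTP status line
        return "rejected"
    return f"accepted (HTTP {status[1].decode('ascii', 'replace')})"


def client_auth_enforced(host, port, ca_file, cert_file, key_file):
    """True only if a certificate-less client is refused and a trusted one gets in."""
    anonymous = probe_connect_api(host, port, ca_file)
    trusted = probe_connect_api(host, port, ca_file, cert_file, key_file)
    return anonymous == "rejected" and trusted.startswith("accepted"), anonymous, trusted


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 6:  # HOST PORT CA_PEM CLIENT_PEM CLIENT_KEY (your own values)
        host, port, *files = sys.argv[1:]
        print(client_auth_enforced(host, int(port), *files))
    else:
        print("usage: probe.py HOST PORT CA_PEM CLIENT_PEM CLIENT_KEY")
```

An `accepted` result for the certificate-less probe means the property change has not taken effect on that role instance. Run the check against every Kafka Connect host after the restart.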