Enabling TLS/SSL for the Streams Replication Manager service

TLS/SSL can be enabled and configured for the Streams Replication Manager service (Driver and Service roles) with various configuration properties available in Cloudera Manager. Configuring these properties affects the security configuration of Streams Replication Manager in multiple ways.

Both the Driver and Service roles of Streams Replication Manager have a number of TLS/SSL related properties associated with them. A dedicated TLS/SSL feature toggle exists for both roles. These are the Enable TLS/SSL for SRM Driver and Enable TLS/SSL for SRM Service properties. In addition to the feature toggles, there are a number of other properties that can be used to configure key and truststore information.

Configuring the feature toggles and the key/truststore related properties has the following effects on Streams Replication Manager’s security configuration:
  • The Streams Replication Manager Service role’s REST server becomes secured and uses HTTPS.
  • The Streams Replication Manager Driver role’s replication-specific Connect REST servers become secured and use HTTPS. In addition, client authentication is required from any client connecting to these servers.
  • If the deployment has a co-located Kafka cluster and that cluster was configured using a service dependency, both the Service and Driver roles use the keystore and truststore information when they establish a connection with the co-located Kafka cluster.
  • Both the Driver and Service roles use these properties as fallback configurations when establishing a connection to a Kafka cluster.

    That is, if there is a Kafka cluster in your configuration that has its protocol specified as SSL, but no truststore or keystore information is set for it, the roles use the truststore and keystore configured with these properties.
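The fallback rule above is the part most likely to surprise an operator, because a cluster that looks unconfigured still ends up with a keystore and truststore. The following added example (not part of the Cloudera documentation or of Streams Replication Manager itself) models that resolution for a set of constructed cluster definitions: a cluster with protocol SSL and no stores inherits the role-level stores, a cluster with its own truststore keeps it, and a PLAINTEXT cluster gets no TLS material at all. The property names follow the Kafka client convention (security.protocol, ssl.truststore.location, and so on) and are an assumption; the page names only the Cloudera Manager display labels. Treating SASL_SSL like SSL is also an assumption.

```python
"""Resolve the effective TLS key/trust store each SRM role would use for a
cluster, following the fallback rule from the page: a cluster whose protocol
is SSL but that carries no trust/keystore of its own inherits the role-level
stores. Property names are assumed (Kafka client convention)."""

# Role-level stores, as set by the Cloudera Manager TLS/SSL properties
# (constructed sample values, not a real deployment).
ROLE_TLS_PROPS = {
    "ssl.keystore.location": "/var/lib/srm/srm-driver.jks",
    "ssl.keystore.password": "<keystore-password>",
    "ssl.key.password": "<key-password>",
    "ssl.truststore.location": "/var/lib/srm/srm-driver-trust.jks",
    "ssl.truststore.password": "",  # may be blank: trust store contents are public
}

# Constructed cluster definitions covering the three cases of interest.
CLUSTERS = {
    "primary": {"bootstrap.servers": "primary-1:9093", "security.protocol": "SSL"},
    "secondary": {
        "bootstrap.servers": "secondary-1:9093",
        "security.protocol": "SSL",
        "ssl.truststore.location": "/etc/secondary/trust.jks",
        "ssl.truststore.password": "<secondary-trust-password>",
    },
    "legacy": {"bootstrap.servers": "legacy-1:9092", "security.protocol": "PLAINTEXT"},
}

TRUST_KEYS = ("ssl.truststore.location", "ssl.truststore.password")
KEY_KEYS = ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password")


def effective_tls_config(cluster_props, role_props=ROLE_TLS_PROPS):
    """Return (effective config dict, list of findings) for one cluster alias."""
    protocol = cluster_props.get("security.protocol", "PLAINTEXT").upper()
    findings = []
    # Assumption: SASL_SSL is treated like SSL for the purpose of the fallback.
    if protocol not in ("SSL", "SASL_SSL"):
        findings.append(f"protocol {protocol}: no TLS, role-level stores not applied")
        return dict(cluster_props), findings

    eff = dict(cluster_props)
    # Apply the fallback only where the cluster sets nothing for that store.
    if not eff.get("ssl.truststore.location"):
        if role_props.get("ssl.truststore.location"):
            for k in TRUST_KEYS:
                eff[k] = role_props.get(k, "")
            findings.append("truststore inherited from role-level properties")
        else:
            findings.append("no truststore anywhere: default well-known CAs will be used")
    if not eff.get("ssl.keystore.location"):
        if role_props.get("ssl.keystore.location"):
            for k in KEY_KEYS:
                eff[k] = role_props.get(k, "")
            findings.append("keystore inherited from role-level properties")
        else:
            findings.append("no keystore: client authentication to the brokers is impossible")
    return eff, findings


def resolve_all(clusters=CLUSTERS, role_props=ROLE_TLS_PROPS):
    """Resolve every cluster alias; useful as a pre-flight review of a config."""
    return {alias: effective_tls_config(props, role_props) for alias, props in clusters.items()}


if __name__ == "__main__":
    for alias, (cfg, notes) in resolve_all().items():
        print(f"{alias}: truststore={cfg.get('ssl.truststore.location')} "
              f"keystore={cfg.get('ssl.keystore.location')} notes={notes}")
```

Run it against your own cluster definitions to see which aliases silently depend on the role-level stores; those are the clusters whose replication breaks when the Driver or Service keystore is rotated.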

Configuring these properties is part of the process of defining and adding clusters described in Defining and adding clusters for replication. Depending on how you set up your co-located cluster, these properties might already be configured.

If you configured the co-located cluster with a service dependency, then these properties are configured in your deployment and no additional steps are needed to enable or configure TLS/SSL.

However, if you chose to set up the co-located cluster with a Kafka credential, these properties might not be configured. In that case the properties Streams Replication Manager needs to access the co-located cluster are set, but the server functionality of the roles (the REST servers) is not TLS/SSL enabled. Additionally, while not crucial, no fallback keystore and truststore are set up either. In a case like this Cloudera recommends that you complete the following steps.

  1. In Cloudera Manager, go to Clusters and select the Streams Replication Manager service.
  2. Go to Configuration.
  3. Find and configure the following properties based on your cluster and requirements:
    Table 1.
    Cloudera Manager Property | Description
    Enable TLS/SSL for SRM Driver | Encrypt communication between clients and Streams Replication Manager Driver using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).
    SRM Driver TLS/SSL Server JKS Keystore File Location | The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Streams Replication Manager Driver is acting as a TLS/SSL server. The keystore must be in JKS format.
    SRM Driver TLS/SSL Server JKS Keystore File Password | The password for the Streams Replication Manager Driver JKS keystore file.
    SRM Driver TLS/SSL Server JKS Keystore Key Password | The password that protects the private key contained in the JKS keystore used when Streams Replication Manager Driver is acting as a TLS/SSL server.
    SRM Driver TLS/SSL Trust Store File | The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Streams Replication Manager Driver might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    SRM Driver TLS/SSL Trust Store Password | The password for the Streams Replication Manager Driver TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
    Enable TLS/SSL for SRM Service | Encrypt communication between clients and Streams Replication Manager Service using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).
    SRM Service TLS/SSL Server JKS Keystore File Location | The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Streams Replication Manager Service is acting as a TLS/SSL server. The keystore must be in JKS format.
    SRM Service TLS/SSL Server JKS Keystore File Password | The password for the Streams Replication Manager Service JKS keystore file.
    SRM Service TLS/SSL Server JKS Keystore Key Password | The password that protects the private key contained in the JKS keystore used when Streams Replication Manager Service is acting as a TLS/SSL server.
    SRM Service TLS/SSL Trust Store File | The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Streams Replication Manager Service might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
    SRM Service TLS/SSL Trust Store Password | The password for the Streams Replication Manager Service TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
  4. Click Save Changes.
  5. Restart the Streams Replication Manager service.
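Step 3 asks for JKS keystore and trust store paths, and the most common cause of a role failing to start after the restart in step 5 is a store that is not what the property expects: a keystore with no private key, a trust store without the signing CA, or a file that is PKCS12 rather than JKS. The following added example (not part of the Cloudera documentation or of Streams Replication Manager) inspects both files with the JDK's keytool before you save the configuration. It parses the output of `keytool -list` and flags those conditions; the sample listings embedded in the script are constructed so that the checker can be exercised offline, and the file paths and passwords are placeholders.

```python
"""Sanity-check the JKS keystore and trust store before pointing the SRM
Driver/Service TLS/SSL properties at them. Uses `keytool -list` (JDK) and
parses its entry list; sample listings below are constructed."""
import re
import subprocess

# One keytool entry line looks like: "<alias>, Jan 5, 2024, PrivateKeyEntry,"
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), (?P<date>.+?), "
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$",
    re.MULTILINE,
)

# Constructed keytool output for a correct server keystore (one private key).
SAMPLE_KEYSTORE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

srm-driver, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

# Constructed keytool output for a correct trust store (CA certificates only).
SAMPLE_TRUSTSTORE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

corp-root-ca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F
kafka-intermediate-ca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 20:21:22:23:24:25:26:27:28:29:2A:2B:2C:2D:2E:2F:20:21:22:23:24:25:26:27:28:29:2A:2B:2C:2D:2E:2F
"""


def keytool_list(path, storepass=""):
    """Run `keytool -list` on a store and return its stdout (raises on failure).
    A blank password is accepted: keytool then lists the entries but cannot
    verify the file's integrity, which is fine for a trust store."""
    cmd = ["keytool", "-list", "-keystore", path]
    if storepass:
        cmd += ["-storepass", storepass]
    done = subprocess.run(cmd, capture_output=True, text=True, check=True,
                          stdin=subprocess.DEVNULL)
    return done.stdout


def parse_entries(listing):
    """Map alias -> entry kind from keytool -list text."""
    return {m.group("alias").strip(): m.group("kind") for m in ENTRY_RE.finditer(listing)}


def check_stores(keystore_listing, truststore_listing):
    """Return a list of problems; an empty list means both stores look usable."""
    problems = []
    ks = parse_entries(keystore_listing)
    private = [a for a, k in ks.items() if k == "PrivateKeyEntry"]
    if len(private) != 1:
        problems.append(f"keystore: expected exactly one PrivateKeyEntry, found {len(private)}")
    if "Keystore type: JKS" not in keystore_listing:
        problems.append("keystore: not reported as JKS (the SRM properties require JKS format)")

    ts = parse_entries(truststore_listing)
    trusted = [a for a, k in ts.items() if k == "trustedCertEntry"]
    if not trusted:
        problems.append("truststore: no trustedCertEntry; the signing CA certificate is missing")
    leaked = [a for a, k in ts.items() if k == "PrivateKeyEntry"]
    if leaked:
        problems.append(f"truststore: contains private key(s) {leaked}; a trust store should hold only certificates")
    return problems


def check_store_files(keystore_path, keystore_pass, truststore_path, truststore_pass=""):
    """Convenience wrapper: run keytool on real files and check the results."""
    return check_stores(keytool_list(keystore_path, keystore_pass),
                        keytool_list(truststore_path, truststore_pass))


if __name__ == "__main__":
    # Offline demonstration on the constructed listings; for a real deployment call
    # check_store_files("/path/to/srm-driver.jks", "<keystore-password>",
    #                   "/path/to/srm-driver-trust.jks") instead.
    print("problems:", check_stores(SAMPLE_KEYSTORE_LISTING, SAMPLE_TRUSTSTORE_LISTING))
```

Run the real-file variant once per role (Driver and Service each have their own keystore and trust store properties) and again whenever a certificate is rotated; a non-empty problem list is worth resolving before the restart rather than after it.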