Configuring TLS/SSL properties

The SRM client’s secure storage is automatically populated with the sensitive properties needed by the srm-control tool to access clusters defined with Kafka credentials. However, if the co-located cluster uses TLS/SS and was defined through a service dependency, the TLS/SSL properties of the co-located cluster must be configured and added to the secure storage manually.

  • Ensure that you have reviewed the information available in Configuring srm-control and understand that the following step list is only one part of the full configuration workflow. Depending on your scenario, completing other configuration tasks might be required.

  • Ensure that setup and configuration of the SRM service is complete:
    • The Kafka clusters that SRM connects to are defined and are added to the SRM service’s configuration. This includes both external and co-located clusters.

    • Replications are configured.

  • If TLS/SSL encryption is enabled on the co-located Kafka cluster:

    • Generate or acquire a truststore containing the certificate of the Certificate Authority that issued the co-located Kafka cluster’s certificate.

    • Note down the password of the truststore. You will need to provide it during configuration.

  • If both TLS/SSL encryption and authentication are enabled on the co-located Kafka cluster:

    • Generate or acquire a key and truststore which contain all necessary keys and certificates.

    • Note down the locations and passwords for the key and truststores. You will need to provide these during configuration.

    • If the Certificate Authority that issued the tool’s certificate is different from the Certificate Authority of the co-located Kafka cluster’s certificate, ensure the tool’s Certificate Authority certificate is added to the truststore of the co-located Kafka cluster. Otherwise, the co-located Kafka cluster will not trust the certificates used by the tool and a trusted connection will not be established.

  1. In Cloudera Manager, go to Clusters and select the Streams Replication Manager service.
  2. Go to Configuration.
  3. Click Gateway in the Filters pane.
  4. Find and configure the following properties:
    If the co-located cluster uses SSL/TLS encryption only, and no authentication is required, you do not need to configure the keystore related properties from the following list.
    JKS Keystore file Location for the SRM client's TLS/SSL server
    The path to the TLS/SSL keystore file containing the client certificate and private key. Ensure that this file is available on all SRM hosts.
    SRM Client's TLS/SSL Server JKS Keystore File Password
    The password used to access the keystore file specified in the JKS Keystore file Location for the SRM client's TLS/SSL server property.
    SRM Client's TLS/SSL Server JKS Keystore Key Password
    The password used to access the key stored in the keystore file specified in the JKS Keystore file Location for the SRM client's TLS/SSL server property.
    Gateway TLS/SSL Trust Store File
    The path to the TLS/SSL truststore file containing the server (co-located cluster’s) certificate and public key. Ensure that this file is available on all SRM hosts.
    Gateway TLS/SSL Truststore Password
    The password used to access the truststore file specified in the Gateway TLS/SSL Trust Store File property.
  5. Click Save Changes.
  6. Re-deploy client configuration.
  • If your co-located cluster uses Kerberos authentication, continue with Configuring Kerberos properties.
  • If your co-located cluster uses a SASL authentication mechanism different from Kerberos, continue with Configuring properties for non-Kerberos authentication mechanisms.
  • If the co-located cluster does not use SASL authentication continue with Setting the secure storage password as an environment variable.