Configure TLS/SSL for KRaft Controllers
Learn how to configure TLS/SSL for KRaft Controllers.
- In Cloudera Manager, select the Kafka service.
- Go to Configuration.
- Find and configure the following properties based on your cluster and requirements.

  Table 1. KRaft TLS/SSL configuration properties

  | Cloudera Manager Property | Description |
  | --- | --- |
  | Enable TLS/SSL for Kraft Controller (ssl_enabled) | Encrypt communication between clients and KRaft Controller using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)). |
  | KRaft Controller TLS/SSL Server JKS Keystore File Location (ssl_server_keystore_location) | The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when KRaft Controller is acting as a TLS/SSL server. The keystore must be in the format specified in Administration > Settings > Java Keystore Type. |
  | KRaft Controller TLS/SSL Server JKS Keystore File Password (ssl_server_keystore_password) | The password for the KRaft Controller keystore file. |
  | KRaft Controller TLS/SSL Server JKS Keystore Key Password (ssl_server_keystore_keypassword) | The password that protects the private key contained in the keystore used when KRaft Controller is acting as a TLS/SSL server. |
  | KRaft Controller TLS/SSL Trust Store File (ssl_client_truststore_location) | The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that KRaft Controller might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead. |
  | KRaft Controller TLS/SSL Trust Store Password (ssl_client_truststore_password) | The password for the KRaft Controller TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information. |
  | SSL Client Authentication (ssl.client.auth) | Client authentication mode for SSL connections. This configuration has three valid values, required, requested, and none. If set to required, client authentication is required. If set to requested, client authentication is requested and clients without certificates can still connect. If set to none, which is the default value, no client authentication is required. |

- Click Save Changes.
- Restart the Kafka service.
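
A pre-flight review of the values chosen for the properties in Table 1, written as an added example (it is not Cloudera code and does not call Cloudera Manager). The function name, the `file_exists` hook, and the sample values are hypothetical; the check on `required` with no trust store assumes the controller validates client certificates against the same trust store, as Apache Kafka does with its own trust store setting.

```python
import os

CLIENT_AUTH_MODES = ("required", "requested", "none")

def review_kraft_tls(props, file_exists=os.path.isfile):
    """Return (severity, message) findings for a dict keyed by the Table 1 names."""
    if str(props.get("ssl_enabled", "false")).lower() != "true":
        return [("error", "ssl_enabled is off: controller traffic is not encrypted")]
    findings = []
    keystore = props.get("ssl_server_keystore_location")
    if not keystore:
        findings.append(("error", "ssl_server_keystore_location is not set"))
    elif not file_exists(keystore):
        findings.append(("error", f"keystore file not found: {keystore}"))
    truststore = props.get("ssl_client_truststore_location")
    if not truststore:
        findings.append(("warn", "no trust store: default well-known CAs are used"))
    elif not file_exists(truststore):
        findings.append(("error", f"trust store file not found: {truststore}"))
    # ssl_client_truststore_password is optional (integrity check only): no finding.
    mode = props.get("ssl.client.auth", "none")  # "none" is the documented default
    if mode not in CLIENT_AUTH_MODES:
        findings.append(("error", f"ssl.client.auth has invalid value {mode!r}"))
    elif mode == "none":
        findings.append(("warn", "ssl.client.auth=none: no client authentication"))
    elif mode == "requested":
        findings.append(("warn", "ssl.client.auth=requested: clients without "
                                 "certificates can still connect"))
    elif not truststore:
        # Assumption: client certificates are validated against the trust store.
        findings.append(("warn", "ssl.client.auth=required without a trust store: "
                                 "client certificates are checked against default CAs"))
    return findings

# Constructed sample values, not taken from a real cluster.
SAMPLE = {
    "ssl_enabled": "true",
    "ssl_server_keystore_location": "/opt/example/kraft-keystore.jks",
    "ssl.client.auth": "requested",
}

if __name__ == "__main__":
    for severity, message in review_kraft_tls(SAMPLE, file_exists=lambda p: True):
        print(f"{severity}: {message}")
```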
