Learn how to set up SRM security for clusters with differing security
setups.
In a complex system you might have clusters that require no encryption or
authentication while others do. SRM is capable of operating in environments where the
security setup of each cluster SRM is connecting to is different. Configuring security is
achieved by adding the appropriate configuration properties to your
srm.properties
configuration file. When connecting SRM to clusters with
non-uniform security setups, you have to add each configuration property separately for each
cluster in your system. This can be done by prepending the configuration property with the
cluster name. For example, primary.security.protocol
specifies the security
protocol for the cluster named “primary”.
-
Specify the security protocols for each cluster:
primary.security.protocol = SSL
backup.security.protocol = SASL_SSL
-
Add truststore information:
Truststore information is only required if you are using SSL
encryption.
backup.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
backup.ssl.truststore.password=test1234
primary.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
primary.ssl.truststore.password=test1234
-
Add keystore information:
Keystore information is only required if you are using SSL
authentication.
primary.ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
primary.ssl.keystore.password=test1234
primary.ssl.key.password=test1234
-
Specify the authentication mechanism:
Specifying the authentication mechanism is only required if you are using
SASL.
backup.sasl.mechanism = GSSAPI
-
Specify the service name:
Service name information is only required if you are using
Kerberos.
primary.sasl.kerberos.service.name = kafka
backup.sasl.kerberos.service.name = srm
-
Configure the JAAS.
JAAS configuration is only required if you are using SASL.
If one or more of your
clusters operates in a different kerberos realm, you have to specify a unique JAAS
configuration for each. Configuring multiple kerberos realms is only possible by
embedding the JAAS configuration in the srm.properties
file. Passing
JAAS configuration files with the SRM_KERBEROS_OPTS
environment
variable is not supported in this
scenario.
primary.sasl.jaas.config = \
com.sun.security.auth.module.Krb5LoginModule required \
useKeyTab=true \
keyTab="path/to/keytab file" \
storeKey=true \
useTicketCache=false \
principal="streamsrepmgr@STREAMANALYTICS.COM";
backup.sasl.jaas.config = \
com.sun.security.auth.module.Krb5LoginModule required \
useKeyTab=true \
keyTab="path/to/keytab file" \
storeKey=true \
useTicketCache=false \
principal="streamsrepmgr@EXAMPLE.COM";