Kafka connector security configuration
You can configure security for reactive messaging channels at both the channel level and the connector level. Connector-wide properties, like bootstrap.servers apply globally, whereas channel-specific properties, such as topic or group.id, customize the individual channel behavior.
Open Liberty enhances secure communication by supporting various protocols, each designed to safeguard data exchanges.
These protocols help maintain the interactions with services and data to be confidential and secure. To secure communication with Kafka brokers, set the necessary security properties in the microprofile-config.properties file to support various authentication protocols such as SSL/TLS, SASL/PLAIN or mTLS.
Secure Sockets Layer (SSL)
The following example demonstrates how to configure a Kafka client for secure SSL communication with Kafka brokers in the microprofile-config.properties file. The following configuration enables SSL-based authentication so that the client can securely verify the identity of the Kafka server it connects to.
mp.messaging.connector.liberty-kafka.bootstrap.servers=SSL\://kafka-server\:34691 mp.messaging.connector.liberty-kafka.security.protocol=SSL mp.messaging.connector.liberty-kafka.ssl.truststore.password=kafka-teststore mp.messaging.connector.liberty-kafka.ssl.truststore.location=kafka-truststore.jks
In the example, specifying the truststore location and password is crucial for securing communications with Kafka brokers. The client can authenticate the server identity through trusted certificates, hence establishing a secure SSL/TLS connection. The truststore location (ssl.truststore.location) identifies the file that contains these certificates. Meanwhile, the truststore password (ssl.truststore.password) protects this file, safeguarding the integrity and confidentiality of data transmitted between the client and server. This streamlined setup is essential for preventing unauthorized access and facilitating encrypted, authenticated communication in line with best security practices.s
Simple Authentication and Security Layer (SASL)/PLAIN
The following example demonstrates the setup of the SASL/PLAIN authentication with either the Open Liberty Kafka Login Module or the Kafka Plain Login Module. This configuration enables encrypted communication and authentication with Kafka brokers. It uses properties set in the microprofile-config.properties file to support different authentication protocols, including password encryption with Open Liberty securityUtility encode. Applications can maintain the confidentiality and integrity of messages, ensuring secure data flow across distributed systems.
Authenticating with Open Liberty’s Kafka Login Module that can use passwords encoded by Open Liberty securityUtility encode on a per channel basis.
mp.messaging.incoming.aes-test-in.connector=liberty-kafka
mp.messaging.incoming.aes-test-in.bootstrap.servers=SASL_SSL\://kafka-boostrap-server\:39643
mp.messaging.incoming.aes-test-in.security.protocol=SASL_SSL
mp.messaging.incoming.aes-test-in.sasl.mechanism=PLAIN
mp.messaging.incoming.aes-test-in.ssl.truststore.password=kafka-teststore
mp.messaging.incoming.aes-test-in.sasl.jaas.config=com.ibm.ws.kafka.security.LibertyLoginModule required username\="test" password\="{aes}<encoded password>";
mp.messaging.incoming.aes-test-in.ssl.truststore.location=kafka-truststore.jks
mp.messaging.incoming.aes-test-in.group.id=group-id-1
mp.messaging.incoming.aes-test-in.auto.offset.reset=earliest
mp.messaging.outgoing.aes-test-out.connector=liberty-kafka
mp.messaging.outgoing.aes-test-out.bootstrap.servers=SASL_SSL\://kafka-boostrap-server\:39643
mp.messaging.outgoing.aes-test-out.security.protocol=SASL_SSL
mp.messaging.outgoing.aes-test-out.sasl.mechanism=PLAIN
mp.messaging.outgoing.aes-test-out.sasl.jaas.config=com.ibm.ws.kafka.security.LibertyLoginModule required username\="test" password\="{aes}<encoded password>";
mp.messaging.outgoing.aes-test-out.ssl.truststore.location=kafka-truststore.jks
mp.messaging.outgoing.aes-test-out.ssl.truststore.password=kafka-teststoreAuthenticating with Kafka’s Plain Login Module.
mp.messaging.connector.liberty-kafka.security.protocol=SASL_SSL mp.messaging.connector.liberty-kafka.bootstrap.servers=SASL_SSL\://kafka-boostrap-server\:34696 mp.messaging.connector.liberty-kafka.ssl.truststore.location=kafka-truststore.jks mp.messaging.connector.liberty-kafka.sasl.mechanism=PLAIN mp.messaging.connector.liberty-kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username\="test" password\="test-QmCFfb"; mp.messaging.connector.liberty-kafka.ssl.truststore.password=kafka-teststore
Mutual TLS (mTLS)
Mutual TLS is an enhanced security protocol that requires both the client and server to authenticate each other, providing a two-way SSL authentication. Each channel uses a separate keystore to authenticate itself with the Kafka Bootstrap server.
The following example configures each channel with its own keystore to authenticate itself with the Kafka bootstrap server, as detailed in the configuration settings. With the mp.messaging.connector.liberty-kafka and specific channel configurations, the example demonstrates how to establish a secure, encrypted channel by using SSL. Mutual TLS not only secures the data in transit but also makes sure that each communication partner is authenticated, thus adding another layer of security.
mp.messaging.connector.liberty-kafka.bootstrap.servers=SSL\://kafka-boostrap-server\:39647 mp.messaging.connector.liberty-kafka.security.protocol=SSL mp.messaging.connector.liberty-kafka.ssl.truststore.location=kafka-truststore.jks mp.messaging.connector.liberty-kafka.ssl.truststore.password=kafka-teststore mp.messaging.incoming.test-in.connector=liberty-kafka mp.messaging.incoming.test-in.ssl.keystore.location=kafka-keystore.jks mp.messaging.incoming.test-in.ssl.keystore.password=kafka-teststore mp.messaging.incoming.test-in.group.id=group-id-1 mp.messaging.incoming.test-in.topic=incoming-topic mp.messaging.incoming.test-in.auto.offset.reset=earliest mp.messaging.outgoing.test-out.connector=liberty-kafka mp.messaging.outgoing.test-out.topic=outgoing-topic mp.messaging.outgoing.test-out.ssl.keystore.location=kafka-keystore2.jks mp.messaging.outgoing.test-out.ssl.keystore.password=kafka-teststore
