
Kafka Security

The document provides instructions for setting up Kafka with SSL encryption. It describes how to start Zookeeper and Kafka, create topics and producers/consumers. It then explains how to generate a Certificate Authority (CA) certificate and key, create a Kafka broker certificate signed by the CA, import the CA into the broker's truststore, and configure Kafka to use SSL on port 9093 with the keystore and truststore.

Uploaded by

Naidu

Starting zookeeper

————————
kafka/bin/zookeeper-server-start.sh -daemon kafka/config/zookeeper.properties

tail -n 100 kafka/logs/zookeeper.out

echo "ruok" | nc localhost 2181; echo

To start Kafka
———————
kafka/bin/kafka-server-start.sh -daemon kafka/config/server.properties

tail -n 10 kafka/logs/kafkaServer.out

To stop Kafka and zookeeper


———————————————————-
kafka/bin/kafka-server-stop.sh
kafka/bin/zookeeper-server-stop.sh

Change/add the following properties in server.properties


————————————————————————————————————————
advertised.listeners=PLAINTEXT://localhost:9092
zookeeper.connect=localhost:2181

Setting up in the Kafka client


————————————————

kafka/bin/kafka-topics.sh --zookeeper localhost:2181 --create \
    --topic kafka-security-topic --replication-factor 1 --partitions 2

To start Kafka producer and consumer


—————————————————

kafka/bin/kafka-console-producer.sh --broker-list localhost:9092 \
    --topic kafka-security-topic

kafka/bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 \
    --topic kafka-security-topic

Creating Certificate Authority (CA)


—————————————————

openssl req -new -newkey rsa:4096 -days 365 -x509 \
    -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes

This generates the private key 'ca-key' and the public certificate file 'ca-cert'.

Setting up SSL in Kafka


————————————

export SRVPASS=serversecret

Generate the Kafka broker certificate using the keytool command

keytool -genkey -keyalg RSA -keystore kafka.server.keystore.jks -validity 365 \
    -storepass $SRVPASS -keypass $SRVPASS -dname "CN=localhost" \
    -storetype pkcs12

keytool -list -v -keystore kafka.server.keystore.jks

To get a signed version of the certificate for the Kafka broker (2-way process)

keytool -keystore kafka.server.keystore.jks -certreq -file cert-file \
    -storepass $SRVPASS -keypass $SRVPASS

To sign certificate

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed \
    -days 365 -CAcreateserial -passin pass:$SRVPASS

keytool -printcert -v -file cert-signed

To create trust store on Kafka broker


——————————————

keytool -keystore kafka.server.truststore.jks -alias CARoot -import \
    -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt

To import signed certificate into keystore


—————————————————————

keytool -keystore kafka.server.keystore.jks -alias CARoot -import \
    -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt

keytool -keystore kafka.server.keystore.jks -import -file cert-signed \
    -storepass $SRVPASS -keypass $SRVPASS -noprompt

Configure Kafka broker


——————————

/config/server.properties

listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093
advertised.listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093
zookeeper.connect=localhost:2181

ssl.keystore.location=/Users/nmalla/naidu/softwares/sslcrerts/kafka.server.keystore.jks
ssl.keystore.password=serversecret
ssl.key.password=serversecret
ssl.truststore.location=/Users/nmalla/naidu/softwares/sslcrerts/kafka.server.truststore.jks
ssl.truststore.password=serversecret

Restart Kafka

grep "EndPoint" kafka/logs/server.log
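
A check for the certificate files produced in the steps above, as an added example that is not part of the original document: it confirms that cert-signed chains to ca-cert, is not about to expire and matches the broker host name, which is worth running before the file is imported into the keystore. The function names and the broker-key file are hypothetical, and openssl stands in for keytool when building the constructed test certificates.

```shell
#!/bin/sh
# Added example. File names ca-cert, ca-key, cert-file and cert-signed follow the page;
# the function names and the broker-key file are hypothetical.

# check_broker_cert CA CERT HOST [DAYS]
# Prints OK and returns 0 only if CERT chains to CA, stays valid for DAYS more
# days (default 30) and matches HOST. Returns 1, 2 or 3 for the failing check.
check_broker_cert() {
    ca=$1 cert=$2 host=$3 days=${4:-30}
    # Chain: the signature on CERT must verify against the CA certificate.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $cert does not chain to $ca"; return 1; }
    # Expiry: -checkend exits non-zero when the cert expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "FAIL: $cert expires within $days days"; return 2; }
    # Name: the host name that clients connect to must match the certificate.
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "FAIL: $cert is not valid for host $host"; return 3; }
    echo "OK"
}

# make_fixture DIR CN
# Builds a throwaway CA and a signed broker cert in DIR with the page's openssl
# commands. Assumption: openssl replaces keytool for the broker key and CSR,
# and 2048-bit keys are used only to keep the demo fast.
make_fixture() (
    cd "$1" || exit 1
    openssl req -new -newkey rsa:2048 -days 365 -x509 -subj "/CN=Kafka-Security-CA" \
        -keyout ca-key -out ca-cert -nodes 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -subj "/CN=$2" -nodes \
        -keyout broker-key -out cert-file 2>/dev/null &&
    openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed \
        -days 365 -CAcreateserial 2>/dev/null
)

# Demo on constructed data: a cert for CN=localhost checked against its own CA.
demo=$(mktemp -d)
make_fixture "$demo" localhost
check_broker_cert "$demo/ca-cert" "$demo/cert-signed" localhost
rm -rf "$demo"
```

Against the real files from this procedure, run `check_broker_cert ca-cert cert-signed localhost` in the directory that holds them.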

———
Confluent blog

# With user prompts


keytool -keystore kafka.server.keystore.jks -alias localhost -genkey

# Without user prompts, pass command line arguments


keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 \
    -genkey -storepass password -keypass password \
    -dname {distinguished-name} -ext SAN=DNS:{hostname}
