We are excited to announce the release of mTLS client authentication for our Instaclustr for Apache Kafka ® offering. 

Thus far we provided the option for customers to enable TLS encryption between clients and the Kafka cluster. This allowed the clients to authenticate the broker using a cluster-specific truststore downloaded from the Instaclustr Console or APIs. Now, with the addition of support for mutual TLS (also referred to as mTLS), both parties can authenticate each other and communicate over an encrypted channel.  

This new feature extends the current implementation of mTLS in Instaclustr managed Kafka clusters where it is used for securing internal broker-to-broker communication and communication between the Kafka brokers and any enabled add-ons. 

We have implemented mTLS client authentication to work in combination with Kafka ACLs (Access Control Lists). So, after the broker and client have authenticated each other, on the broker’s side, the distinguished name (DN) extracted from the certificate provided by the client is used to map it to a Kafka principal, using Kafka ACLs for authorization.  

If we’ve piqued your interest, you can read more on how to provision a cluster with mTLS enabled here, with this page providing some general information on mTLS itself.  

The best piece of news about this new feature is you will not have to pay anything extra to access it! All new clusters provisioned on Kafka versions 2.8.2 or later on our managed platform can access it during cluster creation. For customers already running Instaclustr for Apache Kafka clusters on these versions who want to enable this feature, please reach out to our friendly Technical Operations team by opening a support ticket. 

If you aren’t yet a customer, sign up for a free trial account to test our managed Kafka offering with mTLS client authentication.