Configure the Keystore to Use Client ⇄ Broker Encryption & Mutual Authentication (mTLS) For Apache Kafka® Client
This article describes how to configure a local keystore so that Apache Kafka clients can connect to the cluster with Client ⇄ Broker Encryption & Mutual Authentication (mTLS), and gives a connection example.
- You must have a Kafka cluster with mTLS enabled – see documentation for more help with this.
- You must have the signed user certificates available – see documentation for more help with this.
- You must allow the client IP to connect to the mTLS ports through your cluster firewall – see documentation for more help with this.
- You have keytool, a key and certificate management utility which is bundled with the Java Development Kit (JDK). For more information refer to the keytool documentation. Another tool or service could be used instead as many options are available.
Configuring the Keystore to Use mTLS Authentication with Apache Kafka Clients
- Add the cluster CA X.509 certificate to the keystore. Ensure it is the same keystore that was used when creating the certificate signing request. An example using keytool in a terminal is as follows:

  Add Instaclustr RootCA to the keystore
  ```
  keytool -keystore <path to keystore, e.g. keystore.jks> -alias <alias e.g CAroot> -import -noprompt -file \
  <e.g. cluster-ca-certificate.pem> -storepass <store password used at setup> -keypass <key password used at setup>
  ```
For more information on where to find the CA X509 certificate, refer to the instructions here.
- For instructions on how to generate the signed certificate, please refer to the instructions here. Add the signed client certificate to the keystore. An example using keytool in a terminal is as follows:

  ```
  keytool -keystore <path to keystore, e.g. keystore.jks> -alias <alias, e.g. mtls> -import -noprompt -file \
  <path to signed certificate, e.g. mtls-ca-signed.crt> -storepass <store password used at setup> -keypass <key password used at setup>
  ```
Now that you have the keystore set up to connect to your Kafka cluster, a range of connection examples are available on the Connection Information page using different connection methods. As an example, the following steps show how to connect a consumer and producer using the Kafka CLI.
- Download and unzip a copy of Kafka. Kafka can be downloaded from https://kafka.apache.org/downloads; choose the appropriate version.
- Create a configuration file (e.g. kafka.properties) containing the following properties:

  Example Config properties
  ```
  security.protocol=SSL
  ssl.truststore.location=<path to truststore, e.g. truststore.jks>
  ssl.truststore.password=<truststore password>
  ssl.keystore.location=<path to keystore, e.g. keystore.jks>
  ssl.keystore.password=<keystore password>
  ssl.key.password=<key password used at setup>
  ```
- Start a console producer using the following command:

  Start a kafka producer
  ```
  kafka-console-producer.sh --broker-list <ip, e.g.126.96.36.199>:<port, e.g., 9082> \
  --topic test-topic --producer.config \
  <path to producer config, e.g. kafka.properties>
  ```
- In a separate terminal, start a consumer with the following command:

  Run a kafka consumer
  ```
  kafka-console-consumer.sh --bootstrap-server <ip, e.g.188.8.131.52>:<port, e.g. 9082> --topic <topic> \
  --consumer.config <path to consumer config, e.g. kafka.properties>
  ```
- Type “instaclustr” in the producer terminal and press Enter. Confirm that “instaclustr” is received in the consumer terminal.
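Before starting the producer and consumer, the kafka.properties file from the steps above can be checked for the mistakes that most often stop an mTLS client from connecting or that expose its store passwords. The script below is an added example, not part of the Instaclustr documentation; the function names `prop` and `check_mtls_props` are hypothetical, and it assumes a plain `key=value` properties file with one setting per line.

```shell
#!/bin/sh
# Added example (not Instaclustr code): pre-flight check of the mTLS client config.
# check_mtls_props FILE prints one line per problem and returns non-zero if any.

# prop FILE KEY -> value of KEY (last assignment wins, surrounding blanks trimmed)
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

check_mtls_props() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }

    # The file holds store passwords, so group and other must have no access.
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ln "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f is accessible to group/other (chmod 600)"; rc=1; }

    # Anything other than SSL means the client will not present its certificate.
    proto=$(prop "$f" security.protocol)
    [ "$proto" = "SSL" ] || { echo "security.protocol is '$proto', expected SSL"; rc=1; }

    for k in ssl.truststore.location ssl.truststore.password \
             ssl.keystore.location ssl.keystore.password ssl.key.password; do
        v=$(prop "$f" "$k")
        case $v in
            "")   echo "$k is missing or empty"; rc=1 ;;
            "<"*) echo "$k still holds a template placeholder"; rc=1 ;;
        esac
    done

    # Store paths must point at real files, otherwise the client fails at startup.
    for k in ssl.truststore.location ssl.keystore.location; do
        v=$(prop "$f" "$k")
        case $v in ""|"<"*) continue ;; esac
        [ -f "$v" ] || { echo "$k: no such file: $v"; rc=1; }
    done
    return $rc
}
```

After sourcing the script, run `check_mtls_props kafka.properties`; no output and a zero exit status mean the file passed every check.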
Refer to the following resources for further information on mTLS with Apache Kafka:
By Instaclustr Support