Skip to content

Demo: SSL Authentication

The demo shows how to use SSL/TLS for authentication so no connection can be established between Kafka clients (consumers and producers) and brokers unless a valid and trusted certificate is provided.

Before You Begin

The demo is a follow-up to Demo: Secure Inter-Broker Communication. Please finish it first before this demo.

Generate Certificate for Client Authentication

Generate the keys and certificate of a Kafka client to be authenticated as jacek.

keytool \
  -genkey \
  -keystore jacek.keystore \
  -alias jacek \
  -dname CN=jacek \
  -keyalg RSA \
  -validity 365 \
  -storepass 123456

You should now have one more file in the directory:

  • jacek.keystore - the keystore with the private key and the certificate of the user

Use keytool to print out the content of the keystore.

keytool -list -v -keystore jacek.keystore -storepass 123456

The keystore should contain 1 entry for the alias jacek.

Sign Client Certificate (Using CA)

Create a certificate signing request (CSR).

Export the client certificate from jacek.keystore.

keytool \
  -certreq \
  -keystore jacek.keystore \
  -alias jacek \
  -file jacek.unsigned.crt \
  -storepass 123456

Sign the certificate signing request (jacek.unsigned.crt) with the root CA.

$ openssl x509 \
  -req \
  -CA ca.crt \
  -CAkey ca.key \
  -in jacek.unsigned.crt \
  -out jacek.crt \
  -days 365 \
  -CAcreateserial \
  -passin pass:1234
Signature ok
subject=CN = jacek
Getting CA Private Key

You should have the following file in the directory:

  • jacek.crt - the signed certificate of the user

Import Certificates to Client Keystore

Create a SSL keystore for the Kafka client. Each client gets its own unique keystore.

Import the certificate of the CA into the client keystore.

$ keytool \
  -import \
  -file ca.crt \
  -keystore jacek.keystore \
  -alias ca \
  -storepass 123456 \
  -noprompt
Certificate was added to keystore

Import the signed certificate into the client keystore. Make sure to use the same -alias as you used ealier.

$ keytool \
  -import \
  -file jacek.crt \
  -keystore jacek.keystore \
  -alias jacek \
  -storepass 123456 \
  -noprompt
Certificate reply was installed in keystore

Use keytool to print out the certificates in the client keystore.

keytool -list -v -keystore jacek.keystore -storepass 123456

There should be 2 entries (one for the CA and another for the client itself).

Require Client Authorization Using SSL on Kafka Brokers

Enable SSL authentication (require client authentication using SSL certificates).

Edit config/server-ssl.properties and add the following configuration property:

ssl.client.auth=required

Start the broker(s).

./bin/kafka-server-start.sh config/server-ssl.properties

Tip

Use export KAFKA_OPTS=-Djavax.net.debug=all to debug SSL-related issues.

Verify the SSL configuration of the broker. The following uses the Cryptography and SSL/TLS Toolkit (OpenSSL) and the client tool.

openssl s_client -connect localhost:9093

The client tool will quit immediately since the broker requires clients to provide valid certificates. You should find the following INFO message in the broker logs:

[SocketServer brokerId=0] Failed authentication with /0:0:0:0:0:0:0:1 (SSL handshake failed)

Configure SSL Authentication for Kafka Client

Use the following jacek-client.properties as a minimal configuration of a Kafka client to use SSL authentication:

security.protocol=SSL
ssl.truststore.location=/tmp/kafka-ssl-demo/client.truststore
ssl.truststore.password=123456
ssl.keystore.location=/tmp/kafka-ssl-demo/jacek.keystore
ssl.keystore.password=123456
ssl.key.password=123456

Use kafka-console-producer.sh utility to send records to Kafka brokers over SSL:

kafka-console-producer.sh \
  --broker-list :9093 \
  --topic ssl \
  --producer.config /tmp/kafka-ssl-demo/jacek-client.properties

Tip

Use export KAFKA_OPTS=-Djavax.net.debug=all to debug SSL issues. Learn more in the source code of openjdk's sun.security.ssl.SSLLogger.

That's all for the demo. I hope you enjoyed it!