2

How to configure kafka for TLS communication using PEM encoded files in java client. All the documentation I see out there talks about creating and using java KeyStore and trustStore.

https://kafka.apache.org/10/javadoc/index.html?org/apache/kafka/clients/producer/KafkaProducer.html , https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/ , https://docs.confluent.io/current/kafka/authentication_ssl.html

I have x.509 encoded cert, private_key and ca files, how I use them to connect to kafka in golang (just an example) is something like this 

func connect(brokers []string, certs map[string][]byte) {

    certpool := x509.NewCertPool()
    certpool.AppendCertsFromPEM(certs["ca"])
    c, err := tls.X509KeyPair(certs["cert"], certs["private_key"])

    tls := tls.Config{
        RootCAs:            certpool,
        ClientAuth:         tls.NoClientCert,
        ClientCAs:          nil,
        Certificates:       []tls.Certificate{c},
    }

    config := sarama.NewConfig()
    config.Producer.Return.Successes = true
    config.Net.TLS.Enable = true
    config.Net.TLS.Config = &tls
}

How can I replicate the same behavior in java, maybe I am missing something here but is there any api/documentation that I can refer which lets us configure PEM encoded contents rather than creating keyStore?

Nik391
  • 517
  • 2
  • 7
  • 24

2 Answers2

3

As of 2.7.0, Kafka supports the PEM format.

This is the merge request that implemented it: https://issues.apache.org/jira/browse/KAFKA-10338

This is the proposal for adding the PEM format which documents the feature better than their docs/security.html: https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key

joseph
  • 2,429
  • 1
  • 22
  • 43
2

You cannot use PEM encoded secrets with Java directly.

Using openssl and keytool you can import your certificate into a JKS for your Java clients.

See Import PEM into Java Key Store

Mickael Maison
  • 25,067
  • 7
  • 71
  • 68