Configurations for SASL Authentication
Siebel CRM-Kafka integration supports the following SASL authentication mechanisms:
- SASL/PLAIN
- SASL/SCRAM-SHA-256
- SASL/SCRAM-SHA-512
Configuring SASL/PLAIN
Changes in Kafka broker:
- Create a new Java Authentication and Authorization Service (JAAS) file called kafka-server-jaas.conf with contents like the one below. Add the Kafka server users to this file:

    KafkaServer {
      org.apache.kafka.common.security.plain.PlainLoginModule required
      username="admin"
      password="admin-secret"
      user_admin="admin-secret"
      user_alice="alice-secret"
      user_siebel="siebel-secret";
    };

  Pass the above-mentioned JAAS file as a JVM parameter to the Kafka broker as follows:

    -Djava.security.auth.login.config=<path to kafka-server-jaas.conf>

  For example, in a Windows Kafka environment, it can be done as follows. For the configuration on other platforms, check the official Kafka reference documentation.

    set KAFKA_OPTS=-Djava.security.auth.login.config=kafka-server-jaas.conf
- Update the server.properties file of the Kafka broker as follows:

    listeners=SASL_SSL://serverurl.oraclevcn.com:9095
    security.inter.broker.protocol=SASL_SSL
    sasl.mechanism.inter.broker.protocol=PLAIN
    sasl.enabled.mechanisms=PLAIN

  and also add (for SSL configurations):

    ssl.keystore.location=C:\\DebugBuild\\certs\\siebelkeystore.jks
    ssl.keystore.password=siebel
    ssl.truststore.location=C:\\DebugBuild\\certs\\siebeltruststore.jks
    ssl.truststore.password=siebel
    ssl.key.password=siebel
    ssl.client.auth=required
Changes in AI sidecar for SASL/PLAIN:
- Generate the encrypted form of each password set up in the kafka-server-jaas.conf file (shown above) by using the EncryptString jar file in <AI server>\webapps\siebel\WEB-INF\lib.
- Update the following properties in applicationinterface.properties:

    SecureAIToKafkaCommunication=true
    KafkaServers=<Kafka host name>:<Kafka port number>
    KafkaAuthenticationEnabled=true
    KafkaAuthenticationMechanism=PLAIN
    KafkaAuthenticationUser=<SASL user name created in the kafka-server-jaas.conf file on the Kafka server>
    KafkaAuthenticationPassword=<Encrypted password for the above user from the kafka-server-jaas.conf file>
    KafkaKeyStoreType=JKS
    KafkaKeyStoreName=<Key Store location, e.g. Z:\\siebel\\applicationcontainer_external\\siebelcerts\\siebelkeystore.jks>
    KafkaKeyStorePassword=<Encrypted Key Store Password>
    KafkaTrustStoreType=JKS
    KafkaTrustStoreName=<Encrypted Trust Store location, for example, in Windows, Z:\\siebel\\applicationcontainer_external\\siebelcerts\\siebelkeystore.jks>
    KafkaTrustStorePassword=<Trust Store Password>
    KafkaPassword=<Encrypted Kafka user password>
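A mismatch between the broker's JAAS user list and the sidecar's KafkaAuthenticationUser is the usual reason a SASL/PLAIN setup fails after following the steps above. The script below is an added example (not part of this documentation or of Siebel/Kafka) that parses the KafkaServer section of a PlainLoginModule JAAS file and the SASL-related sidecar properties, then reports inconsistencies: a broker user with no matching user_<name> entry, a sidecar user the broker does not know, and a sidecar password that is still the plaintext JAAS value instead of the EncryptString output. The JAAS text, user names and property values are constructed samples; the placeholder ENCRYPTED_PLACEHOLDER stands in for a real EncryptString result.

```python
"""Consistency check for a SASL/PLAIN setup: the broker's kafka-server-jaas.conf
against the sidecar's applicationinterface.properties.
Added example; the JAAS text and property values are constructed samples."""
import re

# Constructed sample of kafka-server-jaas.conf (PlainLoginModule).
JAAS_TEXT = """
KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret"
  user_alice="alice-secret"
  user_siebel="siebel-secret";
};
"""

# Constructed sample of the SASL-related sidecar properties.
SIDECAR_PROPS = """
SecureAIToKafkaCommunication=true
KafkaAuthenticationEnabled=true
KafkaAuthenticationMechanism=PLAIN
KafkaAuthenticationUser=siebel
KafkaAuthenticationPassword=ENCRYPTED_PLACEHOLDER
"""


def parse_jaas_plain(text):
    """Return (broker_user, broker_password, {user: password}) from the
    KafkaServer section of a PlainLoginModule JAAS file."""
    section = re.search(r"KafkaServer\s*\{(.*?)\};", text, re.S)
    if section is None:
        raise ValueError("no KafkaServer section found")
    body = section.group(1)
    if "PlainLoginModule" not in body:
        raise ValueError("KafkaServer section does not use PlainLoginModule")
    # Every option has the form name="value"; PlainLoginModule takes the
    # broker's own credentials from username/password and the accepted
    # client credentials from user_<name>="<password>".
    opts = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body))
    users = {k[len("user_"):]: v for k, v in opts.items() if k.startswith("user_")}
    return opts.get("username"), opts.get("password"), users


def parse_props(text):
    """Minimal key=value reader for a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_plain_setup(jaas_text, sidecar_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    broker_user, broker_pw, users = parse_jaas_plain(jaas_text)
    # Inter-broker connections authenticate with username/password and are
    # validated against the same user_<name> list, so the broker's own user
    # must be listed there with an identical password.
    if broker_user not in users:
        findings.append(f"broker user '{broker_user}' has no user_{broker_user} entry")
    elif users[broker_user] != broker_pw:
        findings.append(f"user_{broker_user} password differs from the broker password")
    props = parse_props(sidecar_text)
    if props.get("SecureAIToKafkaCommunication", "").lower() != "true":
        findings.append("SecureAIToKafkaCommunication is not true")
    if props.get("KafkaAuthenticationEnabled", "").lower() != "true":
        findings.append("KafkaAuthenticationEnabled is not true")
    if props.get("KafkaAuthenticationMechanism") != "PLAIN":
        findings.append("KafkaAuthenticationMechanism is not PLAIN")
    sidecar_user = props.get("KafkaAuthenticationUser")
    if sidecar_user not in users:
        findings.append(f"sidecar user '{sidecar_user}' has no user_ entry in the JAAS file")
    # The sidecar must carry the EncryptString output, never the raw secret;
    # equality with the JAAS value is a simple heuristic for that mistake.
    if props.get("KafkaAuthenticationPassword") == users.get(sidecar_user):
        findings.append("KafkaAuthenticationPassword is the plaintext JAAS password")
    return findings


if __name__ == "__main__":
    for finding in check_plain_setup(JAAS_TEXT, SIDECAR_PROPS) or ["OK: files are consistent"]:
        print(finding)
```

Run it as a plain Python 3 script; replace the two constructed strings with the contents of the real files to check a deployment. The password comparison cannot prove a value was produced by EncryptString, only catch the case where the JAAS plaintext was pasted unchanged.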
Configuring SASL/SCRAM-SHA-256 or SASL/SCRAM-SHA-512
Suggested configuration changes in Kafka server (broker):
For more information, refer to Kafka Official Documentation. Use the following guidance:
- To encrypt the passwords, use the EncryptString utility from the folder <Application External>\webapps\siebel\WEB-INF\lib. To encrypt a password, run:

    java -jar EncryptString.jar <password>

  and use the resulting encrypted string.
- All properties beginning with Kafka are used for sidecar AI-Kafka communication.
Make the following changes in Kafka broker:
- Create new users in Kafka by following the official Apache Kafka documentation. In Windows:

    kafka-configs.bat --alter --add-config "SCRAM-SHA-256=[iterations=8192,password=admin-secret],SCRAM-SHA-512=[password=admin-secret]" --entity-type users --entity-name admin --bootstrap-server localhost:9092

  or

    kafka-configs.bat --zookeeper localhost:2181 --alter --add-config "SCRAM-SHA-256=[iterations=8192,password=admin-secret],SCRAM-SHA-512=[password=admin-secret]" --entity-type users --entity-name admin
- Create a file called kafka_server_jaas.conf with the following contents:

    KafkaServer {
      org.apache.kafka.common.security.scram.ScramLoginModule required
      username="admin"
      password="admin-secret";
    };
- Pass the JAAS config file location as a JVM parameter to each Kafka broker:

    -Djava.security.auth.login.config=<path to kafka_server_jaas.conf>
- Configure the SASL port and SASL mechanisms in server.properties:

    listeners=SASL_SSL://<fully qualified server name>:<port number, for example 9093>
    security.inter.broker.protocol=SASL_SSL
    sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 (or SCRAM-SHA-512)
    sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret";
    sasl.enabled.mechanisms=SCRAM-SHA-256 (or SCRAM-SHA-512)
- Configure SSL support in server.properties:

    ssl.keystore.location=<keystore location>
    ssl.keystore.password=<keystore password>
    ssl.truststore.location=<truststore location>
    ssl.truststore.password=<truststore password>
    ssl.key.password=<key password>
    ssl.client.auth=required
Corresponding configurations in the applicationinterface.properties file of the AI sidecars:

    SecureAIToKafkaCommunication=true
    KafkaServers=<Kafka host name>:<Kafka port number>
    KafkaAuthenticationEnabled=true
    KafkaAuthenticationMechanism=SCRAM-SHA-256 (or SCRAM-SHA-512)
    KafkaAuthenticationUser=<SASL user name created in step 1 on the Kafka server>
    KafkaAuthenticationPassword=<Encrypted password for the above user created in step 1>
    KafkaKeyStoreType=JKS
    KafkaKeyStoreName=<Key Store location>
    KafkaKeyStorePassword=<Key Store Password>
    KafkaTrustStoreType=JKS
    KafkaTrustStoreName=<Trust Store location>
    KafkaTrustStorePassword=<Trust Store Password>
    KafkaPassword=<Kafka user password>
    …
    ….other properties for Siebel-Kafka integration….
    ….other properties for AI not related to Siebel-Kafka Integration…
    …
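The broker settings and the sidecar properties above have to agree on four things: the SCRAM mechanism, the listener the sidecar connects to, the security protocol of that listener, and the TLS material required by ssl.client.auth. The script below is an added example (not part of this documentation or of Siebel/Kafka) that reads both files and reports where they diverge, including template placeholders such as <Trust Store location> that were never filled in. The host name kafka01.example.internal, the file paths and the property values are constructed samples; ENCRYPTED_PLACEHOLDER stands in for a real EncryptString result.

```python
"""Cross-check the AI sidecar's Kafka properties against the broker's
server.properties for a SASL/SCRAM listener.
Added example; both property sets below are constructed samples."""

# Constructed sample of the broker's server.properties (SCRAM-SHA-256 over SASL_SSL).
BROKER_PROPS = """
listeners=SASL_SSL://kafka01.example.internal:9093,PLAINTEXT://kafka01.example.internal:9092
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-256
ssl.keystore.location=/opt/kafka/certs/kafkakeystore.jks
ssl.keystore.password=keystore-pass
ssl.truststore.location=/opt/kafka/certs/kafkatruststore.jks
ssl.truststore.password=truststore-pass
ssl.key.password=keystore-pass
ssl.client.auth=required
"""

# Constructed sample of the sidecar's applicationinterface.properties.
SIDECAR_PROPS = """
SecureAIToKafkaCommunication=true
KafkaServers=kafka01.example.internal:9093
KafkaAuthenticationEnabled=true
KafkaAuthenticationMechanism=SCRAM-SHA-256
KafkaAuthenticationUser=siebel
KafkaAuthenticationPassword=ENCRYPTED_PLACEHOLDER
KafkaKeyStoreType=JKS
KafkaKeyStoreName=/opt/siebel/siebelcerts/siebelkeystore.jks
KafkaKeyStorePassword=ENCRYPTED_PLACEHOLDER
KafkaTrustStoreType=JKS
KafkaTrustStoreName=/opt/siebel/siebelcerts/siebeltruststore.jks
KafkaTrustStorePassword=ENCRYPTED_PLACEHOLDER
"""

SCRAM_MECHANISMS = ("SCRAM-SHA-256", "SCRAM-SHA-512")


def parse_props(text):
    """Minimal key=value reader for a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def parse_listeners(value):
    """Map (host, port) -> security protocol from a Kafka 'listeners' value."""
    listeners = {}
    for item in filter(None, (i.strip() for i in value.split(","))):
        proto, _, hostport = item.partition("://")
        host, _, port = hostport.rpartition(":")
        listeners[(host, port)] = proto
    return listeners


def check_scram_setup(broker_text, sidecar_text):
    """Return a list of findings; an empty list means the sidecar settings
    match a SASL_SSL/SCRAM listener on the broker."""
    findings = []
    broker = parse_props(broker_text)
    sidecar = parse_props(sidecar_text)
    # Template placeholders left over from the documentation.
    for key, value in sidecar.items():
        if value.startswith("<") and value.endswith(">"):
            findings.append(f"{key} still holds the template placeholder {value}")
    for key in ("SecureAIToKafkaCommunication", "KafkaAuthenticationEnabled"):
        if sidecar.get(key, "").lower() != "true":
            findings.append(f"{key} is not true")
    # The mechanism must be a SCRAM variant and be enabled on the broker.
    enabled = {m.strip() for m in broker.get("sasl.enabled.mechanisms", "").split(",") if m.strip()}
    mechanism = sidecar.get("KafkaAuthenticationMechanism")
    if mechanism not in SCRAM_MECHANISMS:
        findings.append(f"KafkaAuthenticationMechanism '{mechanism}' is not a SCRAM mechanism")
    elif mechanism not in enabled:
        findings.append(f"broker does not enable {mechanism} (sasl.enabled.mechanisms={sorted(enabled)})")
    if broker.get("sasl.mechanism.inter.broker.protocol") not in enabled:
        findings.append("inter-broker SASL mechanism is not in sasl.enabled.mechanisms")
    # KafkaServers must point at the SASL_SSL listener, not a PLAINTEXT one.
    host, _, port = sidecar.get("KafkaServers", "").rpartition(":")
    proto = parse_listeners(broker.get("listeners", "")).get((host, port))
    if proto is None:
        findings.append(f"KafkaServers {host}:{port} matches no broker listener")
    elif proto != "SASL_SSL":
        findings.append(f"listener {host}:{port} uses {proto}, not SASL_SSL")
    # TLS material: the sidecar always needs a truststore, and a keystore
    # whenever the broker demands client certificates.
    if not sidecar.get("KafkaTrustStoreName"):
        findings.append("KafkaTrustStoreName is empty")
    if broker.get("ssl.client.auth") == "required" and not sidecar.get("KafkaKeyStoreName"):
        findings.append("broker sets ssl.client.auth=required but KafkaKeyStoreName is empty")
    return findings


if __name__ == "__main__":
    for finding in check_scram_setup(BROKER_PROPS, SIDECAR_PROPS) or ["OK: sidecar matches broker"]:
        print(finding)
```

The check covers a single host:port in KafkaServers; if the sidecar lists several brokers, run it once per entry. It does not open a connection, so it catches configuration mismatches before the sidecar is restarted but cannot confirm that the SCRAM user was actually created with kafka-configs.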