Configurations for SASL Authentication

Siebel CRM-Kafka integration supports the following SASL authentication mechanisms:

  • SASL/PLAIN

  • SASL/SCRAM-SHA-256

  • SASL/SCRAM-SHA-512

Configuring SASL/PLAIN

SASL/PLAIN is a simple username/password mechanism in which the client sends the password in clear text inside the SASL exchange. It provides no protection of its own, so it must be used only on a TLS-protected (SASL_SSL) listener, as in the configuration below; never expose it on a SASL_PLAINTEXT listener.
Note: All user names and passwords mentioned below are samples only; replace them with your own values.

Changes in Kafka broker:

  1. Create a new Java Authentication and Authorization Service (JAAS) file called kafka-server-jaas.conf with contents like the one below and add the Kafka server users to it. The username and password properties are the credential the broker itself uses to connect to other brokers; each user_<name>="<password>" entry defines one user that clients may authenticate as (here admin, alice and siebel).

    KafkaServer {
        org.apache.kafka.common.security.plain.PlainLoginModule required
        username="admin"
        password="admin-secret"
        user_admin="admin-secret"
        user_alice="alice-secret"
        user_siebel="siebel-secret";
    };
    
  2. Pass the JAAS file created above to the Kafka broker as a JVM parameter: -Djava.security.auth.login.config=<path to kafka-server-jaas.conf>

    For example, in a Windows Kafka environment this can be done as follows. For other platforms, check the official Kafka documentation.

    set KAFKA_OPTS=-Djava.security.auth.login.config=kafka-server-jaas.conf
  3. Update the server.properties file of the Kafka broker as follows:

    listeners=SASL_SSL://serverurl.oraclevcn.com:9095
    security.inter.broker.protocol=SASL_SSL
    sasl.mechanism.inter.broker.protocol=PLAIN
    sasl.enabled.mechanisms=PLAIN
    

    and also add the SSL settings. With ssl.client.auth=required the broker also demands a client certificate, so the AI sidecar must present one (from its KafkaKeyStoreName) that the broker's truststore trusts:

    ssl.keystore.location=C:\\DebugBuild\\certs\\siebelkeystore.jks
    ssl.keystore.password=siebel
    ssl.truststore.location=C:\\DebugBuild\\certs\\siebeltruststore.jks
    ssl.truststore.password=siebel
    ssl.key.password=siebel
    ssl.client.auth=required
    
Note: The JAAS file and server.properties hold clear-text passwords, so restrict their file permissions to the account that runs the broker. For more information, refer to the Kafka documentation: https://kafka.apache.org/documentation/#security_sasl_plain

Changes in AI sidecar for SASL/PLAIN:

  1. Generate the encrypted form of the password of the SASL user that the AI sidecar will use (one of the user_<name> entries in the kafka-server-jaas.conf file shown above) by using the EncryptString jar file in <AI server>\webapps\siebel\WEB-INF\lib.

  2. Update the following properties in applicationinterface.properties:

    SecureAIToKafkaCommunication=true
    KafkaServers=<Kafka host name>:<Kafka port number>
    KafkaAuthenticationEnabled=true
    KafkaAuthenticationMechanism=PLAIN
    KafkaAuthenticationUser=<SASL user name defined by a user_<name> entry in the kafka-server-jaas.conf file on the Kafka server, for example siebel>
    KafkaAuthenticationPassword=<Encrypted password for the above user from the kafka-server-jaas.conf file>
    KafkaKeyStoreType=JKS
    KafkaKeyStoreName=<Key Store location, for example, on Windows, Z:\\siebel\\applicationcontainer_external\\siebelcerts\\siebelkeystore.jks>
    KafkaKeyStorePassword=<Encrypted Key Store Password>
    KafkaTrustStoreType=JKS
    KafkaTrustStoreName=<Trust Store location, for example, on Windows, Z:\\siebel\\applicationcontainer_external\\siebelcerts\\siebeltruststore.jks>
    KafkaTrustStorePassword=<Trust Store Password>
    KafkaPassword=<Encrypted Kafka user password>
    

Configuring SASL/SCRAM-SHA-256 or SASL/SCRAM-SHA-512

Suggested configuration changes in Kafka server (broker):

For more information, refer to the official Kafka documentation. Use the following guidance:

Note:
  • To encrypt the passwords, use the EncryptString utility from the folder <Application External>\webapps\siebel\WEB-INF\lib

    To encrypt the password, run: java -jar EncryptString.jar <password> and use the resulting encrypted string.

  • All properties in applicationinterface.properties whose names begin with Kafka configure the AI sidecar-to-Kafka communication.

Make the following changes in Kafka broker:

  1. Create the SCRAM users in Kafka by following the official Apache Kafka documentation. The broker stores only the salt, the iteration count and the derived StoredKey and ServerKey for each user, not the password itself. Create the admin user first (it is the inter-broker credential in step 2), then repeat the command for every client user, for example the user the AI sidecar will authenticate as.

    In Windows:

    kafka-configs.bat --alter --add-config "SCRAM-SHA-256=[iterations=8192,password=admin-secret],SCRAM-SHA-512=[password=admin-secret]" --entity-type users --entity-name admin --bootstrap-server localhost:9092

    When the only listener is SASL_SSL, the --bootstrap-server form itself has to authenticate (pass a client properties file with --command-config), so create the first admin credential before SASL is enforced on the listener, or use the ZooKeeper form below on a ZooKeeper-based cluster (the --zookeeper option is deprecated and is not available in KRaft mode):

    kafka-configs.bat --zookeeper localhost:2181 --alter --add-config "SCRAM-SHA-256=[iterations=8192,password=admin-secret],SCRAM-SHA-512=[password=admin-secret]" --entity-type users --entity-name admin
  2. Create a file called kafka_server_jaas.conf with the following contents. The username and password here are the credential the broker uses for inter-broker connections, so this user must have been created in step 1:

    KafkaServer {
        org.apache.kafka.common.security.scram.ScramLoginModule required
        username="admin"
        password="admin-secret";
    };

  3. Pass the JAAS config file location as a JVM parameter to each Kafka broker:

    -Djava.security.auth.login.config=<path to kafka_server_jaas.conf>

  4. Configure the SASL port and SASL mechanisms in server.properties:

    listeners=SASL_SSL://<fully qualified server name>:<port number, for example 9093>
    security.inter.broker.protocol=SASL_SSL
    sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 (or SCRAM-SHA-512)
    sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret";
    sasl.enabled.mechanisms=SCRAM-SHA-256 (or SCRAM-SHA-512)

    The sasl.jaas.config line carries the same credential as the JAAS file from step 3; one of the two is sufficient. If you keep it in server.properties, note that the Kafka broker documentation specifies the property with a listener and mechanism prefix, for example listener.name.sasl_ssl.scram-sha-256.sasl.jaas.config=..., and that the file then holds a clear-text password and must be permission-restricted like the JAAS file.

  5. Configure SSL support in server.properties (ssl.client.auth=required additionally demands a client certificate from the AI sidecar):

    ssl.keystore.location=<A keystore location>
    ssl.keystore.password=<keystore password>
    ssl.truststore.location=<truststore location>
    ssl.truststore.password=<truststore password>
    ssl.key.password=<necessary password>
    ssl.client.auth=required
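The two mechanisms differ in what actually crosses the wire and in what the broker has to store, which is the reason for the TLS requirement stated for SASL/PLAIN above and for the iterations and password values handed to kafka-configs in step 1. The following script, added here as an example and not part of Siebel, Kafka or the Oracle documentation, models both: an RFC 4616 PLAIN initial response, and a complete RFC 5802 SCRAM exchange with both sides' messages, run against a credential stored the way the broker stores it (salt, iteration count, StoredKey, ServerKey). User names, passwords, salt and nonces are constructed test data (the SCRAM values are the published RFC 7677 SHA-256 example), and all function names are this example's own.

```python
"""Added example: what SASL/PLAIN and SASL/SCRAM actually put on the wire.

Not Siebel or Kafka code; a minimal RFC 4616 / RFC 5802 model so the two
mechanisms can be compared offline. Users, passwords, salt and nonces are
constructed test data (the SCRAM values are the RFC 7677 SHA-256 example).
"""
import base64
import hashlib
import hmac
import os


def plain_initial_response(username: str, password: str, authzid: str = "") -> bytes:
    """RFC 4616 SASL/PLAIN client message: authzid NUL authcid NUL passwd.
    The password travels verbatim, which is why the listener must be SASL_SSL."""
    return authzid.encode() + b"\0" + username.encode() + b"\0" + password.encode()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_credential(password: str, salt: bytes, iterations: int, hash_name: str = "sha256") -> dict:
    """What the broker keeps after kafka-configs --add-config SCRAM-SHA-256=[iterations=N,password=P]:
    salt, iteration count, StoredKey and ServerKey. The password itself is not stored."""
    dk_len = hashlib.new(hash_name).digest_size
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode(), salt, iterations, dklen=dk_len)  # Hi() of RFC 5802
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    return {
        "hash": hash_name,
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.new(hash_name, client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hash_name).digest(),
    }


def scram_exchange(username, password, credential, client_nonce=None, server_nonce=None):
    """Run both sides of an RFC 5802 exchange. Returns (authenticated, messages); authenticated is
    True only if the server accepted the client proof AND the client verified the server signature."""
    h = credential["hash"]
    dk_len = hashlib.new(h).digest_size
    c_nonce = client_nonce or base64.b64encode(os.urandom(18)).decode()
    s_nonce = server_nonce or base64.b64encode(os.urandom(18)).decode()

    # C -> S: no channel binding ("n,,"), user name, client nonce
    client_first_bare = f"n={username},r={c_nonce}"
    client_first = "n,," + client_first_bare

    # S -> C: combined nonce, stored salt and iteration count (no secret material)
    server_first = (f"r={c_nonce}{s_nonce},s={base64.b64encode(credential['salt']).decode()},"
                    f"i={credential['iterations']}")

    # Client: derive its keys from the password plus the server-supplied salt and iteration count
    attrs = dict(item.split("=", 1) for item in server_first.split(","))
    salted = hashlib.pbkdf2_hmac(h, password.encode(), base64.b64decode(attrs["s"]), int(attrs["i"]), dklen=dk_len)
    client_key = hmac.new(salted, b"Client Key", h).digest()
    stored_key = hashlib.new(h, client_key).digest()
    client_final_bare = f"c={base64.b64encode(b'n,,').decode()},r={attrs['r']}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_proof = _xor(client_key, hmac.new(stored_key, auth_message, h).digest())
    client_final = f"{client_final_bare},p={base64.b64encode(client_proof).decode()}"

    # Server: recover ClientKey from the proof using StoredKey only, then hash and compare
    recovered_key = _xor(client_proof, hmac.new(credential["stored_key"], auth_message, h).digest())
    if not hmac.compare_digest(hashlib.new(h, recovered_key).digest(), credential["stored_key"]):
        return False, [client_first, server_first, client_final, "e=invalid-proof"]
    server_final = "v=" + base64.b64encode(hmac.new(credential["server_key"], auth_message, h).digest()).decode()

    # Client: the server proves it holds ServerKey, so a rogue broker cannot silently harvest proofs
    expected = hmac.new(hmac.new(salted, b"Server Key", h).digest(), auth_message, h).digest()
    server_ok = hmac.compare_digest(base64.b64decode(server_final[2:]), expected)
    return server_ok, [client_first, server_first, client_final, server_final]


# Constructed inputs: the SCRAM-SHA-256 example from RFC 7677 section 3.
RFC7677_SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
RFC7677_CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
RFC7677_SERVER_NONCE = "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"


def demo():
    plain = plain_initial_response("siebel", "siebel-secret")
    cred = scram_credential("pencil", RFC7677_SALT, 4096)
    ok, msgs = scram_exchange("user", "pencil", cred, RFC7677_CLIENT_NONCE, RFC7677_SERVER_NONCE)
    return plain, ok, msgs


if __name__ == "__main__":
    plain, ok, msgs = demo()
    print("PLAIN puts the password on the wire:", plain)
    print("SCRAM authenticated:", ok)
    for direction, m in zip(("C->S", "S->C", "C->S", "S->C"), msgs):
        print(direction, m)
```

Running the demo shows the PLAIN message containing siebel-secret verbatim, while none of the four SCRAM messages contains the password; the server side verifies the proof with StoredKey alone, and the 8192 iterations from step 1 are the cost an attacker pays per guess if the stored credential leaks.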

Corresponding configurations in applicationinterface.properties file of AI sidecars:

SecureAIToKafkaCommunication=true
KafkaServers=<Kafka host name>:<Kafka port number>
KafkaAuthenticationEnabled=true
KafkaAuthenticationMechanism=SCRAM-SHA-256 (or SCRAM-SHA-512)
KafkaAuthenticationUser=<SASL user name created in step 1 on Kafka server>
KafkaAuthenticationPassword=<Encrypted password for the above user created in step 1>
KafkaKeyStoreType=JKS
KafkaKeyStoreName=<Key Store location>
KafkaKeyStorePassword=<Key Store Password>
KafkaTrustStoreType=JKS
KafkaTrustStoreName=<Trust Store location>
KafkaTrustStorePassword=<Trust Store Password>
KafkaPassword=<Kafka user password>
…
….other properties for Siebel-Kafka integration….
….other properties for AI not related to Siebel-Kafka Integration…
…
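Most failures after these changes are mismatches between the broker side and the sidecar side (a mechanism that is not in sasl.enabled.mechanisms, a SASL_PLAINTEXT listener left in place, ssl.client.auth=required with no sidecar keystore, a PLAIN user with no user_<name> entry in the JAAS file), which surface only as an authentication error at sidecar start-up. The following pre-flight check, added here as an example and not part of Siebel or Kafka, reads server.properties and applicationinterface.properties fragments using the property names from this section and reports such mismatches before anything is restarted. The sample files, hosts, paths and placeholder values are constructed, and the function names are this example's own.

```python
"""Added example: pre-flight consistency check of broker vs AI-sidecar SASL settings.

Not Siebel or Kafka code. It reads the property names used in this section
and reports mismatches that otherwise only surface as an opaque authentication
failure at sidecar start-up. The sample files below are constructed.
"""
import re


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value per line, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def jaas_plain_users(jaas_text: str) -> set:
    """Users a PLAIN client may log in as: the user_<name>="..." entries of KafkaServer {...}."""
    return set(re.findall(r'\buser_([A-Za-z0-9_.-]+)\s*=\s*"', jaas_text))


def check_sasl_setup(broker: dict, sidecar: dict, jaas_text: str = "") -> list:
    """Return findings as strings; an empty list means the two sides agree."""
    findings = []
    listeners = [l.strip() for l in broker.get("listeners", "").split(",") if l.strip()]
    protocols = {l.split("://", 1)[0] for l in listeners}
    if protocols & {"PLAINTEXT", "SASL_PLAINTEXT"}:
        findings.append("broker has a non-TLS listener; SASL/PLAIN credentials would cross the network in clear")
    if "SASL_SSL" not in protocols:
        findings.append("broker has no SASL_SSL listener for SecureAIToKafkaCommunication")
    enabled = {m.strip() for m in broker.get("sasl.enabled.mechanisms", "").split(",") if m.strip()}
    inter = broker.get("sasl.mechanism.inter.broker.protocol")
    if inter and inter not in enabled:
        findings.append(f"inter-broker mechanism {inter} is not listed in sasl.enabled.mechanisms")
    if sidecar.get("SecureAIToKafkaCommunication", "").lower() != "true":
        findings.append("SecureAIToKafkaCommunication must be true for a SASL_SSL listener")
    mech = sidecar.get("KafkaAuthenticationMechanism", "")
    if sidecar.get("KafkaAuthenticationEnabled", "").lower() != "true":
        findings.append("KafkaAuthenticationEnabled is not true on the sidecar")
    elif mech not in enabled:
        findings.append(f"sidecar mechanism {mech!r} is not enabled on the broker (enabled: {sorted(enabled)})")
    if broker.get("ssl.client.auth") == "required" and not sidecar.get("KafkaKeyStoreName"):
        findings.append("broker requires client certificates (ssl.client.auth=required) but KafkaKeyStoreName is unset")
    if mech == "PLAIN" and jaas_text:
        user = sidecar.get("KafkaAuthenticationUser", "")
        if user not in jaas_plain_users(jaas_text):
            findings.append(f"PLAIN user {user!r} has no user_{user} entry in the broker JAAS file")
    sasl_ports = {l.rsplit(":", 1)[-1] for l in listeners if l.startswith("SASL_SSL://")}
    ports = {s.strip().rsplit(":", 1)[-1] for s in sidecar.get("KafkaServers", "").split(",") if s.strip()}
    if sasl_ports and not ports <= sasl_ports:
        findings.append(f"KafkaServers port(s) {sorted(ports)} are not the SASL_SSL listener port(s) {sorted(sasl_ports)}")
    return findings


# Constructed sample inputs (hosts, paths and placeholder values are not from the documentation).
BROKER_OK = """\
listeners=SASL_SSL://kafka01.example.internal:9095
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-256,SCRAM-SHA-512
ssl.client.auth=required
"""
SIDECAR_OK = """\
SecureAIToKafkaCommunication=true
KafkaServers=kafka01.example.internal:9095
KafkaAuthenticationEnabled=true
KafkaAuthenticationMechanism=SCRAM-SHA-256
KafkaAuthenticationUser=siebel
KafkaAuthenticationPassword=<output of EncryptString.jar>
KafkaKeyStoreType=JKS
KafkaKeyStoreName=/opt/siebel/certs/siebelkeystore.jks
"""
# Weak broker: non-TLS SASL listener plus a mechanism mismatch with both the sidecar and the inter-broker setting.
BROKER_WEAK = """\
listeners=SASL_PLAINTEXT://kafka01.example.internal:9092
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-512
"""
JAAS_PLAIN = ('KafkaServer { org.apache.kafka.common.security.plain.PlainLoginModule required '
              'username="admin" password="admin-secret" user_admin="admin-secret" user_siebel="siebel-secret"; };')

if __name__ == "__main__":
    for name, text in (("ok", BROKER_OK), ("weak", BROKER_WEAK)):
        print(name, check_sasl_setup(parse_properties(text), parse_properties(SIDECAR_OK)) or "no findings")
```

Run it against the real files by replacing the constructed strings with the contents of server.properties, applicationinterface.properties and (for PLAIN) the JAAS file; it deliberately does not read passwords or keystores, so it can be run from a workstation without any secret material.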