Configurations for SASL Authentication

Siebel CRM-Kafka integration supports the following SASL authentication mechanisms:

SASL/PLAIN
SASL/SCRAM-SHA-256
SASL/SCRAM-SHA-512

Configuring SASL/PLAIN

SASL/PLAIN is a simple username/password authentication mechanism that can be used with TLS for encryption to implement secure authentication.

Note: All username and passwords mentioned below are for sample purposes only.

Changes in Kafka broker:

Create a new java Authentication and Authorization Service (JAAS) file called kafka-server-jaas.conf with contents like the one below. You need to add the Kafka server users in this file.

KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_alice="alice-secret"
    user_siebel="siebel-secret";
};

Pass the above mentioned jaas file as JVM parameter in Kafka broker as follows:-Djava.security.auth.login.config=<pathto kafka_server_jaas.conf>
For example, in a Windows Kafka environment, it can be done as follows. For configuration for other platforms, please check Kafka official reference documentation.
set KAFKA_OPTS=-Djava.security.auth.login.config=kafka-server-jaas.conf

Update the server.properties file of the Kafka broker as follows:

listeners=SASL_SSL://serverurl.oraclevcn.com:9095
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN

and also add (for SSL configurations)

ssl.keystore.location=C:\\DebugBuild\\certs\\siebelkeystore.jks
ssl.keystore.password=siebel
ssl.truststore.location=C:\\DebugBuild\\certs\\siebeltruststore.jks
ssl.truststore.password=siebel
ssl.key.password=siebel
ssl.client.auth=required

Note: Please refer the Kafka documentation for more information, https://kafka.apache.org/documentation /#security_sasl_plain

Changes in AI sidecar for SASL/PLAIN:

Generate the encrypted password for the passwords setup in the Kafka-server-jaas.conf file (shown above) by using the EncryptString jar file in <AI server>\webapps\siebel\WEB-INF\lib.

Update the following properties in application interface.properties:

SecureAIToKafkaCommunication=true
KafkaServers=<Kafka host name>:<Kafka port number>
KafkaAuthenticationEnabled=true
KafkaAuthenticationMechanism=PLAIN
KafkaAuthenticationUser=<SASL user name created in the Kafka-server-jaas.conf file on Kafka server>
KafkaAuthenticationPassword=<Encrypted password for the above user from the kafka-server-jaas.conf file>
KafkaKeyStoreType=JKS
KafkaKeyStoreName=<Key Store location e.g. Z:\\siebel\\applicationcontainer_external\\siebelcerts\\siebelkeystore.jks>
KafkaKeyStorePassword=<Encrypted Key Store Password>
KafkaTrustStoreType=JKS
KafkaTrustStoreName=< Encrypted Trust Store location for example, in Windows, Z:\\siebel\\applicationcontainer_external\\siebelcerts\\siebelkeystore.jks>
KafkaTrustStorePassword=<Trust Store Password>
KafkaPassword=<Encrypted Kafka user password>

Configuring SASL/SCRAM-SHA-256 or SASL/SCRAM-SHA-512

Suggested configuration changes in Kafka server (broker):

For more information, refer to Kafka Official Documentation. Use the following guidance:

Note:

To encrypt the passwords, use the EncryptString utility from the folder <Application External>\webapps\siebel\WEB-INF\lib

To encrypt the password, run: java -jar EncryptString.jar <password> and use the resulting encrypted string.
All properties beginning with Kafka are used for sidecar AI-Kafka communication.

Make the following changes in Kafka broker:

Create new users in Kafka by following the official Apache Kafka documentation.

In Windows:

kafka-configs.bat --alter --add-config "SCRAM-SHA-256=[iterations=8192,password=admin-
secret],SCRAM-SHA-512=[password=admin-secret]" --entity-type users --entity-name admin --bootstrap-server localhost:9092

kafka-configs.bat --zookeeper localhost:2181 --alter --add-config "SCRAM-SHA-
256=[iterations=8192,password=admin-secret],SCRAM-SHA-512=[password=admin-secret]" --entity-type users --entity-name admin

Create a file called kafka_server_jaas.conf with the following contents:

KafkaServer {
             org.apache.kafka.common.security.scram.ScramLoginModule required
             username="admin"
             password="admin-secret";
};

Pass the JAAS config file location as JVM parameter to each Kafka broker:
```
-Djava.security.auth.login.config=/path to kafka_server_jaas.conf
```

Configure SASL port and SASL mechanisms in server.properties:

listeners=SASL_SSL://<fully qualified server name>:<port number, for example 9093>
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 (or SCRAM-SHA-512)
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule require
d username=admin password=admin-secret;
sasl.enabled.mechanisms=SCRAM-SHA-256 (or SCRAM-SHA-512)

Configure SSL support configuration in server.properties:

ssl.keystore.location=<A keystore location>
ssl.keystore.password=<keystore password>
ssl.truststore.location=<truststore location>
ssl.truststore.password=<truststore password>
ssl.key.password=<necessary password>
ssl.client.auth=required

Corresponding configurations in applicationinterface.properties file of AI sidecars:

SecureAIToKafkaCommunication=true
KafkaServers=<Kafka host name>:<Kafka port number>
KafkaAuthenticationEnabled=true
KafkaAuthenticationMechanism=SCRAM-SHA-256 (or SCRAM-SHA-512)
KafkaAuthenticationUser=<SASL user name created in step 1 on Kafka server>
KafkaAuthenticationPassword=<Encrypted password for the above user created in step 1>. 
KafkaKeyStoreType=JKS
KafkaKeyStoreName=<Key Store location>
KafkaKeyStorePassword=<Key Store Password>
KafkaTrustStoreType=JKS
KafkaTrustStoreName=<Trust Store location>
KafkaTrustStorePassword=<Trust Store Password>
KafkaPassword=<Kafka user password>
…
….other properties for Siebel-Kafka integration….
….other properties for AI not related to Siebel-Kafka Integration…
	…