5.6.1 Enabling Security in IDIH

Steps to enable SSL in Kafka VM

Prerequisite

Refer to SSL Certificate creation for IDIH in the Post Installation Procedure section.

Perform the following steps to populate SSL fields in server.properties file:

  1. Log in to Kafka VM.
  2. Create the certificate directory at the following path if it does not already exist:
    mkdir /opt/kafka/store/
  3. Copy Kafka certificates to the /opt/kafka/store directory.
  4. Update the permissions of the /opt/kafka/store folder as well as the keystore and truststore files using the following command:
    • Assuming the name of the keystore file is serverKeyStore.p12
    • Assuming the name of the truststore file is trustStore.p12
    chmod 775 /opt/kafka/store; chmod 775 /opt/kafka/store/serverKeyStore.p12; chmod 775 /opt/kafka/store/trustStore.p12
  5. Navigate to /opt/kafka/config directory.
    cd /opt/kafka/config
  6. Open server.properties in an editor:
    vi server.properties
  7. Modify the listener.security.protocol.map property:
    1. There are three instances of listener.security.protocol.map in server.properties.
    2. Uncomment the one that has "SSL" for the EXTERNAL listener and comment out the other two.
      # Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
      #listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:PLAINTEXT
       
      # Uncomment the below line and comment the other instances of "listener.security.protocol.map" to enable SSL for EXTERNAL Connectivity
      listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SSL
       
      # Uncomment the below line and comment the other instances of "listener.security.protocol.map" to enable SASL_SSL for EXTERNAL Connectivity
      #listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SASL_SSL
  8. Uncomment and update the following SSL properties, which are present at the end of the file:
    # SSL
     ssl.protocol=TLS
     ssl.enabled.protocols=TLSv1.3
     ssl.keystore.type=PKCS12
     ssl.keystore.location=/opt/kafka/store/serverKeyStore.p12
     ssl.keystore.password=<keystore password>
     ssl.key.password=<key_password>
     ssl.truststore.type=PKCS12
     ssl.truststore.location=/opt/kafka/store/trustStore.p12
     ssl.truststore.password=<trust password>
     ssl.cipher.suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
     ssl.client.auth=required

  9. Restart Kafka by running the following command:
    
    systemctl restart kafka
  10. Kafka logs can be accessed in the /opt/kafka/kafkaservice.log file.

    Note:

    For the JKS keystore type, update the following properties accordingly:
    • ssl.keystore.type and ssl.keystore.location
    • ssl.truststore.type and ssl.truststore.location
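The following Python check is an added example, not part of the original procedure or of the IDIH product: it parses a server.properties fragment the way the steps above describe it (exactly one active listener.security.protocol.map, EXTERNAL on SSL or SASL_SSL, TLSv1.3 only, ssl.client.auth=required, template placeholders replaced, and store type matching the deployed file per the JKS note). The sample configuration is constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample mirroring the template above (placeholder left in, JKS type on a .p12 file).
SAMPLE = """\
#listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:PLAINTEXT
listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SSL
#listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SASL_SSL
ssl.enabled.protocols=TLSv1.3
ssl.keystore.type = PKCS12
ssl.keystore.location = /opt/kafka/store/serverKeyStore.p12
ssl.keystore.password = <keystore password>
ssl.truststore.type = JKS
ssl.truststore.location = /opt/kafka/store/trustStore.p12
ssl.truststore.password = trustPw123
ssl.client.auth = required
"""

def parse_properties(text):
    """Parse key=value lines, skipping comments; whitespace around '=' is tolerated
    (Java Properties accepts both forms). Duplicates are kept so they can be counted."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return entries

def check_kafka_ssl_config(text):
    """Return findings as strings; an empty list means the file matches the procedure."""
    entries = parse_properties(text)
    props, findings = dict(entries), []
    maps = [v for k, v in entries if k == "listener.security.protocol.map"]
    if len(maps) != 1:
        findings.append(f"expected exactly one active listener.security.protocol.map, found {len(maps)}")
    elif dict(p.split(":", 1) for p in maps[0].split(",")).get("EXTERNAL") not in ("SSL", "SASL_SSL"):
        findings.append("EXTERNAL listener is not mapped to SSL or SASL_SSL")
    if props.get("ssl.enabled.protocols") != "TLSv1.3":
        findings.append("ssl.enabled.protocols is not TLSv1.3")
    if props.get("ssl.client.auth") != "required":
        findings.append("ssl.client.auth is not 'required', so client certificates are not enforced")
    for key in ("ssl.keystore.password", "ssl.key.password", "ssl.truststore.password"):
        if re.fullmatch(r"<.*>", props.get(key, "")):   # template placeholder never replaced
            findings.append(f"{key} still holds the template placeholder")
    for store in ("keystore", "truststore"):            # type must match the deployed file (JKS note)
        suffix = PurePosixPath(props.get(f"ssl.{store}.location", "")).suffix.lower()
        expected = {".p12": "PKCS12", ".pfx": "PKCS12", ".jks": "JKS"}.get(suffix)
        if expected and props.get(f"ssl.{store}.type") != expected:
            findings.append(f"ssl.{store}.type should be {expected} for a {suffix} file")
    return findings
```

Run it against the real file with check_kafka_ssl_config(open("/opt/kafka/config/server.properties").read()) before restarting Kafka.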

Steps to enable SASL_SSL in Kafka VM

SASL_SSL is a combination of SASL and SSL.

Prerequisites

SSL must be enabled. If SSL is not enabled, follow Steps to enable SSL in Kafka VM, except for steps 7 and 9.

Perform the following steps to populate the SASL_SSL fields in the server.properties file:

  1. Log in to Kafka VM.
  2. Go to /opt/kafka/config and open the server.properties file.
    
    cd /opt/kafka/config
    vi server.properties
  3. Modify the listener.security.protocol.map property:
    1. There are three instances of listener.security.protocol.map in server.properties.
    2. Uncomment the one that has SASL_SSL for the EXTERNAL listener and comment out the other two.
      # Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
      #listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:PLAINTEXT
       
      # Uncomment the below line and comment the other instances of "listener.security.protocol.map" to enable SSL for EXTERNAL Connectivity
      #listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SSL
       
      # Uncomment the below line and comment the other instances of "listener.security.protocol.map" to enable SASL_SSL for EXTERNAL Connectivity
      listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SASL_SSL
  4. Uncomment the following property:
    sasl.enabled.mechanisms=PLAIN
  5. Go to the /opt/kafka/store path:
    cd /opt/kafka/store
  6. Create a file named kafka_server_jaas.conf using the following template (JAAS requires straight double quotes around the passwords; the last entry is terminated with a semicolon):
    KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    user_username1="user1password"
    user_username2="user2password"
    user_username3="user3password"
    user_username4="user4password"
    .
    .
    .
    user_usernameN="userNpassword";
    };
    
    
    Example:
    KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    user_idihuser1="changeme"
    user_idihuser2="changeme"
    user_idihuser3="changeme";
    };

    Note:

    • The username accepts only alphanumeric characters. Range: the length of the username must be between 8 and 64 characters.
    • The password accepts any characters. Range: the length of the password must be between 8 and 64 characters.
  7. Update the permissions of the file so that the kafka process has read access and other users are restricted.
  8. Export the following environment variable:
    export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/store/kafka_server_jaas.conf"
  9. Run the following command to restart Kafka:
    systemctl restart kafka
  10. Kafka logs can be accessed in the /opt/kafka/kafkaservice.log file.
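As an added example (not part of the original procedure or the IDIH product), this Python function parses a kafka_server_jaas.conf written from the template in step 6 and checks it against the constraints in the note: alphanumeric usernames of 8 to 64 characters, passwords of 8 to 64 characters, straight quotes, a semicolon only on the last entry, and passwords still equal to the example value. The sample file is constructed for the example.

```python
import re

# Constructed sample in the format of the template above; the third entry uses
# curly quotes (as copy-paste from a document often produces) and a short username.
SAMPLE_JAAS = """\
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
user_idihuser1="Str0ngPassw0rd"
user_idihuser2="changeme"
user_idih3=“short”;
};
"""

# One user_<name>="<password>" entry; curly quotes are accepted here only so they can be reported.
ENTRY = re.compile(r'^\s*user_(?P<name>\S+?)\s*=\s*(?P<q>["“”])(?P<pw>.*?)["“”]\s*(?P<end>;?)\s*$')

def parse_jaas_users(text):
    """Return (users, findings) for the KafkaServer block of a PlainLoginModule JAAS file."""
    users, findings = {}, []
    block = re.search(r"KafkaServer\s*\{(.*?)\};", text, re.S)
    if not block:
        return users, ["no 'KafkaServer { ... };' block found"]
    body = block.group(1)
    if "org.apache.kafka.common.security.plain.PlainLoginModule required" not in body:
        findings.append("PlainLoginModule 'required' line missing")
    lines = [l for l in body.splitlines() if l.strip().startswith("user_")]
    for i, line in enumerate(lines):
        m = ENTRY.match(line)
        if not m:
            findings.append(f"unparseable entry: {line.strip()}")
            continue
        name, pw = m["name"], m["pw"]
        if m["q"] != '"':
            findings.append(f"{name}: curly quotes will not parse as a JAAS string; use straight quotes")
        if not re.fullmatch(r"[A-Za-z0-9]{8,64}", name):
            findings.append(f"{name}: username must be 8-64 alphanumeric characters")
        if not 8 <= len(pw) <= 64:
            findings.append(f"{name}: password length must be 8-64 characters")
        if pw == "changeme":
            findings.append(f"{name}: password is still the example value 'changeme'")
        if (i == len(lines) - 1) != bool(m["end"]):   # ';' terminates the last entry only
            findings.append(f"{name}: only the last entry must end with ';'")
        users[name] = pw
    return users, findings
```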

Enable SSL for internal communication in Service VM

Prerequisites:

Refer to SSL Certificate creation for IDIH in the Post Installation Procedure section.

Perform the following steps to enable SSL for internal communication in Service VM:

  1. Log in to Service VM.
  2. Copy the files to the /opt/store path in the Service VM.
  3. Update the permissions of the /opt/store folder as well as the keystore and truststore files using the following command:
    chmod 775 /opt/store; chmod 775 /opt/store/serverKeyStore.p12; chmod 775 /opt/store/trustStore.p12
  4. Go to the opt directory:
    cd /opt
  5. Edit the docker compose file:
    vi cnidih_VM.yaml
  6. The passwords for the keystore and truststore are provided by default. If you replace the files, modify the passwords in the following sections:
    
    MICRONAUT_SERVER_SSL_KEY_STORE_PASSWORD
    MICRONAUT_SERVER_SSL_TRUST_STORE_PASSWORD
    MICRONAUT_HTTP_CLIENT_SSL_KEY_STORE_PASSWORD
    MICRONAUT_HTTP_CLIENT_SSL_TRUST_STORE_PASSWORD

Service VM Alert Manager TLS Config

  1. On the Service VM, navigate to the /opt path and then to the alertmanager directory. This directory contains a file named alertmanager.yaml.
  2. Open the file, comment out the line for non-TLS communication, and uncomment the lines for the TLS configuration, as shown below (the snippet shows the file before the change, with the TLS lines still commented out). Note that insecure_skip_verify: true disables verification of the alarmmanagement server certificate.
    
    - url: 'http://alarmmanagement:8092/api/cnidih/alarmmanagement/v1/alarms'
    # below four lines are for tls
    #- url: 'https://alarmmanagement:8092/api/cnidih/alarmmanagement/v1/alarms'
    #  http_config:
    #    tls_config:
    #      insecure_skip_verify: true
  3. After making the changes, run the following command to list all the containers:
    podman ps -a
  4. Identify the Alertmanager container and remove it by running the following command:
    podman rm -f <container id>
  5. Run the following command to restart the services:
    docker-compose -f cnidih_VM.yaml up -d

    Note:

    Ensure the password for certificates has been updated accordingly in the cnidih_VM.yaml file.

Validation

  • Access Kafka using client certificates.
  • Access the IDIH portal with https://.