5.7.1 Enabling Security in IDIH

Note:

You can skip the steps below if you are using the default certificates.

For SSL certificate creation, see the Generating Self-Signed Certificate For IDIH section.

Perform the following steps to populate the SSL fields in the broker.properties file:

  1. Log in to the Kafka VM.
  2. Create the certificate directory if it does not exist:
    mkdir /opt/kafka/store/
  3. Copy the Kafka keystore and truststore files to the /opt/kafka/store directory.
  4. Update the permissions of the /opt/kafka/store folder and of the keystore and truststore files using the following command:
    • Assuming the name of the keystore file is serverKeyStore.p12
    • Assuming the name of the truststore file is trustStore.p12
    chmod 775 /opt/kafka/store; chmod 775 /opt/kafka/store/serverKeyStore.p12; chmod 775 /opt/kafka/store/trustStore.p12
    Mode 775 leaves both stores readable by every local account, and the keystore contains the broker's private key. If the broker runs under a dedicated service account, make that account the owner of the files and remove read access for others (for example mode 640) once the broker has been confirmed to start with the new stores.
  5. Navigate to /opt/kafka/config directory.
    cd /opt/kafka/config
  6. Open broker.properties with vi broker.properties.
  7. Modify the listener.security.protocol.map property:
    1. There are three instances of listener.security.protocol.map in broker.properties.
    2. Uncomment the one that maps the EXTERNAL listener to SSL and comment out the other two. Exactly one instance must remain active: if two are left uncommented, the last one in the file takes effect, which may be the PLAINTEXT mapping.
      # Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
      #listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:PLAINTEXT
       
      # Uncomment the below line and comment the other instances of "listener.security.protocol.map" to enable SSL for EXTERNAL Connectivity
      listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SSL
       
      # Uncomment the below line and comment the other instances of "listener.security.protocol.map" to enable SASL_SSL for EXTERNAL Connectivity
      #listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SASL_SSL
  8. Add or update the following SSL properties, which are at the end of the file:
    # SSL
       ssl.protocol = TLS
       ssl.enabled.protocols=TLSv1.3
       ssl.keystore.type = PKCS12
       ssl.keystore.location = /opt/kafka/store/serverKeyStore.p12
       ssl.keystore.password = <keystore password>
       ssl.key.password = <key_password>
       ssl.truststore.type = PKCS12
       ssl.truststore.location = /opt/kafka/store/trustStore.p12
       ssl.truststore.password = <trust password>
       ssl.cipher.suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
       ssl.client.auth = required
    Replace each <...> placeholder with the real password. keytool does not allow a PKCS12 keystore to use a key password different from the store password, so ssl.key.password normally has the same value as ssl.keystore.password. ssl.client.auth=required makes the broker reject any TLS client that does not present a certificate chaining to a CA in the truststore; it applies to every SSL listener unless overridden with a listener-prefixed property (listener.name.<listener>.ssl.client.auth).
  9. Restart Kafka:
    
    systemctl restart kafka
  10. Kafka logs are written to /opt/kafka/kafkaservice.log. Check the file after the restart: a wrong store path or password is reported there and the broker does not start.

    Note:

    If the stores are JKS files rather than PKCS12, set ssl.keystore.type and ssl.truststore.type to JKS and point ssl.keystore.location and ssl.truststore.location at the .jks files.
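The mistakes that most often keep the broker from starting after this procedure are a second listener.security.protocol.map left uncommented, a placeholder password left in place, or a store path that does not exist. The following is an added example, not an IDIH or Kafka tool: a small lint that reads a broker.properties file and checks the settings the steps above ask for, including the SASL_SSL variant of the listener map used in the next procedure. It assumes the property names and values shown on this page; the file path is given on the command line.

```shell
#!/bin/sh
# check_broker_ssl: lint the SSL/SASL_SSL settings in a Kafka broker.properties
# before restarting the broker. Added example for this page; not an IDIH or
# Kafka tool. The checks encode the values shown in the steps above.
# Usage: check_broker_ssl /opt/kafka/config/broker.properties
# Exit status 0 when every check passes; otherwise one finding per line on stdout.

# prop FILE KEY: value of the last active (uncommented) KEY=VALUE line, with the
# whitespace around '=' that the template uses stripped off.
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

check_broker_ssl() {
    f=$1
    rc=0

    # Exactly one active listener.security.protocol.map: if a second one is left
    # uncommented, the last definition in the file silently wins.
    n=$(grep -c '^[[:space:]]*listener\.security\.protocol\.map[[:space:]]*=' "$f" || true)
    [ "$n" -eq 1 ] || { echo "expected one active listener.security.protocol.map, found $n"; rc=1; }

    # The EXTERNAL listener must be SSL or SASL_SSL, never PLAINTEXT.
    map=$(prop "$f" listener.security.protocol.map)
    case ",$map," in
        *,EXTERNAL:SSL,*|*,EXTERNAL:SASL_SSL,*) ;;
        *) echo "EXTERNAL listener is not SSL or SASL_SSL: '$map'"; rc=1 ;;
    esac

    # Store locations must be set and exist; a typo here stops the broker from starting.
    for k in ssl.keystore.location ssl.truststore.location; do
        v=$(prop "$f" "$k")
        if [ -z "$v" ]; then echo "$k is not set"; rc=1
        elif [ ! -f "$v" ]; then echo "$k points to a missing file: $v"; rc=1
        fi
    done

    # Passwords must not be empty or still the <placeholder> text from the template.
    for k in ssl.keystore.password ssl.key.password ssl.truststore.password; do
        case "$(prop "$f" "$k")" in
            ''|'<'*'>') echo "$k is empty or still a placeholder"; rc=1 ;;
        esac
    done

    # Mutual TLS and TLS 1.3 only, as configured in the steps above.
    [ "$(prop "$f" ssl.client.auth)" = required ] || { echo "ssl.client.auth is not 'required'"; rc=1; }
    [ "$(prop "$f" ssl.enabled.protocols)" = TLSv1.3 ] || { echo "ssl.enabled.protocols is not TLSv1.3"; rc=1; }

    # SASL_SSL additionally needs a mechanism enabled, or every SASL handshake fails.
    case ",$map," in
        *,EXTERNAL:SASL_SSL,*)
            [ -n "$(prop "$f" sasl.enabled.mechanisms)" ] \
                || { echo "EXTERNAL is SASL_SSL but sasl.enabled.mechanisms is not set"; rc=1; } ;;
    esac
    return $rc
}

# Run directly: sh check_broker_ssl.sh /opt/kafka/config/broker.properties
if [ $# -gt 0 ]; then check_broker_ssl "$1"; fi
```

Run it on the Kafka VM before `systemctl restart kafka`; a non-zero exit status with the findings printed means the restart would fail or, worse, leave the EXTERNAL listener in PLAINTEXT.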

Steps to enable SASL_SSL in Kafka VM

SASL_SSL combines SASL authentication of the client (here the PLAIN mechanism, a username and password) with SSL/TLS encryption of the connection.

Prerequisites

SSL must already be enabled. If it is not, first follow the SSL steps above, skipping step 7 (the listener.security.protocol.map change, which this procedure makes instead) and step 9 (the restart, which this procedure performs at the end).

Perform the following steps to populate the SASL_SSL fields in the broker.properties file:

  1. Log in to the Kafka VM.
  2. Go to /opt/kafka/config and open the broker.properties file:
    
    cd /opt/kafka/config
    vi broker.properties
  3. Modify the listener.security.protocol.map property:
    1. There are three instances of listener.security.protocol.map in broker.properties.
    2. Uncomment the one that maps the EXTERNAL listener to SASL_SSL and comment out the other two, so that exactly one instance remains active.
      # Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
      #listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:PLAINTEXT
       
      # Uncomment the below line and comment the other instances of "listener.security.protocol.map" to enable SSL for EXTERNAL Connectivity
      #listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SSL
       
      # Uncomment the below line and comment the other instances of "listener.security.protocol.map" to enable SASL_SSL for EXTERNAL Connectivity
      listener.security.protocol.map=INTERNAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT,INTERNAL_SSL:SSL,EXTERNAL:SASL_SSL
  4. Uncomment the following property so that the PLAIN mechanism is offered on the SASL_SSL listener:
    sasl.enabled.mechanisms=PLAIN
  5. Go to the /opt/kafka/store directory:
    cd /opt/kafka/store
  6. Create a file named kafka_server_jaas.conf using the following template. Use straight ASCII double quotes around the passwords, and terminate the last user entry with a semicolon:
    KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    user_username1="user1password"
    user_username2="user2password"
    user_username3="user3password"
    user_username4="user4password"
    .
    .
    .
    user_usernameN="userNpassword";
    };
    
    
    Example:
    KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    user_idihuser1="changeme"
    user_idihuser2="changeme"
    user_idihuser3="changeme";
    };

    Note:

    • The username accepts only alphanumeric characters and must be between 8 and 64 characters long.
    • The password accepts any characters and must be between 8 and 64 characters long. Passwords are stored in this file in cleartext, and the PLAIN mechanism transmits them in cleartext inside the TLS session, which is why the listener is SASL_SSL rather than SASL_PLAINTEXT.
  7. Restrict the permissions of the file so that the Kafka process can read it and no other user can (for example, owned by the Kafka service account with mode 640).
  8. Export the following environment variable so that the broker JVM loads the JAAS file:
    export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/store/kafka_server_jaas.conf"
    A variable exported in an interactive shell is not seen by a service started through systemctl. Set it where the kafka service reads its environment (for example an Environment= or EnvironmentFile= entry of the service unit); otherwise the broker starts without the JAAS configuration and SASL logins fail.
  9. Restart Kafka:
    systemctl restart kafka
  10. Kafka logs are written to /opt/kafka/kafkaservice.log. If the JAAS file cannot be read or parsed, the broker fails to start and the error is reported there.
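The template, the username and password rules from the note, and the permission step can be folded into one generator. The following is an added example, not IDIH's own tooling: it validates each user:password pair against the rules above, writes kafka_server_jaas.conf with straight quotes and a semicolon after the last entry, and creates the file so that only the owner and group can read it. The service account name (kafka) mentioned in the comments is an assumption; the chown is left to the operator.

```shell
#!/bin/sh
# write_jaas: generate a Kafka PlainLoginModule JAAS file from user:password pairs.
# Added example for this page; not part of IDIH. Assumes a "kafka" service account
# (the chown to it is done outside this script).
# Usage: write_jaas /opt/kafka/store/kafka_server_jaas.conf user1:pass1 [user2:pass2 ...]

# Username rule from the note above: alphanumeric only, 8 to 64 characters.
valid_username() {
    case $1 in *[!A-Za-z0-9]*|'') return 1 ;; esac
    n=${#1}
    [ "$n" -ge 8 ] && [ "$n" -le 64 ]
}

# Password rule: any characters, 8 to 64 long. A double quote or backslash would
# need escaping inside the JAAS string, so refuse them rather than write a file
# the login module cannot parse.
valid_password() {
    case $1 in *'"'*|*\\*) return 1 ;; esac
    n=${#1}
    [ "$n" -ge 8 ] && [ "$n" -le 64 ]
}

write_jaas() {
    out=$1; shift
    [ $# -gt 0 ] || { echo "no users given" >&2; return 1; }
    for pair in "$@"; do
        case $pair in *:*) ;; *) echo "expected user:password, got '$pair'" >&2; return 1 ;; esac
        u=${pair%%:*}; p=${pair#*:}   # password may itself contain ':'
        valid_username "$u" || { echo "invalid username: $u" >&2; return 1; }
        valid_password "$p" || { echo "invalid password for user $u" >&2; return 1; }
    done
    # umask 077 in a subshell so the file is never world-readable, even briefly.
    (
        umask 077
        {
            echo 'KafkaServer {'
            echo '  org.apache.kafka.common.security.plain.PlainLoginModule required'
            i=0
            for pair in "$@"; do
                i=$((i + 1))
                u=${pair%%:*}; p=${pair#*:}
                if [ "$i" -eq $# ]; then sep=';'; else sep=''; fi   # last entry ends with ';'
                printf '  user_%s="%s"%s\n' "$u" "$p" "$sep"
            done
            echo '};'
        } > "$out"
    ) || return 1
    # Owner read/write, group read, nothing for others. Then, outside this script:
    # chown root:kafka "$out" (group name assumed) so only the broker can read it.
    chmod 640 "$out"
}

if [ $# -ge 2 ]; then write_jaas "$@"; fi
```

Because the passwords end up on the command line, run it from a script or read the pairs from a root-only file rather than typing them into an interactive shell whose history is kept.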

Enable SSL for internal communication in Service VM

Prerequisites:

Refer to SSL certificate creation for IDIH in the Generating Self-Signed Certificate For IDIH section.

Perform the following steps to enable SSL for internal communication in the Service VM:

  1. Log in to the Service VM.
  2. Copy the keystore and truststore files to /opt/store on the Service VM.
  3. Update the permissions of the /opt/store folder and of the keystore and truststore files using the following command (as on the Kafka VM, mode 775 leaves the stores readable by every local account; tighten it once the services are confirmed to start):
    chmod 775 /opt/store; chmod 775 /opt/store/serverKeyStore.p12; chmod 775 /opt/store/trustStore.p12
  4. Go to the /opt directory:
    cd /opt
  5. Edit the docker compose file:
    vi cnidih_VM.yaml
  6. Passwords for the keystore and truststore are provided by default. If you replace the store files with your own, update the passwords in the following variables:
    
    MICRONAUT_SERVER_SSL_KEY_STORE_PASSWORD
    MICRONAUT_SERVER_SSL_TRUST_STORE_PASSWORD
    MICRONAUT_HTTP_CLIENT_SSL_KEY_STORE_PASSWORD
    MICRONAUT_HTTP_CLIENT_SSL_TRUST_STORE_PASSWORD

Validation

  • Connect to the EXTERNAL listener with a Kafka client that presents a certificate issued by a CA in the broker truststore (security.protocol=SSL with the client's own ssl.keystore.* and ssl.truststore.* settings, or security.protocol=SASL_SSL with sasl.mechanism=PLAIN and one of the users from kafka_server_jaas.conf). Because ssl.client.auth=required, a client that presents no certificate must be rejected during the TLS handshake.
  • Access the IDIH portal over https://.
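Before connecting a client, it is worth confirming offline that the stores referenced by broker.properties are usable: the store password is accepted, the private key belongs to the certificate, the certificate is not about to expire, and it chains to a CA in the truststore (a client certificate is accepted or rejected under ssl.client.auth=required on the same basis). The following is an added example, not an IDIH tool. It needs the openssl command-line tool and assumes the layout keytool produces, with one password for the PKCS12 store and the key inside it. Stores written by older JDK keytool versions are encrypted with RC2/3DES, which OpenSSL 3 reads only with its -legacy option.

```shell
#!/bin/sh
# verify_stores: offline sanity check of the PKCS12 keystore and truststore that
# broker.properties points at. Added example for this page, not an IDIH tool.
# Needs the openssl CLI. Assumes one password for the store and its key (keytool
# does not produce PKCS12 stores with differing passwords).
# Usage: verify_stores KEYSTORE.p12 STORE_PASSWORD TRUSTSTORE.p12 TRUST_PASSWORD
# Exit status 0 when all checks pass; findings are printed one per line.

verify_stores() {
    ks=$1; kspass=$2; ts=$3; tspass=$4
    tmp=$(mktemp -d) || return 1
    rc=0

    # 1. The store password must open the keystore and yield the broker certificate
    #    (the same failure Kafka reports when ssl.keystore.password is wrong).
    if openssl pkcs12 -in "$ks" -passin "pass:$kspass" -nokeys -clcerts \
            -out "$tmp/leaf.pem" 2>/dev/null; then
        # 2. The private key in the store must belong to that certificate.
        openssl pkcs12 -in "$ks" -passin "pass:$kspass" -nocerts -nodes \
            -out "$tmp/key.pem" 2>/dev/null || true
        certpub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey 2>/dev/null || true)
        keypub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null || true)
        if [ -z "$keypub" ] || [ "$certpub" != "$keypub" ]; then
            echo "private key does not match the certificate in $ks"; rc=1
        fi
        # 3. Flag a certificate that expires within 30 days (2592000 s).
        openssl x509 -in "$tmp/leaf.pem" -noout -checkend 2592000 >/dev/null \
            || { echo "certificate in $ks expires within 30 days"; rc=1; }
    else
        echo "keystore password rejected or file unreadable: $ks"; rc=1
    fi

    # 4. The truststore must open and hold a CA that validates the broker certificate.
    if openssl pkcs12 -in "$ts" -passin "pass:$tspass" -nokeys \
            -out "$tmp/ca.pem" 2>/dev/null; then
        if [ -f "$tmp/leaf.pem" ] \
                && ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
            echo "certificate in $ks does not chain to any CA in $ts"; rc=1
        fi
    else
        echo "truststore password rejected or file unreadable: $ts"; rc=1
    fi

    rm -rf "$tmp"
    return $rc
}

# Run directly with the four arguments, e.g.
# verify_stores /opt/kafka/store/serverKeyStore.p12 "$KS_PASS" /opt/kafka/store/trustStore.p12 "$TS_PASS"
if [ $# -eq 4 ]; then verify_stores "$@"; fi
```

Pass the passwords through variables or a root-only file rather than literally on the command line, since command lines are visible to other users through ps. The same function applied to a client's keystore and the broker truststore tells you, before any connection attempt, whether the broker will accept that client certificate.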