Configuring SASL/SCRAM

OCI Streaming with Apache Kafka supports SCRAM-SHA-512.

SASL/SCRAM authenticates clients with a username and password. SCRAM (Salted Challenge Response Authentication Mechanism, RFC 5802) stores a salted, iterated hash of the password on the broker and authenticates by challenge-response: the client proves that it knows the password with a proof computed from the server's challenge, so the password itself is neither stored on the broker nor sent across the connection. Use SCRAM together with TLS (security.protocol=SASL_SSL) so that the topic data and the rest of the session are encrypted as well.
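To make the mechanism concrete, the following Python script (an added example, not code from OCI or Apache Kafka) walks through one SCRAM-SHA-512 exchange as defined in RFC 5802 and RFC 7677: it derives the salted, hashed material a server stores for a user, has the client answer the server's challenge with a proof, has the server verify that proof using only the stored material, and checks that the password never appears on the wire. The username, password, salt and nonces are constructed test values, and the 4096 iteration count is assumed to match Kafka's default for SCRAM credentials.

```python
import base64
import hashlib
import hmac

HASH = "sha512"                                  # SCRAM-SHA-512
DIGEST_LEN = hashlib.new(HASH).digest_size       # 64 bytes
KAFKA_DEFAULT_ITERATIONS = 4096                  # assumed Kafka default for SCRAM credentials


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802: PBKDF2 with HMAC-SHA-512, one 64-byte block."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations, DIGEST_LEN)


def stored_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """What the server keeps per user. The password itself is not among it."""
    salted = salted_password(password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(client_key),                # H(ClientKey), not ClientKey
        "server_key": _hmac(salted, b"Server Key"),
    }


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: the only place the password is used; it never leaves the client."""
    client_key = _hmac(salted_password(password, salt, iterations), b"Client Key")
    client_signature = _hmac(_h(client_key), auth_message)
    return _xor(client_key, client_signature)


def server_verify_proof(creds: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: unmask ClientKey from the proof and hash it; must equal StoredKey."""
    client_signature = _hmac(creds["stored_key"], auth_message)
    recovered_client_key = _xor(proof, client_signature)
    return hmac.compare_digest(_h(recovered_client_key), creds["stored_key"])


def run_exchange(username: str, password: str, creds: dict,
                 client_nonce: str, server_nonce: str):
    """One SCRAM exchange with fixed nonces.

    Returns (client_ok, server_ok, wire_messages). A real server would answer a
    failed proof with an error instead of a server-final message.
    """
    nonce = client_nonce + server_nonce
    salt_b64 = base64.b64encode(creds["salt"]).decode()
    client_first_bare = f"n={username},r={client_nonce}"
    server_first = f"r={nonce},s={salt_b64},i={creds['iterations']}"
    client_final_bare = f"c=biws,r={nonce}"          # biws = base64("n,,"), no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # Client: answer the challenge with a proof derived from the password.
    proof = client_proof(password, creds["salt"], creds["iterations"], auth_message)
    client_final = f"{client_final_bare},p={base64.b64encode(proof).decode()}"

    # Server: verify with StoredKey only, then prove itself with ServerKey.
    client_ok = server_verify_proof(creds, auth_message, proof)
    server_signature = _hmac(creds["server_key"], auth_message)
    server_final = f"v={base64.b64encode(server_signature).decode()}"

    # Client: check the server signature so the broker is authenticated too.
    expected_server_key = _hmac(salted_password(password, creds["salt"], creds["iterations"]),
                                b"Server Key")
    server_ok = hmac.compare_digest(_hmac(expected_server_key, auth_message), server_signature)

    return client_ok, server_ok, ["n,," + client_first_bare, server_first, client_final, server_final]


if __name__ == "__main__":
    # Constructed test values; a real client and broker pick fresh random nonces.
    creds = stored_credentials("correct-horse", bytes(range(16)), KAFKA_DEFAULT_ITERATIONS)
    ok, srv_ok, msgs = run_exchange("alice", "correct-horse", creds, "cNonce123", "sNonce456")
    print("client authenticated:", ok, " server authenticated:", srv_ok)
    for m in msgs:
        print(" ", m)
```

Run it directly to print the four wire messages. Note that the server holds H(ClientKey) rather than ClientKey, so a dump of the broker's credential store is not by itself enough to impersonate a client, and that the stored keys are derived from a specific password: this is why a rotated vault secret has to be pushed to the cluster again, because the broker's stored keys still correspond to the old password until they are regenerated.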

Create the required IAM policies and then complete the following tasks to configure SASL/SCRAM authentication for a Kafka cluster.

  1. Create sign-in credentials in OCI Vault
  2. Update Kafka cluster with created credentials
  3. Configure Kafka clients to use the secure credentials

Required IAM Policies

Add the following policy statements before configuring SASL/SCRAM authentication for a Kafka cluster. They allow the service (identified as rawfka in the policy) to update the vault secret; scope <compartment> to the compartment that holds the secret rather than a broader one.

allow service rawfka to {SECRET_UPDATE} in compartment <compartment>
allow service rawfka to use secrets in compartment <compartment> where request.operation = 'UpdateSecret'

Creating Credentials in Vault

Use the OCI Vault service to create secure user credentials.

  1. Create a vault, if you don't already have one.
  2. Create a master encryption key in the vault to be used to encrypt the secret.
  3. Create a secret in the vault. For the Kafka cluster, the secret must be created with the Manual secret generation method. Whenever you rotate the secret manually, you must also run Update SASL SCRAM for the cluster. Otherwise the Kafka cluster continues to use the old secret version, because it can't automatically detect or synchronize updated secret versions, and clients that present the new credentials fail to authenticate.

Updating SASL/SCRAM for the Kafka Cluster

Update the Kafka cluster with the created or updated secure credentials.

  • Console:
    1. On the Kafka clusters list page, select the cluster that you want to work with.
    2. On the details page, select the Actions menu and then select Update SASL SCRAM.
    3. In the Update SASL SCRAM panel, select the vault with the secure credentials.
    4. Select the secret in the vault.
    5. Select Update.
  • CLI: Use the cluster enable-superuser command and required parameters to add SASL/SCRAM properties to a cluster configuration:

    oci kafka cluster enable-superuser --compartment-id <compartment-ocid> --kafka-cluster-id <cluster-ocid> --secret-id <secret-ocid>

    Required Options

    <compartment-ocid>
    The OCID of the compartment in which the vault secret is created.
    <cluster-ocid>
    The OCID of the Kafka cluster whose SASL/SCRAM credentials need to be updated.
    <secret-ocid>
    The OCID of the vault secret that holds the new credentials.

    Use the cluster disable-superuser command and required parameters to remove SASL/SCRAM properties from a cluster configuration; clients that authenticate with SASL/SCRAM stop working once it is disabled:

    oci kafka cluster disable-superuser --kafka-cluster-id <cluster-ocid>

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • API: Run the enableSuperuser operation to add or update the SASL/SCRAM credentials for the Kafka cluster.

Configuring Kafka Clients

To connect to a Kafka cluster using SASL/SCRAM, update the Kafka client properties file. Use the username and password that are stored in the vault secret attached to the cluster, and a truststore that contains the CA certificate of the cluster's TLS endpoint.

Create a client.properties file with the following information:

    security.protocol=SASL_SSL
    sasl.mechanism=SCRAM-SHA-512
    ssl.truststore.location=/path/to/truststore.jks
    ssl.truststore.password=<your-truststore-password>
    sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="<your-username>" password="<your-password>";

The file contains the SCRAM password and the truststore password in clear text, so restrict its permissions to the user that runs the client and keep it out of version control. Keep security.protocol set to SASL_SSL: SCRAM keeps the password off the wire, but TLS is what protects the topic data and the rest of the session.