Connect to Confluent Kafka

Learn to create a connection to Confluent Kafka, which you use with the Confluent Schema Registry connection, to serve as a source or target in an OCI GoldenGate Big Data deployment.

Before you begin

Ensure that you:

• Review how OCI GoldenGate connects to your source and targets.

• Configure the required policies to enable secure Vault and Secrets access, such as use secrets, use vaults, and read secret-bundles. For more information, see Minimum recommended policies.

• If using TLS/ mTLS, convert the JKS truststore or truststore and keystore to PKCS12 format to use in the connection.

  1. Use the keytool utility in the JDK to convert to the PKCS12 format.

     For the keystore, the keytool utility prompts you for a password, as shown in the following example:

     keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_KEYSTORE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]

     For the truststore, the keytool utility prompts for a password, as shown in the following example:

     keytool -importkeystore -srckeystore [MY_TRUSTSTORE.jks] -destkeystore [MY_TRUSTSTORE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]

  2. After converting the keystore and truststore, add the following lines to the Kafka producer properties file and then save your changes:

     ssl.truststore.type=PKCS12
     ssl.keystore.type=PKCS12

  3. Upload the file to the connection's Producer properties in the Settings section of Advanced options.

• Create a connection to Confluent Schema Registry to be used together with this connection. You must then assign both connections to the same OCI GoldenGate Big Data deployment.

Create a source connection

To create a source Confluent Kafka connection:

1. From the OCI GoldenGate Overview page, select Connections.

   You can also select Create Connection under the Get started section and skip to step 3.

2. On the Connections page, select Create Connection.

3. On the Create Connection page, complete the fields as follows:

   1. For Name, enter a name for the connection.

   2. (Optional) For Description, enter a description that helps you distinguish this connection from others.

   3. (For GoldenGate on Multicloud only) Select your Subscription, and then complete the following fields.

      1. From the Compartment dropdown, select the compartment in which the Resource Anchor resides.

      2. Select the Multicloud partner region.

      3. Select your Partner availability zone. The available options populate based on the selected Multicloud partner region.

   4. For Compartment, select the compartment in which to create the connection.

   5. From the Type dropdown, select Confluent Kafka.

   6. Under Bootstrap servers:

      1. Enter the Host and Port number for the Bootstrap server. Enter the Private IP only if the hostname is not resolvable from your subnet or if it uses SSL/TLS.

         Note: If you enter a private IP, then OCI GoldenGate rewrites the private IP in the format, ip-10-0-0-0.ociggsvc.oracle.vcn.com.

         Tip: All nodes in the cluster must have FQDNs to allow for traversal over private endpoints.

      2. (Optional) Select + Bootstrap server to add another bootstrap server.

   7. For Security protocol, select from:

      • Plaintext

      • SASL over plaintext, and then provide the Username and Password.

      • SASL over SSL, and then provide the Username, Password, and Truststore and Keystore values as needed.

      • SSL, and then provide the Truststore and Keystore values as needed.

   8. Expand Show advanced options. You can configure the following options:

      • Security

        • Deselect Use vault secrets you prefer not to use password secrets for this connection. If not selected:

          • Select Use Oracle-managed encryption key to leave all encryption key management to Oracle.

          • Select Use customer-managed encryption key to select a specific encryption key stored in your OCI Vault to encrypt your connection credentials.

      • Network connectivity

        • Shared endpoint, to share an endpoint with the assigned deployment. You must allow connectivity from the deployment's ingress IP.

        • Dedicated endpoint, for network traffic through a dedicated endpoint in the assigned subnet in your VCN. You must allow connectivity from this connection's ingress IPs.

          Note:

          • If a dedicated connection remains unassigned for seven days, then the service converts it to a shared connection.
          • Learn more about Oracle GoldenGate connectivity.

      • Settings: To capture from Kafka, create a Kafka Consumer properties file with one of the following deserializers or converters:

        • Kafka Consumer properties for JSON deserializer:

          key.deserializer=org.apache.kafka.common.serialization.ByteArrayDeserializer
          value.deserializer=org.apache.kafka.common.serialization.ByteArrayDeserializer

        • Kafka Consumer properties for JSON converter:

          key.converter=org.apache.kafka.connect.json.JsonConverter
          value.converter=org.apache.kafka.connect.json.JsonConverter

        • Kafka Consumer properties for Avro converter:

          key.converter=io.confluent.connect.avro.AvroConverter
          value.converter=io.confluent.connect.avro.AvroConverter

      • Security attributes: Add security attributes to control access to this connection using Zero Trust Packet Routing (ZPR).

      • Tags: Add tags to organize your resources.

4. Select Create.

The connection appears in the Connections list, where you can select it to view its details. Ensure that you also create a connection to Confluent Schema Registry, and then assign both connections to a Big Data deployment.

Create a target connection

To create a target Confluent Kafka connection:

1. From the OCI GoldenGate Overview page, select Connections.

   You can also select Create Connection under the Get started section and skip to step 3.

2. On the Connections page, select Create Connection.

3. On the Create Connection page, complete the fields as follows:

   1. For Name, enter a name for the connection.

   2. (Optional) For Description, enter a description that helps you distinguish this connection from others.

   3. (For GoldenGate on Multicloud only) Select your Subscription, and then complete the following fields.

      1. From the Compartment dropdown, select the compartment in which the Resource Anchor resides.

      2. Select the Multicloud partner region.

      3. Select your Partner availability zone. The available options populate based on the selected Multicloud partner region.

   4. For Compartment, select the compartment in which to create the connection.

   5. From the Type dropdown, select Confluent Kafka.

   6. Under Bootstrap servers:

      1. Select a Traffic routing method:

      2. Enter the Host and Port number for the Bootstrap server. Enter the Private IP only if the hostname is not resolvable from your subnet or if it uses SSL/TLS.

         Note: If you enter a private IP, then OCI GoldenGate rewrites the private IP in the format, ip-10-0-0-0.ociggsvc.oracle.vcn.com.

         Tip: All nodes in the cluster must have FQDNs to allow for traversal over private endpoints.

      3. (Optional) Select + Bootstrap server to add another bootstrap server.

   7. For Security protocol, select from:

      • Plaintext

      • SASL over plaintext, and then provide the Username and Password.

      • SASL over SSL, and then provide the Username, Password, and Truststore and Keystore values as needed.

      • SSL, and then provide the Truststore and Keystore values as needed.

   8. Expand Show advanced options. You can configure the following options:

      • Security

        • Deselect Use vault secrets you prefer not to use password secrets for this connection. If not selected:

          • Select Use Oracle-managed encryption key to leave all encryption key management to Oracle.

          • Select Use customer-managed encryption key to select a specific encryption key stored in your OCI Vault to encrypt your connection credentials.

      • Network connectivity

        • Shared endpoint, to share an endpoint with the assigned deployment. You must allow connectivity from the deployment's ingress IP.

        • Dedicated endpoint, for network traffic through a dedicated endpoint in the assigned subnet in your VCN. You must allow connectivity from this connection's ingress IPs.

          Note:

          • If a dedicated connection remains unassigned for seven days, then the service converts it to a shared connection.
          • Learn more about Oracle GoldenGate connectivity.

      • Settings: To use Snappy compression in Kafka replication, drag and drop or select Producer properties, and change replication settings as discussed in Using Compression OCI GoldenGate (Confluent) Kafka Replication.

      • Security attributes: Add security attributes to control access to this connection using Zero Trust Packet Routing (ZPR).

      • Tags: Add tags to organize your resources.

4. Select Create.

The connection appears in the Connections list, where you can select it to view its details. Ensure that you also create a connection to Confluent Schema Registry, and then assign both connections to a Big Data deployment.

Create a connection to Confluent Cloud with Private Links

Private Link lets you access your Confluent Cloud cluster running on a third party cloud through a private endpoint that exists in your virtual network.

Before you create the connection, ensure you have the following:

• Create private network connectivity between Oracle Cloud Infrastructure (OCI) and the target third party cloud.

• While adding network configuration for private link in Confluent Cloud, ensure that you select Private DNS Resolution.

• Configure DNS zones and set up DNS records in the third party cloud where you configured Confluent Cloud and in OCI. In OCI, you can create zones within your VCN's private views. Within zones, you can add the required DNS records.

You can use the instructions above to create the connection, but in place of Steps 5 and 6, do the following:

• For Step 3e:

  • Provide the Bootstrap servers host and port details.

  • You can add multiple Bootstrap servers.

• For 3f:

  • For Security protocol, select SASL over Plaintext.

  • Enter the username and password.

Next steps

• Assign a connection to a deployment
• Manage connections

Troubleshoot Kafka connection errors

Most connection issues result in TimeoutException errors. For example:

A failure occurred sending a message to Kafka to topic [ggstest] org.apache.kafka.common.errors.TimeoutException: Topic ggstest not  present in metadata after 60000/120000 ms.

If you encounter this message in your Replicat report file, you can:

• Ensure the target topic is present or check that auto topic creation is enabled within the target Kafka settings.

• Ensure that there are no firewall rules blocking traffic.

• If you're running Kafka on OCI with a private endpoint, then ensure that you use the Internal FQDN as the bootstrap server in server.properties and in the Kafka connection.

• If you're connecting to a Confluent Cloud with private endpoints:

  • Ensure that the DNS zones and DNS records are configured properly in both OCI and the target third party cloud.

  • Ensure that the network connection between OCI and the target cloud work fine.

  • Test that you can connect to the target Confluent Cloud with OpenSSL (openssl s_client -connect <bootstrap>) from an OCI VM running in the same subnet connected to the third party cloud.

  • Test that you can publish or consume messages from a Kafka client running on OCI within the same subnet connected to the third party cloud. If it fails, then check your network settings on both OCI and the third party cloud.