4.2.3 Kafka Security Configuration
The basic Kafka security configuration required for compliance with product delivery is described below.
Prerequisites
- SSL certificates and keys (generated using the SSL scripts provided as part of the OCNADD release)
Configuring SASL for Kafka
Kafka uses the Java Authentication and Authorization Service (JAAS) for SASL configuration. In OCNADD, by default, all Kafka communication (inter-broker, Kafka-client and Kafka-broker, and between Kafka and Zookeeper) happens with a common user (ocnadd) configured in
<chart-path>/charts/ocnaddkafka/scripts/kafka_server_jass.conf
Customers can add more users in the <chart-path>/charts/ocnaddkafka/scripts/kafka_server_jass.conf file. The "ocnadd" user is the default user for all Kafka communication and should not be modified.
Below are sample changes that add the NRF and SCP users in Kafka:
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="ocnadd"
    password="secret_placeholder"
    user_ocnadd="ocnadd"
    user_NRF="NRF-secret"
    user_SCP="SCP-secret";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="ocnadd"
    password="secret_placeholder";
};
user_NRF="NRF-secret" is added for the NRF user and user_SCP="SCP-secret" is added for the SCP user. In JAAS syntax the semicolon terminates the login module entry, so only the last option in each section carries it.
After making the above changes, continue with the installation steps in the Oracle Communications Network Analytics Data Director Installation, Upgrade, and Fault Recovery Guide.
Note:
- User addition is a one-time operation and can be done only during installation.
- It is recommended to use a strong password in kafka_server_jass.conf.
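Because users can only be added at installation time, it helps to check the file before deploying. The following is an added example, not part of the OCNADD release: a small Python check for a misplaced semicolon, a broker username/password pair that does not match its own user_<name> entry, and weak passwords. The function name check_jaas, the 12-character minimum and the "password contains the user name" rule are assumptions, and the sample file content is constructed.

```python
import re

# Constructed sample in the layout of kafka_server_jass.conf; all passwords are made up.
SAMPLE = '''
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="ocnadd"
    password="constructed-Broker-pw-01"
    user_ocnadd="constructed-Broker-pw-01"
    user_NRF="NRF-secret";
    user_SCP="x9!Long-constructed-value";
};
'''

SECTION_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"\s*(;?)')
MIN_LEN = 12  # assumed password policy, not an OCNADD requirement


def check_jaas(text):
    """Return a list of findings for a JAAS file using PlainLoginModule."""
    findings = []
    for name, body in SECTION_RE.findall(text):
        opts = OPTION_RE.findall(body)
        # ';' terminates the login module entry, so only the last option may carry it.
        for key, _, semi in opts[:-1]:
            if semi:
                findings.append(f"{name}: ';' after {key} ends the module entry early")
        if opts and not opts[-1][2]:
            findings.append(f"{name}: missing ';' after the last option")
        if name != "KafkaServer":
            continue
        values = {k: v for k, v, _ in opts}
        users = {k[5:]: v for k, v in values.items() if k.startswith("user_")}
        broker = values.get("username")
        # The broker logs in to its peers with username/password, so the pair
        # must match one of the user_<name> entries it accepts.
        if broker not in users:
            findings.append(f"KafkaServer: no user_{broker} entry for the broker's own username")
        elif users[broker] != values.get("password"):
            findings.append(f"KafkaServer: password differs from user_{broker}")
        for user, pw in users.items():
            if len(pw) < MIN_LEN or user.lower() in pw.lower():
                findings.append(f"KafkaServer: weak password for user {user}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_jaas(SAMPLE)))
```

The parser is deliberately simple and assumes quoted option values that do not contain a closing brace.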