1. Oracle Banking Microservices Platform Foundation Installation Guide
  2. Security with SSL Encryption with SASL-SCRAM Authentication

10 Security with SSL Encryption with SASL-SCRAM Authentication

This topic describes about Security - SSL Encryption with SASL-SCRAM authentication.

Generate Keystore

The items highlighted in bold are placeholders and should be replaced with suitable values when running the command.

keytool -genkeypair -alias alias -keyalg keyalg -keysize keysize -sigalg 
sigalg -validity valDays -keystore keystore

Table 10-1 Generate Keystore - Keyword Details

Keyword Description
alias Used to identify the public and private key pair created.
keyalg It is a key algorithm used to generate the public and private key pair.

The RSA key algorithm is recommended.
keysize It is the size of the public and private key pairs generated.

A key size of 1024 or more is recommended.
sigalg It is the algorithm used to generate the signature.

This algorithm should be compatible with the key algorithm and should be one of the values specified in the Java Cryptography API Specification and Reference.
valdays It is the number of days for which the certificate is to be considered valid.

Please consult with your CA on this period.
keystore It is used to specify the location of the JKS file.

If no JKS file is present in the path provided, one will be created.
The command prompts for the following attributes of the certificate and Keystore:

Table 10-2 Generate Keystore - Attributes

Attributes Description
Keystore Password Specify a password used to access the Keystore.

This password needs to be specified later when configuring the identity store in Kafka server.
Key Password Specify a password used to access the private key stored in the Keystore.

This password needs to be specified later when configuring the SSL attributes of the Kafka Server.
First and Last Name (CN) Enter the domain name of the machine. For example, www.example.com.
Name of your Organizational Unit The name of the department or unit making the request.

Use this field to further identify the SSL Certificate you are creating, for example, by department or by physical server.
Name of your Organization The name of the organization making the certificate request. For example, Oracle Financial Services.

It is recommended to use the company or organization's formal name, and this name entered here must match the name found in official records.
Name of your City or Locality The city in which your organization is physically located. For example, Bengaluru.
Name of your State or Province The state/province in which your organization is physically located. For example, Karnataka.
Two-letter Country Code for this Unit The country in which your organization is physically located. For example, US, UK, IN, etc.

Example 10-1 Sample Execution

Listed below is the result of a sample execution.

keytool -genkeypair -alias certificates -keyalg RSA -keysize 1024 -sigalg SHA512withRSA 
-validity 365 -keystore /scratch/Data/Certificates/KafkaServerKeystore.jks

Enter keystore password:<Enter a password to protect the keystore>

Re-enter new password:<Confirm the password keyed above>

What is your first and last name?

[Unknown]: <domain name>.oracle.com

What is the name of your organizational unit?

[Unknown]: <application name>

What is the name of your organization?

[Unknown]: Oracle Financial Services

What is the name of your City or Locality?

[Unknown]: Bengaluru

What is the name of your State or Province?

[Unknown]: Karnataka

What is the two-letter country code for this unit?

[Unknown]: IN

Is CN= name.oracle.com, OU=Test, O=Oracle Financial Services, L= Bengaluru, ST= Karnataka, C=IN correct? [no]: yes

Enter key password for < password >

RETURN if same as keystore password): <Enter a password to protect the key>

Export Private Key as Certificate

Export private key as certificate command is mentioned below:

keytool -export -alias <alias_name> -file <export_certificate_file_name_with_location.cer> 
-keystore <keystore_name.jks> -keypass <Private key Password> -storepass <Store Password>

Example:

keytool -export -alias certs -file /scratch/Data/Certificates/KafkaCert.cer 
-keystore /scratch/Data/Certificates/KafkaServerKeystore.jks -keypass oracle123 -storepass oracle123

If successful, the following message will be displayed:

Certificate stored in file < KafkaCert.cer>

Import the Cert and Generate TrustStore

To import the cert and generate TrustStore, the command is mentioned below:

keytool -import -alias alias -file cert_file -keystore truststore –storepass storepass

Table 10-3 Generate TrustStore - Keyword Details

Keyword Description
alias It is used to identify the public and private key pair.

Specify the alias of the key pair used to create the CSR in the earlier step.
cert_file It is the location of the file containing the PKCS#7 formatted reply from the CA, containing the signed certificate.
truststore It is the location where the TrustStore should be generated.
storepass It is the password for the TrustStore.
The user can generate two TrustStores from the same cert.
  • One used for Kafka server
  • One used for Clients

Example:

keytool -import -alias certs -file /scratch/Data/Certificates/KafkaCert.cer 
–keystore /scratch/Data/Certificates/KafkaServerTrustStore.jks -storepass oracle123
keytool -import -alias certs -file /scratch/Data/Certificates/KafkaCert.cer 
-keystore /scratch/Data/Certificates/KafkaClientTrustStore.jks -storepass oracle123
Three Keystore files are required for this method as given in the table below:

Table 10-4 Keystore Files

File Name Description
KafkaServerKeystore.jks Keystore file for Kafka brokers
KafkaServerTrustStore.jks TrustStore file for server
KafkaClientTrustStore.jks TrustStore file for client

To validate the server, each client should import the KafkaClientTrustStore.jks file.

Note:

The TrustStore files should be generated using the same CA. The user can generate and place these files on all the different servers of Kafka so that they can be accessed by server*.properties file. The KafkaClientTrustStore.jks should be placed on the server, which is accessible by the microservices also.

Create Users in Zookeeper

To create users in Zookeeper, follow below steps:
  1. Start the zookeeper.

    Note:

    Refer to Zookeeper Cluster Setup topic.
  2. Follow the below steps for user creation.
    1. Execute the admin command for admin user creation.
      ./kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 
“SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]” 
--entity-type users --entity-name admin

      Note:

      The user created with admin as username and password is setup for the user for each scram mechanism. Here, the user admin is used for Kafka broker auth.
    2. Execute the test command for test user creation.
      ./kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 
“SCRAM-SHA-256=[iterations=8192,password=test-secret],SCRAM-SHA-512=[password=test-secret]” 
--entity-type users --entity-name test

      Note:

      The user created with test as username and password is setup for the user for each scram mechanism. Here, the user test is used for client auth.