11 Security with SSL Encryption with SASL-SCRAM Authentication
This topic describes how to secure Kafka with SSL encryption and SASL-SCRAM authentication.
Generate Keystore
The items alias, keyalg, keysize, sigalg, valDays and keystore are placeholders and should be replaced with suitable values when running the command.
keytool -genkeypair -alias alias -keyalg keyalg -keysize keysize -sigalg sigalg -validity valDays -keystore keystore
Table 11-1 Generate Keystore - Keyword Details
Keyword | Description |
---|---|
alias | Used to identify the public and private key pair created. |
keyalg | The key algorithm used to generate the public and private key pair. The RSA key algorithm is recommended. |
keysize | The size of the public and private key pair generated. A key size of 1024 or more is recommended. |
sigalg | The algorithm used to generate the signature. It must be compatible with the key algorithm and must be one of the values specified in the Java Cryptography API Specification and Reference. |
valDays | The number of days for which the certificate is to be considered valid. Consult your CA on this period. |
keystore | The location of the JKS file. If no JKS file is present in the path provided, one will be created. |
Table 11-2 Generate Keystore - Attributes
Attributes | Description |
---|---|
Keystore Password | Specify a password used to access the Keystore. This password must be specified later when configuring the identity store in the Kafka server. |
Key Password | Specify a password used to access the private key stored in the Keystore. This password must be specified later when configuring the SSL attributes of the Kafka server. |
First and Last Name (CN) | Enter the domain name of the machine. For example, www.example.com. |
Name of your Organizational Unit | The name of the department or unit making the request. Use this field to further identify the SSL certificate you are creating, for example, by department or by physical server. |
Name of your Organization | The name of the organization making the certificate request. For example, Oracle Financial Services. Use the company or organization's formal name; the name entered here must match the name found in official records. |
Name of your City or Locality | The city in which your organization is physically located. For example, Bengaluru. |
Name of your State or Province | The state or province in which your organization is physically located. For example, Karnataka. |
Two-letter Country Code for this Unit | The country in which your organization is physically located. For example, US, UK, IN. |
Example 11-1 Sample Execution
Listed below is the result of a sample execution.
keytool -genkeypair -alias certificates -keyalg RSA -keysize 1024 -sigalg SHA512withRSA -validity 365 -keystore /scratch/Data/Certificates/KafkaServerKeystore.jks
Enter keystore password: <Enter a password to protect the keystore>
Re-enter new password: <Confirm the password keyed above>
What is your first and last name?
[Unknown]: <domain name>.oracle.com
What is the name of your organizational unit?
[Unknown]: <application name>
What is the name of your organization?
[Unknown]: Oracle Financial Services
What is the name of your City or Locality?
[Unknown]: Bengaluru
What is the name of your State or Province?
[Unknown]: Karnataka
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=name.oracle.com, OU=Test, O=Oracle Financial Services, L=Bengaluru, ST=Karnataka, C=IN correct? [no]: yes
Enter key password for <certificates>
(RETURN if same as keystore password): <Enter a password to protect the key>
Export Private Key as Certificate
The command below exports the certificate (the public half of the key pair) from the keystore; the private key itself never leaves the keystore:
keytool -export -alias <alias_name> -file <export_certificate_file_name_with_location.cer> -keystore <keystore_name.jks> -keypass <Private key Password> -storepass <Store Password>
Example:
keytool -export -alias certs -file /scratch/Data/Certificates/KafkaCert.cer -keystore /scratch/Data/Certificates/KafkaServerKeystore.jks -keypass oracle123 -storepass oracle123
If successful, the following message is displayed:
Certificate stored in file <KafkaCert.cer>
Import the Cert and Generate TrustStore
To import the certificate and generate the TrustStore, use the command below:
keytool -import -alias alias -file cert_file -keystore truststore -storepass storepass
Table 11-3 Generate TrustStore - Keyword Details
Keyword | Description |
---|---|
alias | Used to identify the public and private key pair. Specify the alias of the key pair used to create the CSR in the earlier step. |
cert_file | The location of the file containing the PKCS#7 formatted reply from the CA, containing the signed certificate. |
truststore | The location where the TrustStore should be generated. |
storepass | The password for the TrustStore. |
Two TrustStore files are generated:
- One used for the Kafka server
- One used for clients
Example:
keytool -import -alias certs -file /scratch/Data/Certificates/KafkaCert.cer -keystore /scratch/Data/Certificates/KafkaServerTrustStore.jks -storepass oracle123
keytool -import -alias certs -file /scratch/Data/Certificates/KafkaCert.cer -keystore /scratch/Data/Certificates/KafkaClientTrustStore.jks -storepass oracle123
Table 11-4 Keystore Files
File Name | Description |
---|---|
KafkaServerKeystore.jks | Keystore file for Kafka brokers |
KafkaServerTrustStore.jks | TrustStore file for the server |
KafkaClientTrustStore.jks | TrustStore file for clients |
To validate the server, each client should import the KafkaClientTrustStore.jks file.
Note:
The TrustStore files should be generated using the same CA. The user can generate and place these files on all the Kafka servers so that they can be referenced from the server*.properties files. The KafkaClientTrustStore.jks file should be placed on a server that is also accessible by the microservices.
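The three sections above (Generate Keystore, Export Private Key as Certificate, Import the Cert and Generate TrustStore) form one procedure. The script below is an added example, not part of the original documentation, that runs that procedure without the interactive prompts of Example 11-1 and then checks that every TrustStore holds the same certificate as the keystore. The output directory, alias, distinguished name, passwords and the 2048-bit key size are assumptions; `-exportcert` and `-importcert` are the current names of the `-export` and `-import` commands used above.

```shell
#!/bin/sh
# Added example: build KafkaServerKeystore.jks, export its certificate and
# import it into a server and a client TrustStore, non-interactively.
# All paths, names and passwords below are placeholders.
set -eu

build_kafka_stores() {
    dir="$1"          # output directory, e.g. /scratch/Data/Certificates
    store_pass="$2"   # keystore/truststore password
    key_pass="$3"     # private-key password
    alias_name="${4:-certificates}"
    dname="${5:-CN=broker1.example.com, OU=Test, O=Oracle Financial Services, L=Bengaluru, ST=Karnataka, C=IN}"

    mkdir -p "$dir"

    # Generate Keystore: -dname answers the questions asked in Example 11-1.
    # -storetype JKS is stated explicitly because recent JDKs default to PKCS12.
    keytool -genkeypair -alias "$alias_name" -keyalg RSA -keysize 2048 \
        -sigalg SHA512withRSA -validity 365 -storetype JKS \
        -dname "$dname" -keystore "$dir/KafkaServerKeystore.jks" \
        -storepass "$store_pass" -keypass "$key_pass"

    # Export the certificate only; the private key stays inside the keystore.
    keytool -exportcert -alias "$alias_name" -file "$dir/KafkaCert.cer" \
        -keystore "$dir/KafkaServerKeystore.jks" -storepass "$store_pass"

    # Import it into one TrustStore for the brokers and one for the clients.
    for ts in KafkaServerTrustStore KafkaClientTrustStore; do
        keytool -importcert -noprompt -alias "$alias_name" -file "$dir/KafkaCert.cer" \
            -keystore "$dir/$ts.jks" -storetype JKS -storepass "$store_pass"
    done
}

# Check: the certificate fingerprint reported for the keystore entry must be
# identical to the fingerprint of the trusted entry in each TrustStore.
stores_consistent() {
    dir="$1"; store_pass="$2"; alias_name="${3:-certificates}"
    ref=$(keytool -list -keystore "$dir/KafkaServerKeystore.jks" \
          -storepass "$store_pass" -alias "$alias_name" | grep -o 'fingerprint.*')
    [ -n "$ref" ] || return 1
    for ts in KafkaServerTrustStore KafkaClientTrustStore; do
        fp=$(keytool -list -keystore "$dir/$ts.jks" \
             -storepass "$store_pass" -alias "$alias_name" | grep -o 'fingerprint.*')
        [ "$fp" = "$ref" ] || return 1
    done
    return 0
}

# Usage (placeholders):
#   build_kafka_stores /scratch/Data/Certificates 'storepass' 'keypass'
#   stores_consistent /scratch/Data/Certificates 'storepass' && echo "TrustStores match keystore"
```

Passing passwords as command-line arguments exposes them in the process list and shell history; in a real deployment read them from a secrets store or a file with restricted permissions instead.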
Create Users in Zookeeper
- Start the zookeeper.
Note:
Refer to the Zookeeper Cluster Setup topic.
- Follow the steps below for user creation.
- Execute the admin command for admin user creation.
./kafka-configs.sh --zookeeper localhost:2181 --alter --add-config "SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]" --entity-type users --entity-name admin
Note:
The user admin, with the password given above, is set up for each SCRAM mechanism. Here, the user admin is used for Kafka broker authentication.
- Execute the test command for test user creation.
./kafka-configs.sh --zookeeper localhost:2181 --alter --add-config "SCRAM-SHA-256=[iterations=8192,password=test-secret],SCRAM-SHA-512=[password=test-secret]" --entity-type users --entity-name test
Note:
The user test, with the password given above, is set up for each SCRAM mechanism. Here, the user test is used for client authentication.
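What the kafka-configs.sh commands above persist in ZooKeeper is not the password but SCRAM credentials: a salt, the iteration count, and the StoredKey and ServerKey of RFC 5802, one set per mechanism. The example below is added here and is not part of the original documentation or of Kafka's own code: it parses an `--add-config` value in the exact form used above, derives those credentials, and then runs the four-message SCRAM exchange between a client that knows the password and a server that holds only the credentials, so that a wrong password fails on both sides. The function names, the 16-byte random salt, the nonces and the assumed default of 4096 iterations when `iterations=` is omitted are choices made for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Hash function behind each SCRAM mechanism used in the commands above.
MECHANISMS = {"SCRAM-SHA-256": "sha256", "SCRAM-SHA-512": "sha512"}
DEFAULT_ITERATIONS = 4096  # assumed default when the config omits iterations=


def parse_add_config(config):
    """Parse an --add-config value such as
    'SCRAM-SHA-256=[iterations=8192,password=x],SCRAM-SHA-512=[password=x]'.
    Passwords containing ',' or ']' are out of scope for this parser."""
    result = {}
    for part in config.split("],"):
        mechanism, _, body = part.partition("=[")
        opts = dict(kv.split("=", 1) for kv in body.rstrip("]").split(","))
        result[mechanism.strip()] = {
            "password": opts["password"],
            "iterations": int(opts.get("iterations", DEFAULT_ITERATIONS)),
        }
    return result


def scram_credential(mechanism, password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Derive the record the broker stores for a user (RFC 5802):
    salt, iterations, StoredKey and ServerKey. The password is not kept."""
    digest = MECHANISMS[mechanism]
    salt = secrets.token_bytes(16) if salt is None else salt  # constructed salt
    salted = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", digest).digest()
    return {"mechanism": mechanism, "salt": salt, "iterations": iterations,
            "stored_key": hashlib.new(digest, client_key).digest(),
            "server_key": hmac.new(salted, b"Server Key", digest).digest()}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def scram_exchange(user, password, cred, client_nonce=None, server_nonce=None):
    """Run the SCRAM messages. The client knows `password`; the server knows
    only `cred`. Returns the four messages and both sides' verdicts."""
    digest = MECHANISMS[cred["mechanism"]]
    client_nonce = client_nonce or secrets.token_urlsafe(16)
    server_nonce = server_nonce or secrets.token_urlsafe(16)
    nonce = client_nonce + server_nonce

    # 1. client-first-message ("n,," GS2 header is not part of AuthMessage).
    client_first_bare = f"n={user},r={client_nonce}"
    # 2. server-first-message: combined nonce, the user's salt and iterations.
    server_first = "r={},s={},i={}".format(
        nonce, base64.b64encode(cred["salt"]).decode(), cred["iterations"])
    # 3. client-final-message-without-proof; "biws" is base64("n,,").
    client_final_bare = f"c=biws,r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # Client: rebuild ClientKey from the password and the server-supplied
    # salt/iterations; ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    salted = hashlib.pbkdf2_hmac(digest, password.encode(), cred["salt"], cred["iterations"])
    client_key = hmac.new(salted, b"Client Key", digest).digest()
    stored_key = hashlib.new(digest, client_key).digest()
    client_proof = _xor(client_key, hmac.new(stored_key, auth_message, digest).digest())
    client_final = client_final_bare + ",p=" + base64.b64encode(client_proof).decode()

    # Server: undo the XOR with its own StoredKey; H(result) must equal StoredKey.
    recovered = _xor(client_proof, hmac.new(cred["stored_key"], auth_message, digest).digest())
    server_accepts = hmac.compare_digest(hashlib.new(digest, recovered).digest(), cred["stored_key"])
    # 4. server-final-message: ServerSignature proves the server holds ServerKey.
    server_sig = hmac.new(cred["server_key"], auth_message, digest).digest()
    server_final = "v=" + base64.b64encode(server_sig).decode()

    # Client: check the server with its own ServerKey derivation (mutual auth).
    own_server_key = hmac.new(salted, b"Server Key", digest).digest()
    client_accepts = hmac.compare_digest(
        hmac.new(own_server_key, auth_message, digest).digest(), server_sig)
    return {"client_first": "n,," + client_first_bare, "server_first": server_first,
            "client_final": client_final, "server_final": server_final,
            "server_accepts": server_accepts, "client_accepts": client_accepts}


def provision_and_authenticate(entity_name, add_config, attempt, mechanism="SCRAM-SHA-256"):
    """Mirror the flow above: create the user from --add-config, then a client logs in."""
    settings = parse_add_config(add_config)[mechanism]
    cred = scram_credential(mechanism, settings["password"], settings["iterations"])
    return scram_exchange(entity_name, attempt, cred)


if __name__ == "__main__":
    cfg = "SCRAM-SHA-256=[iterations=8192,password=test-secret],SCRAM-SHA-512=[password=test-secret]"
    for k, v in provision_and_authenticate("test", cfg, "test-secret").items():
        print(f"{k}: {v}")
```

The server side never touches the password: it only needs StoredKey to verify the proof and ServerKey to sign the exchange, which is why a copy of the ZooKeeper record lets an attacker impersonate the server but not log in as the user without first brute-forcing the PBKDF2 output; a higher `iterations=` value, as in the test user above, raises that cost.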