SSL Authentication with Apache Kafka

Swapnil Desai
Contino Engineering
4 min read · May 20, 2020


Apache Kafka is the big thing in event-driven architectures and the microservices ecosystem, and with its fast, scalable, distributed architecture it is certainly the talk of the town.

During a recent engagement, we were required to interact with a Kafka platform that was configured with the mTLS (mutual TLS) client authentication mechanism. Whilst working, we faced a few SSL challenges on how to interact with the Kafka broker and the Kafka schema registry, and overcame them. Along the way, we learned a few concepts around SSL/TLS certificates and the Kafka command-line (CLI) tools. Here are some pointers on how we used the Confluent CLI tools to interact with the Kafka platform.

This blog post focuses on solving the mTLS challenges of interacting with Apache Kafka when the Kafka broker and schema registry are configured with a truststore and client authentication enabled.

Concept

What is mutual TLS (mTLS)?

Transport Layer Security (TLS), a newer incarnation of SSL, is a protocol for securing communication between two entities. Mutual TLS (mTLS) is a two-way authentication mechanism that ensures traffic between the client and the server is secure and that the content flowing in both directions can be trusted. It is a standard mechanism used by servers to authenticate the principal (client) that is trying to access a resource.

TLS uses private-key/certificate pairs during the SSL/TLS handshake process.

  • Each server needs its own private-key/certificate pair, and the client uses the certificate to authenticate the broker.
  • Each client needs a private-key/certificate pair if client authentication is enabled and the server uses the certificate to authenticate the client.

Apache Kafka command-line (CLI) tools

Confluent platform provides the following command-line tools (https://docs.confluent.io/current/installation/cli-reference.html) to interact with Apache Kafka.

  • kafka-console-producer — Sends data to Kafka topics. kafka-console-producer is a producer command-line tool that reads data from standard input and writes it to a Kafka topic.
  • kafka-console-consumer — Reads data from Kafka topics. kafka-console-consumer is a consumer command-line tool that reads data from a Kafka topic and writes it to standard output (the console).
  • kafka-avro-console-producer — Sends Avro data in JSON format to the console. The kafka-avro-console-producer is a producer CLI that reads data from standard input and writes it to a Kafka topic in Avro format. This tool uses the Avro converter with the Schema Registry in order to properly write the Avro data schema.
  • kafka-avro-console-consumer — Receives Avro data in JSON format from the console. The kafka-avro-console-consumer is the kafka-console-consumer with an Avro formatter (io.confluent.kafka.formatter.AvroMessageFormatter). This tool uses the Avro converter with the Schema Registry in order to properly read the Avro data schema.

You can always download the entire Confluent platform to get the CLI tools to connect to the Kafka platform. This reference will guide you through installing the Confluent platform locally on your device: Confluent Installation

Note: You don't need the entire Kafka platform to use the CLI tools. Confluent provides official Docker images (https://docs.confluent.io/current/installation/docker/image-reference.html), and this blog post shows how to use them.

Confluent Docker Images

This blog post uses a couple of Confluent Docker images (cp-kafka and cp-schema-registry) to connect to and interact with the Kafka platform.

1. cp-kafka

The confluentinc/cp-kafka docker image provided by Confluent can be used to execute the following CLI commands.

  • kafka-console-producer
  • kafka-console-consumer

cp-kafka (SSL configuration)

You can configure each Kafka broker and client (consumer) with a truststore, which is used to determine which certificates (broker or client) to trust (authenticate).

  • kafka-console-producer (ssl)
  • kafka-console-consumer (ssl)

If client authentication is not required by the broker, the following is a minimal SSL configuration.

client-ssl.properties

If client authentication is required, then a keystore must be provided for the client and the following must also be configured.

Note: You need to have the JKS file(s) truststore.jks and/or keystore.jks in the directory from which you run the docker commands.
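As an added example (not the post's own gist), the following shell functions write the two variants of client-ssl.properties described above (broker-only authentication versus mTLS), check that a file meant for an mTLS broker actually carries its keystore settings, and show the docker run invocation that mounts the JKS files into the confluentinc/cp-kafka image. Host names, passwords and the /etc/kafka/secrets mount point are assumptions.

```shell
# Added example: write and check client-ssl.properties for the cp-kafka CLI
# tools. Passwords and host names are assumed placeholders; /etc/kafka/secrets
# is where the host directory with the JKS files gets mounted in the container.
# Usage: write_client_ssl_props <outfile> <mode>   mode = server-auth | mtls
write_client_ssl_props() {
  outfile=$1; mode=$2
  {
    echo "security.protocol=SSL"
    echo "ssl.truststore.location=/etc/kafka/secrets/truststore.jks"
    echo "ssl.truststore.password=truststore-password"
    if [ "$mode" = "mtls" ]; then
      # Broker requires client authentication: the client must present its own
      # certificate, so keystore and key password are mandatory.
      echo "ssl.keystore.location=/etc/kafka/secrets/keystore.jks"
      echo "ssl.keystore.password=keystore-password"
      echo "ssl.key.password=key-password"
    fi
  } > "$outfile"
}

# Returns 0 when the file is complete for the requested mode, 1 otherwise.
# Catches the usual mistake: the broker demands a client certificate but the
# config only has a truststore, which fails at handshake time with a generic
# SSL error rather than a message about the missing keystore.
validate_client_ssl_props() {
  file=$1; mode=$2
  grep -q '^security.protocol=SSL$' "$file" || return 1
  grep -q '^ssl.truststore.location=' "$file" || return 1
  grep -q '^ssl.truststore.password=' "$file" || return 1
  if [ "$mode" = "mtls" ]; then
    grep -q '^ssl.keystore.location=' "$file" || return 1
    grep -q '^ssl.keystore.password=' "$file" || return 1
    grep -q '^ssl.key.password=' "$file" || return 1
  fi
  return 0
}

# Console consumer from the cp-kafka image. The current directory holds
# truststore.jks, keystore.jks and client-ssl.properties and is mounted
# read-only; the paths inside the properties file are container paths.
run_console_consumer() {
  topic=$1
  docker run --rm -v "$(pwd):/etc/kafka/secrets:ro" confluentinc/cp-kafka \
    kafka-console-consumer \
      --bootstrap-server kafka-broker.example.com:9093 \
      --consumer.config /etc/kafka/secrets/client-ssl.properties \
      --topic "$topic" --from-beginning
}
```

The same properties file works for kafka-console-producer via --producer.config.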

JKS keystore and PEM from PFX/PKCS12
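An added example (not from the post) of the conversions the heading above refers to: turning a PKCS12/PFX bundle into the JKS keystore the Kafka CLI expects, building a truststore from a CA certificate, and extracting a PEM certificate and key for tools such as curl, with a check that a PEM pair actually belongs together. File names and passwords are assumed placeholders.

```shell
# Added example: PKCS12/PFX -> JKS keystore, PEM truststore, and PEM cert/key
# for curl, plus a check that a PEM pair actually belongs together.
# File names and passwords are assumed placeholders.

# keytool ships with the JDK. A PKCS12 bundle holding the client cert and key
# becomes the keystore.jks that ssl.keystore.location points to.
pfx_to_jks() {
  pfx=$1; pfxpass=$2; jks=$3; jkspass=$4
  keytool -importkeystore -noprompt \
    -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$pfxpass" \
    -destkeystore "$jks" -deststoretype JKS -deststorepass "$jkspass"
}

# The truststore only ever needs the CA certificate(s), never a private key.
ca_pem_to_truststore() {
  capem=$1; jks=$2; jkspass=$3
  keytool -importcert -noprompt -alias ca-root \
    -file "$capem" -keystore "$jks" -storepass "$jkspass"
}

# PEM certificate and (unencrypted, -nodes) private key from the same PFX,
# as curl expects them. Keep the key file at mode 0600.
pfx_to_pem() {
  pfx=$1; pfxpass=$2; certout=$3; keyout=$4
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -clcerts -nokeys -out "$certout"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts -nodes -out "$keyout"
  chmod 0600 "$keyout"
}

# Before handing a PEM pair to a client: does the key match the certificate?
# Compares the public key embedded in the cert with the one derived from the
# key; works for RSA and EC. Returns 0 on match, 1 otherwise.
pem_pair_matches() {
  certpub=$(openssl x509 -noout -pubkey -in "$1")
  keypub=$(openssl pkey -pubout -in "$2")
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}
```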

2. cp-schema-registry

The confluentinc/cp-schema-registry docker image provided by Confluent can be used to execute the following CLI commands.

  • kafka-avro-console-producer
  • kafka-avro-console-consumer

Now to the most important part of this blog post: how to use the Kafka CLI tools when mTLS is enabled on both the Kafka broker and the Kafka schema registry.

cp-schema-registry (SSL configuration)

When the Kafka schema registry is also configured with a truststore, the schema registry does not respect the SSL properties passed for the Kafka CLI client, but I managed to get it working by passing in the SSL config values as JVM parameters.

  • kafka-avro-console-producer (ssl)
  • kafka-avro-console-consumer (ssl)

Bonus

I have built a simple Docker-based CLI tool for kafka-avro-console-consumer using the 3 Musketeers pattern (https://3musketeers.io/). You can find the code here: https://github.com/swapdesai/kafka-avro-console-consumer

Avro to JSON

If you have your own schema and need to create a sample JSON message out of it, refer to this repository: https://github.com/swapdesai/kafka-avro-to-json

Useful commands — Interacting with Schema Registry

Commands to interact with the Schema Registry when SSL is configured.
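An added example (not the post's gist) that serves both the cp-schema-registry section above and this one: the kafka-avro-console-consumer run from the confluentinc/cp-schema-registry image, with the registry-side SSL settings passed as javax.net.ssl JVM system properties, and the curl call for inspecting subjects over mTLS. Host names, ports, passwords, the /etc/kafka/secrets mount point, and the environment variable the run-class script reads (SCHEMA_REGISTRY_OPTS, with KAFKA_OPTS set as well) are assumptions.

```shell
# Added example: mTLS towards the schema registry from the cp-schema-registry
# image. Host names, ports, passwords and the /etc/kafka/secrets mount point
# are assumed placeholders.

# Build the JVM system properties that make the registry's HTTPS client use our
# truststore and client keystore. The JKS files must exist on the host
# ($hostdir) but the flags must use the path inside the container ($mountdir);
# mixing those up only shows up later as an opaque PKIX/handshake failure.
schema_registry_jvm_opts() {
  hostdir=$1; mountdir=$2; tspass=$3; kspass=$4
  for f in truststore.jks keystore.jks; do
    [ -r "$hostdir/$f" ] || { echo "missing $hostdir/$f" >&2; return 1; }
  done
  printf '%s' "-Djavax.net.ssl.trustStore=$mountdir/truststore.jks" \
    " -Djavax.net.ssl.trustStorePassword=$tspass" \
    " -Djavax.net.ssl.keyStore=$mountdir/keystore.jks" \
    " -Djavax.net.ssl.keyStorePassword=$kspass"
}

# Consumer run: client-ssl.properties (mounted with the JKS files) carries the
# broker-side SSL settings; the JVM flags carry the registry-side ones.
# Assumption: the Avro console tools start via schema-registry-run-class, which
# reads SCHEMA_REGISTRY_OPTS; KAFKA_OPTS is set too for scripts that read that.
run_avro_console_consumer() {
  topic=$1; secrets=/etc/kafka/secrets
  opts=$(schema_registry_jvm_opts "$(pwd)" "$secrets" truststore-password keystore-password) || return 1
  docker run --rm -v "$(pwd):$secrets:ro" \
    -e SCHEMA_REGISTRY_OPTS="$opts" -e KAFKA_OPTS="$opts" \
    confluentinc/cp-schema-registry \
    kafka-avro-console-consumer \
      --bootstrap-server kafka-broker.example.com:9093 \
      --consumer.config "$secrets/client-ssl.properties" \
      --property schema.registry.url=https://schema-registry.example.com:8081 \
      --topic "$topic" --from-beginning
}

# The same trust relationship for plain HTTP calls to the registry: the CA
# certificate verifies the registry, and the PEM client certificate and key
# (as extracted from a PFX bundle with openssl) are verified by it.
sr_curl() {
  curl --silent --show-error --fail \
    --cacert ca.pem --cert client-cert.pem --key client-key.pem \
    "https://schema-registry.example.com:8081/$1"
}
# Examples: sr_curl subjects
#           sr_curl "subjects/my-topic-value/versions/latest"
```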

References

Apache Kafka Quickstart
Confluent Platform CLI Tools

See you in the next post,
SD


PS: There is a host of exciting Kafka and Cloud-Native Transformation projects taking place at Contino. If you are looking for a challenge, get in touch! We're hiring!
