Configure TLS/SSL authentication for Kafka clients
Kafka supports TLS/SSL authentication (two-way authentication). Client configuration is done by setting the relevant security-related properties for the client.
The following steps demonstrate configuration for the console consumer or producer. If you are configuring a custom developed client, see Java client security examples or .Net client security examples for code examples.
- Generate or acquire a key and truststore for your clients which contain all necessary keys and certificates.
- Note down the locations and passwords for the key and truststores. You will need to provide these during configuration.
- If the Certificate Authority of the client certificates is different from the
Certificate Authority of the broker certificates, ensure the client Certificate
Authority certificate is added to the truststore of the Kafka brokers.
Otherwise, the broker will not trust the certificates used by its clients and a trusted connection will not be established.
- Create a
.propertiesfile.In this example the file is named
- Add the mandatory properties to the file.The following configuration example contains all mandatory properties:
security.protocol=SSL ssl.truststore.location=[***PATH TO CLIENT TRUSTSTORE***] ssl.truststore.password=[***PASSWORD***] ssl.keystore.location=[***PATH TO CLIENT KEYSTORE***] ssl.keystore.password=[***PASSWORD***] ssl.key.password=[***PASSWORD***]
- (Optional) Add additional properties.Depending on your requirements and broker configuration, other configuration properties might also be needed. The following are some of the most commonly used optional properties:
- Run the client.
- Console Consumer
kafka-console-producer --bootstrap-server [***HOST1:PORT1***] --topic [***TOPIC***] --producer.config client.properties
- Console Producer
kafka-console-consumer --bootstrap-server [***HOST1:PORT1***] --topic [***TOPIC***] --consumer.config client.properties