...

This section explains how to generate a self-signed key and certificate for the MC2 Kafka Service. If a certificate and key signed by a Certificate Authority are available, follow the Java keytool documentation to add the key and certificate to estar/tpe/dynamic/mc2/private/kafkaservice/server.keystore.jks. You can use the same key and certificate for both the Kafka Service and the MC2 Service/Pyruleservice.

  1. Generate a self-signed certificate

cd estar/tpe/dynamic/mc2

mkdir -p private

...

openssl req -x509 -newkey rsa:4096 -extensions SAN \
  -reqexts SAN \
  -subj '/C=US/CN=*.domain.com' \
  -config <(echo "[req]"; echo "distinguished_name=req"; echo "[SAN]"; \
  echo "subjectAltName=DNS:node1-hostname,IP:node1-ip,DNS:node2-hostname,IP:node2-ip,...") \
  -keyout kafka-server-key.pem -out kafka-server-cert.pem -days 365 -nodes

In the above command line the CN should contain the domain name of the servers on which the MC2/Kafka Service will be running. The subjectAltName should list the host names and IP addresses of the servers on which MC2/Kafka is running, in the format shown, separated by commas. Note that the -config argument uses bash process substitution, so run the command from bash.

Note: if a CA-signed key and certificate are available, save them as kafka-server-key.pem and kafka-server-cert.pem and follow the instructions below. The CA-signed certificate must contain the subjectAltName entries and a wildcard CN (common name).

2. Create a PEM file with server key and certificate, which will be used to create the Java JKS keystore:

...

7. On each app server node open the cfg/db_connection.ini file and add the following sections:

[kafkaservice_key]
DBType=
DBName=kafkaservice_key
EstarName=kafkaservice_key
Credfile=estar/tpe/dynamic/mc2/private/kafkaservice/epasswd

[kafkaservice_keystore]
DBType=
DBName=kafkaservice_keystore
EstarName=kafkaservice_keystore
Credfile=estar/tpe/dynamic/mc2/private/kafkaservice/epasswd

[kafkaservice_truststore]
DBType=
DBName=kafkaservice_truststore
EstarName=kafkaservice_truststore
Credfile=estar/tpe/dynamic/mc2/private/kafkaservice/epasswd

8. On each app server node edit estar/tpe/cfg/kafkaservice/kafka-service.yml (create the file if it does not exist) and add the following parameters:

eagle.enable.ssl: true
eagle.kafka.instance.kafkaBrokerConfigs:
  ssl.client.auth: required

9. Restart MC2 Kafka service:

...

estar/tpe/dynamic/mc2/private/kafka_ssl_client/client.keystore.jks

  1. Generate a self-signed certificate

cd estar/tpe/dynamic/mc2

mkdir -p private

...

openssl req -x509 -newkey rsa:4096 -extensions SAN \
  -reqexts SAN \
  -subj '/C=US/CN=*.domain.com' \
  -config <(echo "[req]"; echo "distinguished_name=req"; echo "[SAN]"; \
  echo "subjectAltName=DNS:node1-hostname,IP:node1-ip,DNS:node2-hostname,IP:node2-ip,...") \
  -keyout keyfile.pem -out certfile.pem -days 365

In the above command line the CN should contain the domain name of the servers on which the MC2/Kafka Service will be running. The subjectAltName should list the host names and IP addresses of the servers on which MC2/Kafka is running, in the format shown, separated by commas. Unlike the server command, this one omits -nodes, so openssl prompts for a passphrase that encrypts keyfile.pem.

Write down the password used when creating the certificate. We will refer to this password as client_cert_password.

Note: if a CA-signed key and certificate are available, save them as keyfile.pem and certfile.pem and follow the instructions below. The CA-signed certificate must contain the subjectAltName entries and a wildcard CN (common name).
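The server step earlier and the client step above both build the certificate with a bash process substitution and then rely on the note that the result carries a wildcard CN and the subjectAltName entries. The following added example (not from the original page) does the same generation from a plain OpenSSL config file and then checks the CN and every SAN entry before the PEM is imported into a JKS keystore; the example.com domain, host names and IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Generates a self-signed
# certificate using the page's SAN list format and verifies CN and SAN
# entries before the PEM goes into a keystore. Hosts/IPs are constructed.

# gen_cert OUTDIR DOMAIN SAN_LIST
#   SAN_LIST uses the page's format: DNS:host1,IP:addr1,DNS:host2,IP:addr2
#   Writes OUTDIR/key.pem and OUTDIR/cert.pem with an unencrypted key (the
#   server step); drop -nodes to be prompted for a passphrase (client step).
gen_cert() {
    outdir=$1; domain=$2; san=$3
    mkdir -p "$outdir"
    # Same config the page builds with process substitution, as a file
    printf '[req]\ndistinguished_name=req\n[SAN]\nsubjectAltName=%s\n' "$san" \
        > "$outdir/san.cnf"
    openssl req -x509 -newkey rsa:4096 -extensions SAN -reqexts SAN \
        -subj "/C=US/CN=*.$domain" -config "$outdir/san.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" -days 365 -nodes \
        2>/dev/null
}

# check_cert CERT DOMAIN SAN_LIST
#   Returns 0 when the subject CN is exactly *.DOMAIN and every entry of
#   SAN_LIST is present in the certificate; otherwise reports and returns 1.
check_cert() {
    cert=$1; domain=$2; san=$3; rc=0
    # Strip spaces so old ("/CN=x") and new ("CN = x") subject styles compare alike
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/ //g')
    case "$subject" in
        *"CN=*.$domain") ;;
        *"CN=*.$domain,"*|*"CN=*.$domain/"*) ;;
        *) echo "CN is not *.$domain: $subject"; rc=1 ;;
    esac
    # The SAN value is the line after the extension header in -text output;
    # openssl prints IP entries as "IP Address:", normalise to the page's "IP:"
    have=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | sed 's/IP Address:/IP:/g; s/ //g')
    for entry in $(printf '%s' "$san" | tr ',' ' '); do
        case ",$have," in
            *",$entry,"*) ;;
            *) echo "missing SAN entry: $entry"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run check_cert against the PEM you intend to import (self-signed or CA-signed) with the same domain and SAN list you expect the brokers to present; a non-zero exit means clients will fail hostname verification against at least one node.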

2. Create a PEM file with server key and certificate, which will be used to create the Java JKS keystore:

...

keytool -import -v -trustcacerts -alias kafkaclient -file ../kafka_ssl_client/certfile.pem -keystore server.truststore.jks

...

9. On each app server node open the cfg/db_connection.ini file and add the following sections:

[mc2ejmkey]
DBType=
DBName=mc2ejmkey
EstarName=mc2ejmkey
Credfile=estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd

[mc2ejmkeystore]
DBType=
DBName=mc2ejmkeystore
EstarName=mc2ejmkeystore
Credfile=estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd

[mc2ejmtruststore]
DBType=
DBName=mc2ejmtruststore
EstarName=mc2ejmtruststore
Credfile=estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd

[mc2pykafka]
DBType=
DBName=mc2pykafka
EstarName=mc2pykafka
Credfile=estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd

10. On one of the app servers edit the estar/tpe/dynamic/mc2/cfg/extractservice.yml file. This file is on a shared location, so the change affects all MC2 Extract Service instances. Create the file if it does not exist. The following parameter should be set at the beginning of the file:

eagle.kafka.camel.defaultCfg.connectionParameters.securityProtocol: SSL

In the extractservice-lb section the following parameter should be set:

...