Enabling MC2 Kafka Service TLS Communication
This document describes how to enable TLS for communication between Kafka nodes in MC2 Kafka Service cluster and also enabling the TLS communication between MC2 Extract Service, Pyruleservice and MC2 Kafka Service.
MC2 Kafka Service TLS Configuration
This section describes how to enable the TLS Configuration for MC2 Kafka Service. MC2 Kafka Service default configuration expects the keystore and truststore in the following files:
estar/tpe/dynamic/mc2/private/kafkaservice/server.keystore.jks
estar/tpe/dynamic/mc2/private/kafkaservice/server.truststore.jks
Generating the Kafka Service Key and Certificate
This section explains how to generate a self-signed key and certificate for MC2 Kafka Service. If a certificate and key signed by a Certicate Authority are available follow the Java keytool documentation to add the key and certificate to estar/tpe/dynamic/mc2/private/kafkaservice/server.keystore.jks. You can use same key and certificate for both Kafka Service and MC2 Service/Pyruleservice.
Generate a self-signed certificate
cd estar/tpe/dynamic/mc2
mkdir -p private
cd private
mkdir -p kafkaservice
cd kafkaservice
openssl req -x509 -newkey rsa:4096 -extensions SAN \
-reqexts SAN \
-subj '/C=US/CN=*.domain.com' \
-config <(echo "[req]"; echo "distinguished_name=req"; echo "[SAN]"; \
echo "subjectAltName=DNS:node1-hostname,IP:node1-ip,DNS:node2-hostname,IP:node1-ip,...") \
-keyout kafka-server-key.pem -out kafka-server-cert.pem -days 365 -nodes
In the above command line the CN should contain the domain name for the servers on which MC2/Kafka Service will be running. The subjectAltName should contain a list of host names and IP addresses for the servers on which MC2/Kafka is running in the specified format, separated by comma.
Note: if a CA certificate is available you can save them as kafka-server-key.pem and kafka-server-cert.pem and follow the instructions below. The CA certificate must contain the SubjectAltName and a wildcard CN (common name).
2. Create a PEM file with server key and certificate, which will be used to create the Java JKS keystore:
cat kafka-server-key.pem kafka-server-cert.pem > kafka-server-keycert.pem
3. Create the Kafka Server keystore:
openssl pkcs12 -export -in kafka-server-keycert.pem -out server.keystore.pkcs12 -name kafkasrv -noiter -nomaciter
Save the password you enter when prompted. We’ll refer to it later as kafka_key_password
4. Import the certificate into the truststore:
keytool -import -v -trustcacerts -alias kafkaserver -file kafka-server-cert.pem -keystore server.truststore.jks
When prompted for a password use the password from step 3 - kafka_key_password
Note: If you have a root and intermediate CA certificates import them in the server.truststore.jks
5. Create the JKS keystore:
keytool -v -importkeystore -srckeystore server.keystore.pkcs12 -srcstoretype PKCS12 -destkeystore server.keystore.jks -deststoretype JKS
When prompted for keystore password and source password use the password from step 3 - kafka_key_password
6. Store the kafka key password in an encrypted eagle storage file. This step can be executed only on one of the app servers - the password file will be created in a shared location:
./cmdmgr.bin credentials --type=aes --action=add --name=kafkaservice_key --user=kafkaservice_key --pass=kafka_key_password --file=../estar/tpe/dynamic/mc2/private/kafkaservice/epasswd
./cmdmgr.bin credentials --type=aes --action=add --name=kafkaservice_keystore --user=kafkaservice_keystore --pass=kafka_key_password --file=../estar/tpe/dynamic/mc2/private/kafkaservice/epasswd
./cmdmgr.bin credentials --type=aes --action=add --name=kafkaservice_truststore --user=kafkaservice_truststore --pass=kafka_key_password --file=../estar/tpe/dynamic/mc2/private/kafkaservice/epasswd
7. On each app server node open cfg/db_connection.ini file and add the following sections:
[kafkaservice_key]
DBType=
DBName=kafkaservice_key
EstarName=kafkaservice_key
Credfile=estar/tpe/dynamic/mc2/private/kafkaservice/epasswd
[kafkaservice_keystore]
DBType=
DBName=kafkaservice_keystore
EstarName=kafkaservice_keystore
Credfile=estar/tpe/dynamic/mc2/private/kafkaservice/epasswd
[kafkaservice_truststore]
DBType=
DBName=kafkaservice_truststore
EstarName=kafkaservice_truststore
Credfile=estar/tpe/dynamic/mc2/private/kafkaservice/epasswd
8. On each app server node edit the estar/tpe/cfg/kafkaservice/kafka-service.yml
- create this file if it does not exist. Add to this file the following parameters:
eagle.enable.ssl: true
eagle.kafka.instance.kafkaBrokerConfigs:
ssl.client.auth: required
9. Restart MC2 Kafka service:
cd eaglemgr
./restart starweb kafkaservice
MC2 Extract Service Kafka TLS Configuration
This section describes how to configure MC2 Extract Service to connect to MC2 Kafka Service with the TLS Connections enabled.
First follow the steps in MC2 Kafka Service TLS Configuration section.
By default MC2 Extract Service uses the keystore and truststore files in:
estar/tpe/dynamic/mc2/private/kafka_ssl_client/client.truststore.jks
estar/tpe/dynamic/mc2/private/kafka_ssl_client/client.keystore.jks
Generate a self-signed certificate
cd estar/tpe/dynamic/mc2
mkdir -p private
cd private
mkdir -p kafka_ssl_client
cd kafka_ssl_client
openssl req -x509 -newkey rsa:4096 -extensions SAN \
-reqexts SAN \
-subj '/C=US/CN=*.domain.com' \
-config <(echo "[req]"; echo "distinguished_name=req"; echo "[SAN]"; \
echo "subjectAltName=DNS:node1-hostname,IP:node1-ip,DNS:node2-hostname,IP:node1-ip,...") \
-keyout keyfile.pem -out certfile.pem -days 365
In the above command line the CN should contain the domain name for the servers on which MC2/Kafka Service will be running. The subjectAltName should contain a list of host names and IP addresses for the servers on which MC2/Kafka is running in the specified format, separated by comma.
Write down the password used when creating the certificate. We will refer to this password as client_cert_password
Note: if a CA certificate is available you can save them as keyfile.pem and certfile.pem and follow the instructions below. The CA certificate must contain the SubjectAltName and a wildcard CN (common name).
2. Create a PEM file with server key and certificate, which will be used to create the Java JKS keystore:
cat keyfile.pem certfile.pem > keycert.pem
3. Create the Kafka client keystore:
openssl pkcs12 -export -in keycert.pem -out client.keystore.pkcs12 -name kafkacli -noiter -nomaciter
Use the same client_cert_password when prompted.
4. Import the certificate into the truststore:
keytool -import -v -trustcacerts -alias kafkaclient -file certfile.pem -keystore client.truststore.jks
When prompted for a password use the password from step 1 - client_cert_password
Note: If you have a root and intermediate CA certificates import them in the client.truststore.jks
5. Create the JKS keystore:
keytool -v -importkeystore -srckeystore client.keystore.pkcs12 -srcstoretype PKCS12 -destkeystore client.keystore.jks -deststoretype JKS
When prompted for keystore password and source password use the password from step 1 - client_cert_password
6. Import the Kafka Service CA, intermediate certificates and root certificate, if available, to client.trustore.jsk. If using the Kafka Service self-signed certificates the command will be:
keytool -import -v -trustcacerts -alias kafkaservice -file ../kafkaservice/kafka-server-cert.pem -keystore client.truststore.jks
When prompted for the keystore password enter the client_cert_password
8. Add the MC2 Kafka Service certificate, CA certificate and intermediate certificates, if available, to a cafile.pem file. If using the Kafka Service self signed certificate run:
cp ../kafkaservice/kafka-server-cert.pem ./cafile.pem
7. Import the client certificate to the Kafka Service truststore. If using the selfsigned certificate execute the following commands:
cd ../kafkaservice
keytool -import -v -trustcacerts -alias kafkaclient -file ../kafka_ssl_client/certfile.pem -keystore server.truststore.jks
When prompted for the keystore password enter the kafka_key_password
8. Store the client kafka key password in an encrypted eagle storage file. This step can be executed only on one of the app servers - the password file will be created in a shared location:
./cmdmgr.bin credentials --type=aes --action=add --name=mc2ejmkey --user=mc2ejmkey --pass=client_cert_password --file=../estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd
./cmdmgr.bin credentials --type=aes --action=add --name=mc2ejmkeystore --user=mc2ejmkeystore --pass=client_cert_password --file=../estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd
./cmdmgr.bin credentials --type=aes --action=add --name=mc2ejmtruststore --user=mc2ejmtruststore --pass=client_cert_password --file=../estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd
./cmdmgr.bin credentials --type=aes --action=add --name=mc2pykafka --user=mc2pykafka --pass=client_cert_password --file=../estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd
Make sure you replace client_cert_password with the correct password in the above commands.
9. On each app server node open cfg/db_connection.ini file and add the following sections:
[mc2ejmkey]
DBType=
DBName=mc2ejmkey
EstarName=mc2ejmkey
Credfile=estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd
[mc2ejmkeystore]
DBType=
DBName=mc2ejmkeystore
EstarName=mc2ejmkeystore
Credfile=estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd
[mc2ejmtruststore]
DBType=
DBName=mc2ejmtruststore
EstarName=mc2ejmtruststore
Credfile=estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd
[mc2pykafka]
DBType=
DBName=mc2pykafka
EstarName=mc2pykafka
Credfile=estar/tpe/dynamic/mc2/private/kafka_ssl_client/epasswd
10. On one of the app servers edit the estar/tpe/dynamic/mc2/cfg/extractservice.yml
file - this file is on a shared location and will affect all MC2 Extract Service instances. Create this file if it does not exist. The file should have the following parameters set at the beginning of the file:
eagle.kafka.camel.defaultCfg.connectionParameters.securityProtocol: SSL
In the extractservice-lb section the following parameter should be set:
---
spring:
profiles: extractservice-lb
application:
name: extractservice-lb
eagle.pyservice.environment:
SECURE_KAFKASERVICE: 1
11. Restart extract service on all nodes:
cd eaglemgr
./restart starweb extractservicelb extractserviceworker