Setting Up Authentication for Kafka

You can set up authentication and SSL to improve security between BusinessEvents and the Kafka broker.

You must configure both the Kafka broker and the Kafka client (BusinessEvents) for authentication.
    Procedure
    Kafka Broker Configuration
  1. Configure the Kafka broker for the security protocol that you require for authentication, for example SASL_PLAIN.
    For details about configuring a Kafka broker for a security protocol (JAAS configuration, JVM parameter, and server properties), refer to the Kafka documentation at https://kafka.apache.org/documentation/#security.
  2. Start ZooKeeper and the Kafka broker.
    Kafka Client (BusinessEvents) Configuration
  3. In BusinessEvents studio, configure the Kafka channel fields for security (Security Protocol and Security Mechanism).
    For example, select SASL_PLAINTEXT as the value of the Security Protocol field and PLAIN as the value of the Security Mechanism field.
  4. Open the BusinessEvents default JAAS configuration file (BE_HOME\mm\config\jaas-config.config) for editing.
    Note: To use your own JAAS configuration file (for example, kafka_client_jaas.config), specify its location in the java.security.auth.login.config CDD property. For example:
    <property name="java.security.auth.login.config" value="D:/kafka_client_jaas.config"/>
  5. Configure the KafkaClient section in the JAAS configuration file. Specify the login module based on the Security Mechanism selected in the Kafka channel properties (see Kafka and Kafka Streams Channel Configuration Properties).
    You can configure the KafkaClient section with the following login modules for authentication:
    • org.apache.kafka.common.security.plain.PlainLoginModule - Specify PlainLoginModule for the PLAIN SASL security mechanism when you want to send a plain-text (non-encrypted) password for authentication. Specify your user name and non-encrypted password in the section.
    • com.tibco.cep.driver.kafka.security.BEPlainLoginModule - Specify BEPlainLoginModule for the PLAIN SASL security mechanism when you want to send your encrypted password for authentication. Specify your user name and encrypted password in the section. You can use the studio-tools utility to encrypt the password; see Generating Encrypted Passwords.
    • com.sun.security.auth.module.Krb5LoginModule - Specify Krb5LoginModule for the GSSAPI (Kerberos) SASL security mechanism.
    • org.apache.kafka.common.security.scram.ScramLoginModule - Specify ScramLoginModule for the SCRAM-SHA-256 and SCRAM-SHA-512 SASL security mechanisms.

    For more information on configuring the JAAS file for Kafka clients, refer to the Kafka documentation at https://kafka.apache.org/documentation/#security.

    For example, the following sample configuration of the KafkaClient section uses the PLAIN SASL security mechanism and sends an encrypted password:
    KafkaClient {
      // BEPlainLoginModule is a wrapper over Kafka's PlainLoginModule with added support of TIBCO encrypted passwords.
      com.tibco.cep.driver.kafka.security.BEPlainLoginModule required
      username=admin
      password="#!8McplDveXbBUsDBnPWzGvAfwlNhVIYS/";
    };
  6. Save the JAAS configuration file and start the BusinessEvents engine (producer and consumer).
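
A check that can be run before starting the engine, added here as an example (it is not TIBCO or Kafka code): it parses the KafkaClient section and reports a login module that does not match the channel's Security Mechanism, a password stored unencrypted in the file, and PLAIN used with SASL_PLAINTEXT, where the connection has no TLS. The function names, the constructed sample, and the assumption that encrypted values begin with #! (as in the sample configuration above) are not from the product documentation.

```python
import re

BE_PLAIN = "com.tibco.cep.driver.kafka.security.BEPlainLoginModule"
ENC_PREFIX = "#!"  # assumption: encrypted values start like the page's sample
# Login module -> SASL mechanisms it serves, as listed on this page.
MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule": {"PLAIN"},
    BE_PLAIN: {"PLAIN"},
    "com.sun.security.auth.module.Krb5LoginModule": {"GSSAPI"},
    "org.apache.kafka.common.security.scram.ScramLoginModule": {"SCRAM-SHA-256", "SCRAM-SHA-512"},
}
# Quoted strings are matched first, so "//" inside a password is not a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|[{};=]|[^\s{};="]+', re.S)

# Constructed input (not from the page): cleartext password containing "//".
SAMPLE = """KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="svc" password="s3//cret";
};"""

def parse_kafka_client(jaas_text):
    """Return (login_module, options) of the KafkaClient entry; ValueError if malformed."""
    toks = [t for t in TOKEN.findall(jaas_text) if not t.startswith(("//", "/*"))]
    i = toks.index("KafkaClient") + 1  # raises ValueError when the section is missing
    if toks[i:i + 1] != ["{"] or len(toks) < i + 3:
        raise ValueError("expected '{ <module> <flag>' after KafkaClient")
    module, i, opts = toks[i + 1], i + 3, {}  # i + 3 skips the control flag ("required")
    while toks[i:i + 1] != [";"]:  # an unterminated entry fails in the unpack below
        key, eq, val = toks[i:i + 3]
        if eq != "=":
            raise ValueError(f"malformed option near {key!r}")
        opts[key] = val[1:-1] if val.startswith('"') else val
        i += 3
    return module, opts

def audit(jaas_text, protocol, mechanism):
    """Check the JAAS file against the channel's Security Protocol and Mechanism."""
    module, opts = parse_kafka_client(jaas_text)
    findings = []
    if mechanism not in MODULES.get(module, set()):
        findings.append(f"{module} does not serve mechanism {mechanism}")
    if module == BE_PLAIN and not opts.get("password", "").startswith(ENC_PREFIX):
        findings.append("BEPlainLoginModule without an encrypted password")
    if "password" in opts and module != BE_PLAIN:
        findings.append("password is stored unencrypted in the JAAS file")
    if mechanism == "PLAIN" and protocol == "SASL_PLAINTEXT":
        findings.append("PLAIN over SASL_PLAINTEXT: the connection is not TLS-protected")
    return findings
```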