Setting Up Authentication for Kafka
You can set up authentication and SSL to improve security between BusinessEvents and the Kafka broker.
Procedure
Kafka Broker Configuration
- Configure the Kafka broker for a security protocol that you require for authentication, for example SASL_PLAIN.
For more details about the steps involved for configuring a Kafka broker for a security protocol (JAAS configuration, JVM parameter, and server properties), refer to the Kafka documentation at https://kafka.apache.org/documentation/#security.
- Start ZooKeeper and Kafka broker.
Kafka Client (BusinessEvents) Configuration
- In BusinessEvents studio, configure the Kafka channel fields for security (Security Protocol and Security Mechanism).
For more details, see Kafka and Kafka Streams Channel Configuration Properties. For example, SASL_PLAINTEXT is selected as the value of the Security Protocol field and PLAIN is selected as the value of the Security Mechanism field.
- Open the BusinessEvents default JAAS configuration file (BE_HOME\mm\config\jaas-config.config) for editing.
- Configure the KafkaClient section in the JAAS configuration file. Specify the login module based on the Security Mechanism selected in the Kafka channel properties (see Kafka and Kafka Streams Channel Configuration Properties).
You can configure the KafkaClient section using the following login modules for authentication:
  - org.apache.kafka.common.security.plain.PlainLoginModule - Specify PlainLoginModule for the PLAIN SASL security mechanism when you want to send a plain text (non-encrypted) password for authentication. Specify your user name and non-encrypted password in the section.
  - com.tibco.cep.driver.kafka.security.BEPlainLoginModule - Specify BEPlainLoginModule for the PLAIN SASL security mechanism when you want to send your encrypted password for authentication. Specify your user name and encrypted password in the section. You can use the studio-tools utility to encrypt the password; see Generating Encrypted Passwords.
  - com.sun.security.auth.module.Krb5LoginModule - Specify Krb5LoginModule for the GSSAPI (Kerberos) SASL security mechanism.
  - org.apache.kafka.common.security.scram.ScramLoginModule - Specify ScramLoginModule for the SCRAM-SHA-256 and SCRAM-SHA-512 SASL security mechanisms.
For more information on configuring the JAAS file for Kafka clients, refer to the Kafka documentation at https://kafka.apache.org/documentation/#security.
For example, see the following sample configuration of the KafkaClient section for the PLAIN SASL security mechanism, sending an encrypted password:

    KafkaClient {
        com.tibco.cep.driver.kafka.security.BEPlainLoginModule required
        //BEPlainLoginModule is a wrapper over Kafka's PlainLoginModule with added support of TIBCO encrypted passwords.
        username=admin
        password="#!8McplDveXbBUsDBnPWzGvAfwlNhVIYS/";
    };
- Save the JAAS configuration file and start BusinessEvents engine (producer and consumer).
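As a check on the client-side steps above, the following added example (not part of the BusinessEvents documentation or product) parses the KafkaClient section of a JAAS file, compares its login module with the Security Mechanism chosen for the channel, and reports a clear-text password. The function names and sample files are constructed for illustration, and the "#!" prefix test for an encrypted password is an assumption based on the sample configuration on this page.

```python
import re

# Login modules per SASL mechanism, as listed on this page.
PLAIN_MODULE = "org.apache.kafka.common.security.plain.PlainLoginModule"
BE_PLAIN = "com.tibco.cep.driver.kafka.security.BEPlainLoginModule"
SCRAM = "org.apache.kafka.common.security.scram.ScramLoginModule"
MODULES = {
    "PLAIN": {PLAIN_MODULE, BE_PLAIN},
    "GSSAPI": {"com.sun.security.auth.module.Krb5LoginModule"},
    "SCRAM-SHA-256": {SCRAM}, "SCRAM-SHA-512": {SCRAM},
}

def parse_kafka_client(text):
    """Return (login_module, options) for the KafkaClient section of a JAAS file."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)   # drop whole-line // comments
    section = re.search(r"\bKafkaClient\s*\{(.*?)\}\s*;", text, flags=re.S)
    if not section:
        raise ValueError("no KafkaClient section found")
    head = re.match(r"\s*([\w.$]+)\s+(?:required|requisite|sufficient|optional)\b", section.group(1))
    if not head:
        raise ValueError("KafkaClient section has no login module line")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))', section.group(1)[head.end():])
    return head.group(1), {key: quoted or bare for key, quoted, bare in pairs}

def audit(jaas_text, mechanism):
    """List mismatches between the JAAS file and the channel's Security Mechanism."""
    module, opts = parse_kafka_client(jaas_text)
    findings = []
    if module not in MODULES.get(mechanism, set()):
        findings.append(f"login module {module} does not match mechanism {mechanism}")
    password = opts.get("password", "")
    # Assumption: encrypted values start with "#!", as in the page's sample.
    if mechanism == "PLAIN" and password and not password.startswith("#!"):
        findings.append("password is stored in clear text in the JAAS file")
    return findings

# Constructed samples; the credentials are placeholders, not real values.
CLEAR = '''KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  // constructed example
  username="admin"
  password="example-secret";
};'''
ENCRYPTED = CLEAR.replace(PLAIN_MODULE, BE_PLAIN).replace("example-secret", "#!PLACEHOLDER")

if __name__ == "__main__":
    print(audit(CLEAR, "PLAIN"), audit(ENCRYPTED, "PLAIN"))
```

Run it against the JAAS file before starting the engine, passing the same Security Mechanism value that is set on the Kafka channel.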
Copyright © Cloud Software Group, Inc. All rights reserved.