...

Use Kafka Raft ("KRaft") for Kafka's controller layer. KRaft has been production-ready since Kafka 3.3.1 (October 2022) and is recommended over the ZooKeeper-based controller. KRaft improves performance and reduces each node to a single server configuration file and a single process. NOTE: These instructions were tested with Kafka version 3.3.1.

Configure server.properties

...

To secure traffic over the internet with TLS/SSL, Kafka relies on client/server authentication via a public key infrastructure (PKI). Each Kafka server needs a keystore holding its own identity, while each client and each server needs a truststore in order to authenticate the servers it connects to. As the Kafka administrator you may choose to have all server certificates signed by a public Certificate Authority (CA), or to run a private CA within your organization and use it for signing.

In either case, each Kafka server node's keystore must hold a unique private key (always kept secret) and the corresponding certificate (which gets signed). Each server node's truststore must contain either every signed server certificate or, alternatively, the CA's own certificate, because server nodes act as clients during inter-broker communication. The servers' truststore contents can be identical to the clients'. One benefit of managing a private CA is that every client and server truststore can contain only the CA's certificate, which in effect tells every system in the network to trust the CA and every certificate it signs. This also lets server nodes join or leave the cluster without any certificate having to be added to or removed from any truststore. Note the flip side: a truststore that holds only the CA certificate trusts any certificate the CA ever issued until it expires, so the certificate of a decommissioned or compromised node must be revoked at the CA (or rotated by reissuing the others) rather than simply dropped from a truststore. See the following for comprehensive documentation on PKI architecture and keystore management in Kafka:

...

https://docs.confluent.io/platform/current/security/security_tutorial.html

Create keystores and truststores in PKCS12 format. When creating them you will be prompted for passwords. Add the file locations and passwords to the end of server.properties:
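The following script is an added example, not part of the SHRINE documentation or the SHRINE project's own tooling. It walks through the private-CA layout described above: a self-signed CA, one PKCS12 keystore per broker holding a unique key and a CA-signed certificate, a shared PKCS12 truststore holding only the CA certificate, and finally the ssl.* lines to append to server.properties. The CA name, broker hostname, file names and the KS_PASS/TS_PASS/BROKER_HOST/KAFKA_PKI_RUN variables are assumptions chosen for the example; substitute your own.

```shell
#!/bin/sh
# Added example (not SHRINE's code): provision Kafka TLS material with a
# private CA. Names, paths and environment variables below are placeholders.
#   - one PKCS12 keystore per broker: unique private key + CA-signed cert
#   - one PKCS12 truststore with only the CA cert, shared by brokers and clients
#   - the ssl.* properties to append to server.properties
set -eu

CA_KEY=ca.key
CA_CERT=ca.crt
TRUSTSTORE=kafka_truststore.pkcs12

# Private CA: a self-signed root. Keep ca.key offline once signing is done.
make_private_ca() {
  openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -subj "/CN=shrine-kafka-private-ca" -keyout "$CA_KEY" -out "$CA_CERT"
}

# Per-broker keystore. $1 = broker hostname (used as CN and SAN), $2 = keystore password.
# The private key is generated inside the keystore and never leaves it; only the CSR goes to the CA.
make_broker_keystore() {
  host=$1; pass=$2; ks="${host}_keystore.pkcs12"
  keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$host" -ext "SAN=dns:$host" \
    -storetype PKCS12 -keystore "$ks" -storepass "$pass" -keypass "$pass"
  keytool -certreq -alias "$host" -keystore "$ks" -storepass "$pass" \
    -file "$host.csr"
  # Sign with the CA, carrying the SAN into the issued certificate so that
  # hostname verification (ssl.endpoint.identification.algorithm=https) passes.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$host.ext"
  openssl x509 -req -sha256 -days 365 -in "$host.csr" \
    -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$host.ext" -out "$host.crt"
  # Import the CA cert first so keytool can validate the chain of the signed reply.
  keytool -importcert -noprompt -alias ca-root -file "$CA_CERT" \
    -keystore "$ks" -storepass "$pass"
  keytool -importcert -noprompt -alias "$host" -file "$host.crt" \
    -keystore "$ks" -storepass "$pass"
  rm -f "$host.csr" "$host.ext"
}

# Shared truststore: only the CA cert, so brokers can join or leave without touching it.
# $1 = truststore password
make_truststore() {
  keytool -importcert -noprompt -alias ca-root -file "$CA_CERT" \
    -storetype PKCS12 -keystore "$TRUSTSTORE" -storepass "$1"
}

# Render the ssl.* lines for server.properties.
# $1 keystore path, $2 keystore password, $3 truststore path, $4 truststore password.
# Refuses empty passwords: Kafka would otherwise fail to open the store at startup.
render_ssl_props() {
  [ -n "$2" ] && [ -n "$4" ] || { echo "empty keystore/truststore password" >&2; return 1; }
  cat <<EOF
ssl.keystore.type=PKCS12
ssl.keystore.location=$1
ssl.keystore.password=$2
ssl.key.password=$2
ssl.truststore.type=PKCS12
ssl.truststore.location=$3
ssl.truststore.password=$4
ssl.endpoint.identification.algorithm=https
EOF
}

# The provisioning steps need openssl and keytool, so they run only when asked:
#   KAFKA_PKI_RUN=1 KS_PASS=... TS_PASS=... BROKER_HOST=broker1.example.org sh kafka-pki.sh
if [ "${KAFKA_PKI_RUN:-0}" = "1" ]; then
  host=${BROKER_HOST:-broker1.example.org}
  make_private_ca
  make_broker_keystore "$host" "${KS_PASS:?set KS_PASS}"
  make_truststore "${TS_PASS:?set TS_PASS}"
  render_ssl_props "$PWD/${host}_keystore.pkcs12" "$KS_PASS" "$PWD/$TRUSTSTORE" "$TS_PASS"
fi
```

Repeat make_broker_keystore once per node; every node gets its own key and certificate, while the single truststore file can be copied unchanged to every broker and every client. In PKCS12 the key password must equal the store password, which is why the rendered ssl.key.password reuses the keystore password.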

...

shrine.conf:

shrine {
...
  kafka {
    sasl.jaas.username = "yourShrineHubUser"
    ssl.truststore.location = "path/to/your/kafka_client/_truststore.pkcs12"
  }
...
}//shrine

...

override.conf:

shrine.kafka.sasl.jaas.username = "kafka-admin"
shrine.kafka.ssl.truststore.location = "path/to/your/kafka_client/_truststore.pkcs12"

password.conf:

shrine.kafka.sasl.jaas.password = "yourKafkaAdminPassword"
shrine.kafka.ssl.truststore.password = "clientTruststorePassword"

...