Demo: Secure Inter-Broker Communication

The demo shows how to set up a secure communication between brokers (and disable the unsecure plaintext listener altogether). That will make Kafka brokers available via TLS/SSL only.

Note
 The demo is a follow-up to Demo: Securing Communication Between Clients and Brokers Using SSL. Please finish it first before this demo.

The demo is made up of the following steps:

  1. Configure Broker to Trust Certificate Authority

  2. Enable SSL for Inter-Broker Communication

  3. Disable Plaintext Unsecure Listener

Configure Broker to Trust Certificate Authority

Import the certificate of the certificate authority (CA) to a broker truststore so the brokers can trust it (when a broker tries to connect using SSL).

$ keytool \
  -import \
  -file ca.crt \
  -keystore server.truststore \
  -alias ca \
  -storepass 123456 \
  -noprompt
Certificate was added to keystore

Use keytool to print out the certificates in the client keystore.

keytool -list -v -keystore server.truststore -storepass 123456

There should be 1 entry for the CA.

Enable SSL for Inter-Broker Communication

Edit config/server-ssl.properties and add the following configuration properties to enable SSL for inter-broker communication:

security.inter.broker.protocol=SSL
ssl.truststore.location=/tmp/kafka-ssl-demo/server.truststore
ssl.truststore.password=123456

Start the broker(s).

./bin/kafka-server-start.sh config/server-ssl.properties
Tip
 Use export KAFKA_OPTS=-Djavax.net.debug=all to debug SSL issues.

Verify the SSL configuration of the broker. The following uses the Cryptography and SSL/TLS Toolkit (OpenSSL) and the client tool.

openssl s_client -connect localhost:9093

Disable Plaintext Unsecure Listener

Edit config/server-ssl.properties and add listeners property to use SSL://:9093 only:

listeners=SSL://:9093

Restart the broker.

./bin/kafka-server-start.sh config/server-ssl.properties
Tip
 Use export KAFKA_OPTS=-Djavax.net.debug=all to debug SSL-related issues.

Verify the SSL configuration of the broker. The following uses the Cryptography and SSL/TLS Toolkit (OpenSSL) and the client tool.

openssl s_client -connect localhost:9093

Enter Ctrl-C to close the session.

That’s all for the demo.

results matching ""

    No results matching ""