Demo: SSL Authentication

The demo shows how to use SSL/TLS for authentication so no connection can be established between Kafka clients (consumers and producers) and brokers unless a valid and trusted certificate is provided.

The demo is a follow-up to Demo: Secure Inter-Broker Communication. Please finish that demo first, since the CA certificate and key (ca.crt and ca.key) created there are used below.

The demo is made up of the following steps:

Generate Certificate for Client Authentication

Generate the keys and certificate of a Kafka client to be authenticated as jacek.

$ keytool \
  -genkey \
  -keystore jacek.keystore \
  -alias jacek \
  -dname CN=jacek \
  -keyalg RSA \
  -validity 365 \
  -storepass 123456

You should now have one more file in the directory:

  • jacek.keystore - the keystore with the private key and the certificate of the user

Use keytool to print out the content of the keystore.

keytool -list -v -keystore jacek.keystore -storepass 123456

The keystore should contain 1 entry for the alias jacek.

Sign Client Certificate (Using CA)

Create a certificate signing request (CSR) for the client key pair stored in jacek.keystore.

$ keytool \
  -certreq \
  -keystore jacek.keystore \
  -alias jacek \
  -file jacek.unsigned.crt \
  -storepass 123456

Sign the certificate signing request (jacek.unsigned.crt) with the root CA.

$ openssl x509 \
  -req \
  -CA ca.crt \
  -CAkey ca.key \
  -in jacek.unsigned.crt \
  -out jacek.crt \
  -days 365 \
  -CAcreateserial \
  -passin pass:1234
Signature ok
subject=CN = jacek
Getting CA Private Key

You should have the following file in the directory:

  • jacek.crt - the signed certificate of the user

Import Certificates to Client Keystore

Populate the SSL keystore of the Kafka client. Each client gets its own unique keystore.

Import the certificate of the CA into the client keystore.

$ keytool \
  -import \
  -file ca.crt \
  -keystore jacek.keystore \
  -alias ca \
  -storepass 123456
Certificate was added to keystore

Import the signed certificate into the client keystore. Make sure to use the same -alias as you used earlier (jacek), so keytool installs the signed certificate as the certificate reply for the existing key pair instead of creating a separate trusted-certificate entry.

$ keytool \
  -import \
  -file jacek.crt \
  -keystore jacek.keystore \
  -alias jacek \
  -storepass 123456
Certificate reply was installed in keystore

Use keytool to print out the certificates in the client keystore.

keytool -list -v -keystore jacek.keystore -storepass 123456

There should be 2 entries (one for the CA and another for the client itself).

Require Client Authentication Using SSL on Kafka Brokers

Enable SSL authentication (require client authentication using SSL certificates).

Edit config/ and add the following configuration property:


Start the broker(s).

./bin/ config/

Use export to debug SSL-related issues.

Verify the SSL configuration of the broker. The following uses the Cryptography and SSL/TLS Toolkit (OpenSSL) and the client tool.

openssl s_client -connect localhost:9093

The client tool will quit immediately: the broker requires clients to present a valid certificate during the TLS handshake and the tool presented none, so the handshake is aborted. You should find the following INFO message in the broker logs:

[SocketServer brokerId=0] Failed authentication with /0:0:0:0:0:0:0:1 (SSL handshake failed)

Configure SSL Authentication for Kafka Client

Use the following as a minimal configuration of a Kafka client to use SSL authentication:


Use utility to send records to Kafka brokers over SSL: \
  --broker-list :9093 \
  --topic ssl \
  --producer.config /tmp/kafka-ssl-demo/

Use export to debug SSL issues. Consult the source code of Java’s SSLLogger.
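The following POSIX shell script is an added example, not part of the original demo: it reproduces the CA-signing step with OpenSSL alone and adds the check a broker that requires client authentication performs against its truststore, namely that the signed client certificate chains to the trusted CA while a certificate issued by an unrelated CA is rejected. The CA names, the second client (guest) and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original demo: reproduce the CA-signing step with
# OpenSSL only and check the result the way a broker that requires client
# authentication does, by validating the client certificate against the CA.
# Assumes openssl is on PATH; every file and CA name here is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption for the example)

# Self-signed root CA, a stand-in for ca.crt/ca.key from the previous demo.
make_ca() {  # $1 = base name, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Client key + CSR, then the CSR signed by the given CA (the openssl x509 -req
# step of the demo, with the same flags).
issue_client_cert() {  # $1 = client CN, $2 = CA base name
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" -days 365 2>/dev/null
}

# 0 if the certificate chains to the trusted CA, non-zero otherwise. This is
# the check the broker makes against its truststore during the TLS handshake.
verify_client_cert() {  # $1 = client CN, $2 = trusted CA base name
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Bundle key and signed cert as PKCS12 so keytool can import both at once
# (keytool -importkeystore -srckeystore NAME.p12 -srcstoretype PKCS12).
to_pkcs12() {  # $1 = client CN, $2 = store password
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -name "$1" -out "$WORK/$1.p12" -passout "pass:$2"
}

run_demo() {
  make_ca ca "demo-root-ca"            # the CA the broker trusts
  make_ca other-ca "unrelated-ca"      # a CA the broker does not trust
  issue_client_cert jacek ca
  issue_client_cert guest other-ca
  verify_client_cert jacek ca && echo "jacek.crt: OK, signed by the trusted CA"
  verify_client_cert guest ca || echo "guest.crt: rejected, not signed by the trusted CA"
  to_pkcs12 jacek 123456
}

run_demo
```

The resulting jacek.p12 can be merged into jacek.keystore with keytool -importkeystore, which is the same end state as the two keytool -import steps above.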

That’s all for the demo.

