9.3 Kafka Security Setup

This topic describes about the Kafka Security setup.

Prerequisites

Before proceeding, ensure that the below installation is done.
  • JDK is installed in all node machines.
  • Kafka is downloaded and extracted the binary in all node machines. Kafka can be found at <Unzip the file>/THIRD_PARTY_SOFTWARES/KAFKA/ARCHIVE.

Generate Keystore

The items highlighted in bold are placeholders and should be replaced with suitable values when running the command.

keytool -genkeypair -alias alias -keyalg keyalg -keysize keysize -sigalg 
sigalg -validity valDays -keystore keystore

Table 9-1 Generate Keystore - Keyword Description

Keyword Description
alias Used to identify the public and private key pair created.
keyalg It is a key algorithm used to generate the public and private key pair.

The RSA key algorithm is recommended.
keysize It is the size of the public and private key pairs generated.

A key size of 1024 or more is recommended.
sigalg It is the algorithm used to generate the signature.

This algorithm should be compatible with the key algorithm and should be one of the values specified in the Java Cryptography API Specification and Reference.
valdays It is the number of days for which the certificate is to be considered valid.

Please consult with your CA on this period.
keystore It is used to specify the location of the JKS file.

If no JKS file is present in the path provided, one will be created.
The command prompts for the following attributes of the certificate and Keystore:

Table 9-2 Certificate and Keystore - Attributes

Attributes Description
Keystore Password Specify a password used to access the Keystore.

This password needs to be specified later when configuring the identity store in Kafka server.
Key Password Specify a password used to access the private key stored in the Keystore.

This password needs to be specified later when configuring the SSL attributes of the Kafka Server.
First and Last Name (CN) Enter the domain name of the machine. For example, www.example.com.
Name of your Organizational Unit The name of the department or unit making the request.

Use this field to further identify the SSL Certificate you are creating, for example, by department or by physical server.
Name of your Organization The name of the organization making the certificate request. For example, Oracle Financial Services.

It is recommended to use the company or organization's formal name, and this name entered here must match the name found in official records.
Name of your City or Locality The city in which your organization is physically located. For example, Bengaluru.
Name of your State or Province The state/province in which your organization is physically located. For example, Karnataka.
Two-letter Country Code for this Unit The country in which your organization is physically located. For example, US, UK, IN, etc.

Example 9-1 Execution

A sample execution of the command is mentioned below:

keytool -genkeypair -alias certificates -keyalg RSA -keysize 1024 -sigalg SHA512withRSA 
-validity 365 -keystore /scratch/Data/Certificates/KafkaServerKeystore.jks

Enter keystore password:<Enter a password to protect the keystore>

Re-enter new password:<Confirm the password keyed above>

What is your first and last name?

[Unknown]: <domain name>.oracle.com

What is the name of your organizational unit?

[Unknown]: <application name>

What is the name of your organization?

[Unknown]: Oracle Financial Services

What is the name of your City or Locality?

[Unknown]: Bengaluru

What is the name of your State or Province?

[Unknown]: Karnataka

What is the two-letter country code for this unit?

[Unknown]: IN Is CN= name.oracle.com, OU=Test, O=Oracle Financial Services, L= Bengaluru, ST= Karnataka, C=IN correct? [no]: yes

Enter key password for < password >

RETURN if same as keystore password): <Enter a password to protect the key>

Re-enter new password: <Confirm the password keyed above>

Export Private Key as Certificate

Export private key as certificate command is mentioned below:

keytool -export -alias <alias_name> -file <export_certificate_file_name_with_location.cer> 
-keystore <keystore_name.jks> -keypass <Private key Password> -storepass <Store Password>

Example:

keytool -export -alias certs -file /scratch/Data/Certificates/KafkaCert.cer 
-keystore /scratch/Data/Certificates/KafkaServerKeystore.jks -keypass oracle123 
-storepass oracle123

If successful, the following message will be displayed:

Certificate stored in file < KafkaCert.cer>

Import the Cert and Generate TrustStore

To import the cert and generate TrustStore, the command is mentioned below:

keytool -import -alias alias -file cert_file -keystore truststore –storepass storepass

Table 9-3 Certificate and TrustStore - Keyword Description

Keyword Description
alias It is used to identify the public and private key pair.

Specify the alias of the key pair used to create the CSR in the earlier step.
cert_file It is the location of the file containing the PKCS#7 formatted reply from the CA, containing the signed certificate.
truststore It is the location where the TrustStore should be generated.
storepass It is the password for the TrustStore.
The user can generate two TrustStores from the same cert.
  • One used for Kafka server
  • One used for clients

Example:

keytool -import -alias certs -file /scratch/Data/Certificates/KafkaCert.cer 
–keystore /scratch/Data/Certificates/KafkaServerTrustStore.jks -storepass oracle123
keytool -import -alias certs -file /scratch/Data/Certificates/KafkaCert.cer 
-keystore /scratch/Data/Certificates/KafkaClientTrustStore.jks -storepass oracle123
Three Keystore files are required for this method as given in the table below:

Table 9-4 Keystore Files

File Name Description
KafkaServerKeystore.jks Keystore file for Kafka brokers
KafkaServerTrustStore.jks TrustStore file for server
KafkaClientTrustStore.jks TrustStore file for client
To validate the server, each client should import the KafkaClientTrustStore.jks file.

Note:

The TrustStore files should be generated using the same CA. The user can generate and place these files on all the different servers of Kafka so that they can be accessed by server*.properties file. The KafkaClientTrustStore.jks should be placed on the server, which is accessible by the microservices also.

Create Users in Zookeeper

To create users in Zookeeper, follow below steps:
  1. Start the zookeeper.

    Note:

    Refer to Zookeeper Cluster Setup topic for more details.
  2. Follow the below steps for user creation.
    1. Execute the admin command for admin user creation.
      ./kafka-configs.sh --zookeeper localhost:2181 --alter --add-config “SCRAM-SHA-256=
[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]” --entity-type users 
--entity-name admin

      Note:

      The user created with admin as username and password is setup for the user for each scram mechanism. Here, the user admin is used for Kafka broker auth.
    2. Execute the test command for test user creation.
      ./kafka-configs.sh --zookeeper localhost:2181 --alter --add-config “SCRAM-SHA-256=
[iterations=8192,password=test-secret],SCRAM-SHA-512=[password=test-secret]” 
--entity-type users --entity-name test

      Note:

      The user created with test as username and password is setup for the user for each scram mechanism. Here, the user test is used for client auth.

Configure Brokers

Some modifications need to be made in the server.properties file of kafka server.
  1. Add the following properties to Kafka in the server.properties file.

    SSL-SCRAM Settings for SSL Configuration (Recommended)

    listeners=SSL://localhost:9092
    advertised.listeners=SSL://localhost:9092
    ssl.endpoint.identification.algorithm=
    ssl.truststore.location=/scratch/Data/Certificates/KafkaServerTrustStore.jks
    ssl.truststore.password=oracle123
    ssl.keystore.location/scratch/Data/Certificates/KafkaServerKeystore.jks
    ssl.keystore.password=oracle123
    ssl.key.password=oracle123
    security.inter.broker.protocol=SSL

    Entries in the properties table for each kafka consumer/producer service

    • 'spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location'
    • 'spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password'
    • 'spring.cloud.stream.kafka.binder.configuration.security.protocol' value = ‘SSL’
    • 'ssl.endpoint.identification.algorithm' = ''

    SSL-SCRAM Settings for SASL-SSL Configuration (Not recommended)

    ssl.endpoint.identification.algorithm=
    ssl.truststore.location=/scratch/Data/Certificates/KafkaServerTrustStore.jks
    ssl.truststore.password=orcl@123
    ssl.keystore.location/scratch/Data/Certificates/KafkaServerKeystore.jks
    ssl.keystore.password=orcl@123
    ssl.key.password=orcl@123
    sasl.enabled.mechanisms= SCRAM-SHA-256
    sasl.mechanism.inter.broker.protocol= SCRAM-SHA-256
    security.inter.broker.protocol=SASL_SSL
    listeners=SASL_SSL://whf00phz:9093
    advertised.listeners=SASL_SSL://10.40.162.113:9093
    listener.name.sasl_ssl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret";

  2. Specify the absolute path of the Kafka Server Truststore and Keystore and its respective passwords.
  3. Modify the host name and IP in the listeners and advertised.listeners properties field accordingly.
  4. Start the Kafka servers.

    Note:

    Refer to the command in Kafka Cluster Setup topic.

Clients Changes (Kafka Consumer and Producer Services)

These attributes should be available in application.yml of any custom service that connects to SSL/Authentication enabled Kafka broker. Values for these needs to be released to the PROPERTIES table.

Table 9-5 List of PROPERTIES

Key Value
spring.cloud.stream.kafka.binder.brokers <hostname:port>
spring.cloud.stream.kafka.binder.zknodes <hostname:port>
spring.cloud.stream.kafka.binder.jaas.options.username <Zookeeper user created for clients>
spring.cloud.stream.kafka.binder.jaas.options.password <Zookeeper user encrypted password for clients>
spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location <location of client trust store certificate>
spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password <Pass code of client truststore certificate>

To encrypt the password, use the following API of plato-config-service:

API: http://hostname:port/config-service/encrypt

Request Type: Text

Request Body: Password

For example, when the user clicks the above API for the following passwords, we get the response of encrypted value:

test-secret : 36c11a239ffafbe229d888e7d21f0508a38a2501fd5592b1fe54e30889dd57ed

While inserting to properties table, append the encrypted values with the keyword {cipher} to get it decrypted by the config-service during fetch as given in below example:

For more information on adding properties to plato-config-deploy.env, refer to the topic Method 3 – Using env files and setUserOverrides.sh file in Configuration and Deployment Guide.

Important Commands

To view the messages getting sent in Kafka, save the below lines to a file and name it as ssl.properties.

ssl.truststore.location=/scratch/Data/Certificates/KafkaClientTrustStore.jks
ssl.truststore.password=orcl@123
security.protocol=SASL_SSL
ssl.endpoint.identification.algorithm=
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
username="obvam_new" \
password="obvam-secret";

Note:

Update the truststore location and the password.

To view the messages getting sent in Kafka, save the below lines to a file and name it as ssl.properties.

./kafka-console-consumer.sh --bootstrap-server kafka-server --topic topicName 
--consumer.config absolute-path-of-consumer-config --from-beginning
For example, 
./kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test_topic 
--consumer.config =/scratch/kafka/config/ssl.properties --from-beginning

Parent topic: Oracle Banking Microservices Architecture Software Deployment