@@ -128,9 +128,9 @@ To complete the configuration modification, do the following steps:
128128
129129 
130130
131- 1. Under **Advanced kafka-env** add the following lines to the end of the **kafka-env template** property .
131+ 1. Add new configuration properties to the server.properties file .
132132
133- ```config
133+ ```bash
134134 # Configure Kafka to advertise IP addresses instead of FQDN
135135 IP_ADDRESS=$(hostname -i)
136136 echo advertised.listeners=$IP_ADDRESS
@@ -143,8 +143,7 @@ To complete the configuration modification, do the following steps:
143143 echo "ssl.truststore.password=MyServerPassword123" >> /usr/hdp/current/kafka-broker/conf/server.properties
144144 ```
145145
146- TODO: New screen shot showing this text.
147- TODO: Above steps are for Kafka 3.6. For Kafka 4.0 there are separate properties.
146+ 1. Go to Ambari configuration UI and verify that the new properties show up under **Advanced kafka-env** and the **kafka-env template** property.
148147
149148
150149
@@ -153,92 +152,183 @@ TODO: Above steps are for Kafka 3.6. For Kafka 4.0 there are separate properties
153152
154153## Client setup (without authentication)
155154
155+ If you don' t need authentication, the summary of the steps to set up only SSL encryption are:
156+
157+ 1. Sign in to the CA (active head node).
158+ 1. Copy the CA cert to client machine from the CA machine (wn0).
159+ 1. Sign in to the client machine (hn1) and navigate to the ` ~/ssl`
160+ 1. Import the CA cert to the truststore.
161+ 1. Import the CA cert to the keystore.
162+
163+ These steps are detailed in the following code snippets.
164+
165+ 1. Sign in to the CA node.
156166
157- If you don' t need authentication, the steps to set up only SSL encryption are:
167+ ` ` ` bash
168+ ssh sshuser@HeadNode0_Name
169+ cd ssl
170+ ` ` `
158171
159- 1. Sign in to the client machine (hn1) and navigate to the ` ~/ssl`
160- 1. Copy the signed cert to client machine from the CA machine (wn0).
161- 1. Import the CA cert to the truststore
162- 1. Import the CA cert to the keystore
172+ 1. Copy the ca-cert to the client machine
163173
164- These steps are shown in the following code snippet.
174+ ` ` ` bash
175+ scp ca-cert sshuser@HeadNode1_Name:~ /ssl/ca-cert
176+ ` ` `
165177
166- ` ` ` bash
167- cd ssl
178+ 1. Sign in to the client machine (standby head node).
168179
169- # Copy signed cert to client machine
170- scp sshuser@hn0-umakaf:/home/sshuser/ssl/ca-cert .
180+ ` ` ` bash
181+ ssh sshuser@HeadNode1_Name
182+ cd ssl
183+ ` ` `
171184
172- # Import CA cert to truststore
173- keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert -storepass " MyClientPassword123" " MyClientPassword123"
185+ 1. Import the CA certificate to the truststore.
174186
175- # Import CA cert to keystore
176- keytool -keystore kafka.client.keystore .jks -alias CARoot -import -file ca-cert -storepass " MyClientPassword123" " MyClientPassword123"
177- ` ` `
187+ ` ` ` bash
188+ keytool -keystore kafka.client.truststore .jks -alias CARoot -import -file ca-cert -storepass " MyClientPassword123" " MyClientPassword123"
189+ ` ` `
178190
179- Create the file ` client-ssl-auth.properties`
191+ 1. Import the CA cert to keystore.
192+
193+ ` ` ` bash
194+ keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert -storepass " MyClientPassword123" " MyClientPassword123"
195+ ` ` `
180196
181- ` ` ` bash
182- security.protocol=SSL
183- ssl.truststore.location=/home/sshuser/ssl/kafka.client.truststore.jks
184- ssl.truststore.password=MyClientPassword123
185- ` ` `
197+ 1. Create the file ` client-ssl-auth.properties`
198+
199+ ` ` ` config
200+ security.protocol=SSL
201+ ssl.truststore.location=/home/sshuser/ssl/kafka.client.truststore.jks
202+ ssl.truststore.password=MyClientPassword123
203+ ` ` `
186204
187205# # Client setup (with authentication)
188206
189207> [! Note]
190208> The following steps are required only if you are setting up both SSL encryption ** and** authentication. If you are only setting up encryption, please proceed to [Client setup without authentication](apache-kafka-ssl-encryption-authentication.md#client-setup-without-authentication)
191209
192- Complete the following steps to finish the client setup:
210+ The following four steps summarize the tasks needed to complete the client setup:
193211
1942121. Sign in to the client machine (standby head node).
1952131. Create a java keystore and get a signed certificate for the broker. Then copy the certificate to the VM where the CA is running.
1962141. Switch to the CA machine (active head node) to sign the client certificate.
1972151. Go to the client machine (standby head node) and navigate to the ` ~/ssl`
198216
199- ` ` ` bash
200- rm -R ~ /ssl
201- mkdir ssl
202- cd ssl
217+ The details of each step are given below.
203218
204- # Create a java keystore and get a signed certificate for the broker. Then copy the certificate to the VM where the CA is running .
219+ 1. Sign in to the client machine (standby head node) .
205220
206- keytool -genkey -keystore kafka.client.keystore.jks -validity 365 -storepass " MyClientPassword123" " MyClientPassword123" " CN=hn1-umakss.edi2jmghphluhciglpms50eifg.cx.internal.cloudapp.net"
221+ ` ` ` bash
222+ ssh sshuser@HeadNode1_Name
223+ ` ` `
207224
208- keytool -keystore kafka.client.keystore.jks -certreq -file client-cert-sign-request -storepass " MyClientPassword123 " -keypass " MyClientPassword123 "
225+ 1. Remove any existing ssl directory.
209226
210- # Copy the cert to the CA
211- scp client-cert-sign-request sshuser@HeadNode0_Name:~ /ssl/client-cert-sign-request
227+ ` ` ` bash
228+ rm -R ~ /ssl
229+ mkdir ssl
230+ cd ssl
231+ ` ` `
212232
213- # Switch to the CA machine (active head node) to sign the client certificate.
214- cd ssl
215- openssl x509 -req -CA ca-cert -CAkey ca-key -in ~ /ssl/client-cert-sign-request -out ~ /ssl/client-cert-signed -days 365 -CAcreateserial -passin pass:MyClientPassword123
216- scp client-cert-signed sshuser@HeadNode1_Name:~ /ssl/client-signed-cert
233+ 1. Create a java keystore and create a certificate signing request.
217234
218- scp ca-cert sshuser@HeadNode1_Name:~ /ssl/ca-cert
235+ ` ` ` bash
236+ keytool -genkey -keystore kafka.client.keystore.jks -validity 365 -storepass " MyClientPassword123" " MyClientPassword123" " CN=HEADNODE1_FQDN"
237+
238+ keytool -keystore kafka.client.keystore.jks -certreq -file client-cert-sign-request -storepass " MyClientPassword123" " MyClientPassword123"
239+ ` ` `
219240
220- # Return to the client machine (standby head node), navigate to ~/ssl folder and copy signed cert from the CA (active head node) to client machine
221- keytool -keystore kafka.client.keystore.jks -import -file client-cert-signed -storepass MyClientPassword123 -keypass MyClientPassword123 -noprompt
241+ 1. Copy the certificate signing request to the CA
222242
223- # Execute below commands that create client store with signed cert, and re-imports ca cert:
243+ ` ` ` bash
244+ scp client-cert-sign-request sshuser@HeadNode0_Name:~ /ssl/client-cert-sign-request
245+ ` ` `
224246
225- keytool -keystore kafka.client.keystore.jks -import -file client-cert-signed -storepass MyClientPassword123 -keypass MyClientPassword123 -noprompt
247+ 1. Switch to the CA machine (active head node) and sign the client certificate.
226248
227- keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert -storepass MyClientPassword123 -keypass MyClientPassword123 -noprompt
249+ ` ` ` bash
250+ ssh sshuser@HeadNode0_Name
251+ cd ssl
252+ openssl x509 -req -CA ca-cert -CAkey ca-key -in ~ /ssl/client-cert-sign-request -out ~ /ssl/client-cert-signed -days 365 -CAcreateserial -passin pass:MyClientPassword123
253+ ` ` `
228254
229- keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert -storepass MyClientPassword123 -keypass MyClientPassword123 -noprompt
230- ` ` `
255+ 1. Copy signed client cert from the CA (active head node) to client machine.
231256
232- Lastly, view the file ` client-ssl-auth.properties` command ` cat client-ssl-auth.properties`
257+ ` ` ` bash
258+ scp client-cert-signed sshuser@HeadNode1_Name:~ /ssl/client-signed-cert
259+ ` ` `
233260
234- ` ` ` bash
235- security.protocol=SSL
236- ssl.truststore.location=/home/sshuser/ssl/kafka.client.truststore.jks
237- ssl.truststore.password=MyClientPassword123
238- ssl.keystore.location=/home/sshuser/ssl/kafka.client.keystore.jks
239- ssl.keystore.password=MyClientPassword123
240- ssl.key.password=MyClientPassword123
241- ` ` `
261+ 1. Copy the ca-cert to the client machine
262+
263+ ` ` ` bash
264+ scp ca-cert sshuser@HeadNode1_Name:~ /ssl/ca-cert
265+ ` ` `
266+
267+ 1. Create client store with signed cert, and import ca cert into the keystore and truststore:
268+
269+ ` ` ` bash
270+ keytool -keystore kafka.client.keystore.jks -import -file client-cert-signed -storepass MyClientPassword123 -keypass MyClientPassword123 -noprompt
271+
272+ keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert -storepass MyClientPassword123 -keypass MyClientPassword123 -noprompt
273+
274+ keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert -storepass MyClientPassword123 -keypass MyClientPassword123 -noprompt
275+ ` ` `
276+
277+ 1. Create a file ` client-ssl-auth.properties`
278+
279+ ` ` ` bash
280+ security.protocol=SSL
281+ ssl.truststore.location=/home/sshuser/ssl/kafka.client.truststore.jks
282+ ssl.truststore.password=MyClientPassword123
283+ ssl.keystore.location=/home/sshuser/ssl/kafka.client.keystore.jks
284+ ssl.keystore.password=MyClientPassword123
285+ ssl.key.password=MyClientPassword123
286+ ` ` `
287+
288+ # # Verification
289+
290+ > [! Note]
291+ > If HDInsight 4.0 and Kafka 2.1 is installed, you can use the console producer/consumers to verify your setup. If not, run the Kafka producer on port 9092 and send messages to the topic, and then use the Kafka consumer on port 9093 which uses SSL.
292+
293+ # ## Kafka 2.1 or above
294+
295+ 1. Create a topic if it doesn’t exist already.
296+
297+ ` ` ` bash
298+ /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper < ZOOKEEPER_NODE> :2181 --create --topic topic1 --partitions 2 --replication-factor 2
299+ ` ` `
300+
301+ 1. Start console producer and provide the path to ` client-ssl-auth.properties` for the producer.
302+
303+ ` ` ` bash
304+ /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list < FQDN_WORKER_NODE> :9093 --topic topic1 --producer.config ~ /ssl/client-ssl-auth.properties
305+ ` ` `
306+
307+ 1. Open another ssh connection to client machine and start console consumer and provide the path to ` client-ssl-auth.properties` for the consumer.
308+
309+ ` ` ` bash
310+ /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --bootstrap-server < FQDN_WORKER_NODE> :9093 --topic topic1 --consumer.config ~ /ssl/client-ssl-auth.properties --from-beginning
311+ ` ` `
312+
313+ # ## Kafka 1.1
314+
315+ 1. Create a topic if it doesn’t exist already.
316+
317+ ` ` ` bash
318+ /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper < ZOOKEEPER_NODE_0> :2181 --create --topic topic1 --partitions 2 --replication-factor 2
319+ ` ` `
320+
321+ 1. Start console producer and provide the path to client-ssl-auth.properties as a configuration file for the producer.
322+
323+ ` ` ` bash
324+ /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list < FQDN_WORKER_NODE> :9092 --topic topic1
325+ ` ` `
326+
327+ 3. open another ssh connection to client machine and start console consumer and provide the path to ` client-ssl-auth.properties` for the consumer.
328+
329+ ` ` ` bash
330+ $ /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --bootstrap-server < FQDN_WORKER_NODE> :9093 --topic topic1 --consumer.config ~ /ssl/client-ssl-auth.properties --from-beginning
331+ ` ` `
242332
243333# # Next steps
244334
0 commit comments