Enabling SSL on Kafka to secure MDM notifications

You can use SSL to encrypt the communication between the Apache Kafka broker and client applications. You can also use SSL with SASL for authentication.

Before you begin

To secure data communication, you must create a key store and a trust store, and then configure them on the Kafka server and clients. For more information, see Creating SSL artifacts.

Procedure

  1. Enable SSL in the Kafka brokers by completing the steps documented in Securing Apache Kafka client communications.
  2. Log in to the WebSphere® Application Server Integrated Solutions Console (admin console), select a relevant resource environment entry (such as kafkaSAMResourceReference), then navigate to Custom properties.
  3. Add or update the following custom properties on the resource environment entries:
    Property name             Value
    security.protocol         SSL
    ssl.truststore.location   The SSL trust store path. This should be the same path as found in the server.properties file.
    ssl.truststore.password   The SSL trust store password. This should be the same password as found in the server.properties file.
    enableSSLMessaging        true
    ssl.keystore.password     The SSL key store password. This should be the same password as found in the server.properties file.
    ssl.key.password          The SSL key password. This should be the same password as found in the server.properties file.
    ssl.keystore.location     The SSL key store path. This should be the same path as found in the server.properties file.
    sasl.mechanism            ssl
    bootstrap.servers         <hostname>:<kafka_server_ssl_port>

    If your Kafka broker implementation uses SASL communication, then add or update the following additional resource environment entries:

    Property name             Value
    security.protocol         SASL_SSL
    sasl.mechanism            PLAIN
  4. Restart the InfoSphere® MDM application server.

Results

After completing these changes, you can send messages to Apache Kafka topics in InfoSphere MDM with SSL/SASL enabled.
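
The procedure depends on the custom properties agreeing with the broker's server.properties file. The following added example (not part of the original documentation or the product) checks that agreement and reports property names only, never password values. The function names, the sample paths, passwords, host and ports are constructed, and it assumes broker listeners are named after their protocol and that bootstrap.servers holds a single <hostname>:<port> entry.

```python
import re

# Properties the page says must match the broker's server.properties.
SHARED_KEYS = ("ssl.truststore.location", "ssl.truststore.password",
               "ssl.keystore.location", "ssl.keystore.password", "ssl.key.password")

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and not line.startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def listener_ports(server, protocol):
    """Ports of listeners named after the protocol (assumes default listener names)."""
    pattern = r"\b%s://[^:,]*:(\d+)" % re.escape(protocol)
    return set(re.findall(pattern, server.get("listeners", "")))

def check_client(client, server, use_sasl=False):
    """Return problems (secrets never echoed); assumes one host:port in bootstrap.servers."""
    problems = []
    protocol = "SASL_SSL" if use_sasl else "SSL"
    if client.get("security.protocol") != protocol:
        problems.append("security.protocol: expected " + protocol)
    if use_sasl and client.get("sasl.mechanism") != "PLAIN":
        problems.append("sasl.mechanism: expected PLAIN")
    if client.get("enableSSLMessaging") != "true":
        problems.append("enableSSLMessaging: expected true")
    for key in SHARED_KEYS:
        if client.get(key) is None or client.get(key) != server.get(key):
            problems.append(key + ": missing or differs from server.properties")
    port = client.get("bootstrap.servers", "").rpartition(":")[2]
    if port not in listener_ports(server, protocol):
        problems.append("bootstrap.servers: port is not a %s listener" % protocol)
    return problems

# Constructed sample data: paths, passwords, host and ports are placeholders.
SERVER = parse_properties("""
listeners=PLAINTEXT://:9092,SSL://:9093
ssl.truststore.location=/opt/kafka/ssl/truststore.jks
ssl.truststore.password=example-trust
ssl.keystore.location=/opt/kafka/ssl/keystore.jks
ssl.keystore.password=example-store
ssl.key.password=example-key
""")
CLIENT = dict(SERVER, **{"security.protocol": "SSL", "enableSSLMessaging": "true",
                         "bootstrap.servers": "kafka.example.com:9093"})
print(check_client(CLIENT, SERVER) or "client properties are consistent")
```

Running the check before step 4 surfaces a mismatched password or a plaintext port without waiting for the application server restart to fail.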