Retrieving IBM Event Streams connection settings

When you install IBM Event Streams as your Apache Kafka provider, you need to be able to retrieve truststores, which you reuse later to configure Kafka security.

Retrieving connection settings for IBM Event Streams 2019.4.2 or earlier

When you install IBM Event Streams up to version 2019.4.2 as your Apache Kafka provider, the default configuration secures communications to the Kafka brokers with SSL and with authentication based on an API key.

About this task

After IBM Event Streams is installed, to configure it for IBM Business Automation Insights, you retrieve the Kafka bootstrap server URLs, download the Kafka server certificate and truststore for the SSL connection, and generate the connection API key. More detailed instructions are provided in the Securing the connection section of the IBM Event Streams documentation.

Procedure

  1. Log in to the IBM Event Streams user interface as instructed in the Logging in page of the IBM Event Streams documentation.
  2. Generate an API key.
    1. Click Connect to this cluster.

      The displayed URL is the bootstrap URL that you use later to configure security to Kafka. See, for example, Securing communications to Kafka.

    2. Choose an API key name, for example kafka_bai, and click Produce, consume and create topics.
    3. Authorize all topics and groups.
    4. Click Next, and then Generate API key.
    5. Note the external URL for accessing the cluster.
  3. Use the literal string token as the Kafka username parameter.
  4. Use the API key that you generated earlier in step 2 as the Kafka password value.

    For IBM Business Automation Insights, the Operator IBM Event Streams role (or higher) is required to read and write to Kafka topics.

  5. Download the PEM certificate file, which serves as the Kafka server certificate, and convert it to base64.
    • On Linux® or MacOS
      base64 <es-cert.pem>
    • On Windows
      certutil -encode <PEM certificate file name> <converted PEM certificate file name>
  6. Download the Java™ truststore in JKS format that contains the broker certificate, which you use later to configure event emitters.

    For more information about event emitter security, see Securing communications from event emitters to Kafka.

Retrieving connection settings for IBM Event Streams 10.0 or later (new in 20.0.2)

Procedure

  1. Log in to the IBM Event Streams user interface.
    • Username: admin
    • Password: Retrieve the actual password by running the following command.
      oc -n ibm-common-services get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 --decode
  2. Click Connect to this cluster.
    1. Download the root CA certificate in PEM format.
    2. Import this certificate to a truststore in JKS format.
      keytool -importcert -file <cert>.pem -keystore truststore.jks -storepass password -noprompt -alias caRoot
    3. Note the external URL for accessing the cluster.
  3. Generate the username and password that allow you to authenticate to this Event Streams cluster.
    Note: If you have previously defined an Event Streams KafkaUser with scram-sha-512 authentication type, you can reuse the username that it contains. The password is stored in the Kubernetes secret that is bound to this KafkaUser.
    1. Switch to Operators > Installed Operators.
    2. Select the Event Streams operator.
    3. Click the Kafka User tab.
    4. Create a new Event Streams object with kind KafkaUser.
      spec:
        authentication:
          # The generated password is stored in the secret that is bound to this KafkaUser
          type: scram-sha-512
        authorization:
          # host '*' and literal name '*' match every client host and every resource
          acls:
            - host: '*'
              operation: Read
              resource:
                name: '*'
                patternType: literal
                type: topic
            - host: '*'
              operation: Describe
              resource:
                name: '*'
                patternType: literal
                type: topic
            - host: '*'
              operation: Read
              resource:
                name: '*'
                patternType: literal
                type: group
            - host: '*'
              operation: Write
              resource:
                name: '*'
                patternType: literal
                type: topic
            - host: '*'
              operation: Create
              resource:
                name: '*'
                patternType: literal
                type: topic
            - host: '*'
              operation: Describe
              resource:
                name: '*'
                patternType: literal
                type: topic
            - host: '*'
              operation: Read
              resource:
                name: '__schema_'
                patternType: prefix
                type: topic
            - host: '*'
              operation: Alter
              resource:
                name: '__schema_'
                patternType: prefix
                type: topic
          type: simple
    5. Switch to the Resources tab, click the link to the corresponding secret, click the Reveal Value link, and then take note of the password.
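
The values collected in both procedures above (bootstrap URL, JKS truststore, and either the API key or the KafkaUser credentials) end up in a Kafka client configuration. The following shell function is an added example, not part of the IBM documentation: it writes that configuration as a properties file with owner-only permissions. The function name, environment variable names, and sample values are assumptions; the property names are standard Apache Kafka client settings.

```shell
#!/usr/bin/env bash
# Added example: names and sample values are constructed, not IBM's.
#
# Usage: write_kafka_client_properties MODE BOOTSTRAP TRUSTSTORE OUTFILE
#   MODE apikey: Event Streams 2019.4.2 or earlier (user "token" + API key)
#   MODE scram : Event Streams 10.0 or later (KafkaUser name + secret value)
# Secrets come from the environment (KAFKA_PASSWORD, TRUSTSTORE_PASSWORD) so
# they never appear in the process argument list.
# Example: KAFKA_USERNAME=bai-user KAFKA_PASSWORD=... TRUSTSTORE_PASSWORD=... \
#   write_kafka_client_properties scram host:443 truststore.jks client.properties
write_kafka_client_properties() (   # subshell body: umask and exit stay local
  mode=$1 bootstrap=$2 truststore=$3 outfile=$4

  case $mode in
    apikey)
      mechanism=PLAIN
      module=org.apache.kafka.common.security.plain.PlainLoginModule
      user=token ;;
    scram)
      mechanism=SCRAM-SHA-512
      module=org.apache.kafka.common.security.scram.ScramLoginModule
      user=${KAFKA_USERNAME:-} ;;
    *) echo "unknown mode: $mode" >&2; exit 2 ;;
  esac

  for required in "$bootstrap" "$truststore" "$outfile" "$user" \
                  "${KAFKA_PASSWORD:-}" "${TRUSTSTORE_PASSWORD:-}"; do
    [ -n "$required" ] || { echo "missing argument or variable" >&2; exit 2; }
  done

  # The JAAS line wraps values in double quotes; refuse characters that would
  # need escaping rather than emit a line the client parses differently.
  case $user$KAFKA_PASSWORD in
    *'"'*|*'\'*) echo "credential needs JAAS escaping" >&2; exit 2 ;;
  esac

  umask 077            # the file holds credentials: owner read/write only
  rm -f -- "$outfile"  # a pre-existing file would keep its old permissions
  cat > "$outfile" <<EOF
bootstrap.servers=$bootstrap
security.protocol=SASL_SSL
sasl.mechanism=$mechanism
sasl.jaas.config=$module required username="$user" password="$KAFKA_PASSWORD";
ssl.truststore.type=JKS
ssl.truststore.location=$truststore
ssl.truststore.password=$TRUSTSTORE_PASSWORD
EOF
)
```

The truststore password passed here must match the -storepass value that was used when the truststore was created.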