Use the mqsisetdbparms or mqsicredentials command to associate security credentials with a
connection to a Kafka cluster, and configure the Kafka nodes to authenticate by using the required
username and password.
Before you begin
Read the following topics:
About this task
Before you can connect to a Kafka cluster that requires authentication with a username and
password, you must use either the mqsisetdbparms or mqsicredentials command to configure the credentials that the KafkaConsumer, KafkaRead, and KafkaProducer nodes use to authenticate to the Kafka cluster.
To configure the Kafka nodes to authenticate using the username and password, you set the Security protocol property on the node to either SASL_PLAINTEXT or SASL_SSL.
If you are using the IBM Event Streams service on IBM Cloud, the Security protocol property on the Kafka node must be set to SASL_SSL. For more information about configuring the security credentials for connecting to Event Streams, see Using Kafka nodes with IBM Event Streams.
For more information about configuring Kafka nodes to authenticate by using Salted Challenge
Response Authentication Mechanism (SCRAM), see Authenticating connections to a Kafka cluster by using SASL/SCRAM.
Procedure
Follow these steps to configure a connection to a secured Kafka cluster:
- Use either the mqsisetdbparms or mqsicredentials command to associate a username and password with a connection to a Kafka cluster:
  - Configure security credentials by using the mqsisetdbparms command, specifying the required username (-u), password (-p), and resource name (-n). The resource name is in the form kafka:: followed by the name of the security identity that is specified on the Kafka node; for example, kafka::myKafkaSecId. Alternatively, you can use the default security identity by specifying a resource name of kafka::KAFKA or kafka::KAFKA::integrationServerName.
    The following example shows how to specify a username, password, and named Kafka security identity:
      mqsisetdbparms -w workDir -n kafka::myKafkaSecId -u myUsername -p myPassword
    The following example shows how to specify a username and password, and specifies that the default Kafka security identity for the integration server will be used:
      mqsisetdbparms -w workDir -n kafka::KAFKA::myIntegrationServer1 -u myUsername -p myPassword
    For more information, see mqsisetdbparms command.
  - Configure security credentials by using the mqsicredentials command, specifying the username (--username), password (--password), credential type (--credential-type), and credential name (--credential-name). Specify the credential type as kafka, and specify a credential name that matches the value of the Security identifier parameter that is specified in the node. Alternatively, you can use the default security identity that is specified by the --set-as-default parameter on the mqsicredentials command.
    The following example shows how to specify a username, password, and named Kafka security identity:
      mqsicredentials --create --work-dir workDir --credential-type kafka --credential-name myKafkaSecId --username myUsername --password myPassword
    The following example shows how to specify a username and password, and specifies that the default Kafka security identity for the integration server will be used:
      mqsicredentials --create --work-dir workDir --credential-type kafka --credential-name myKafkaSecId --username myUsername --password myPassword
      mqsicredentials --set-as-default --work-dir workDir --credential-type kafka --credential-name myKafkaSecId
    For more information, see mqsicredentials command.
- In your message flow, set the following properties on the KafkaConsumer, KafkaRead, and KafkaProducer nodes:
  - Set the Security protocol property to either SASL_PLAINTEXT or SASL_SSL. If you are using the Event Streams service on IBM Cloud, the Security protocol property must be set to SASL_SSL.
  - If either SSL or SASL_SSL is specified by the Security protocol property, you must also specify the SSL protocol to be used. You can select one of the following values from the supplied list, or you can specify an alternative value:
    - TLSv1
    - TLSv1.1
    - TLSv1.2
    - TLSv1.3
  - In the Security identifier property, specify the name of the security credential that you created in step 1. Alternatively, if you configured a default security identity in step 1 (for example, myKafkaSecId), you can leave the Security identifier property empty and the default security identity is used.
For more information about the Kafka nodes, see the following topics:
For more information about how to diagnose connection problems between IBM App Connect Enterprise and Kafka, see Resolving problems when using Kafka nodes.
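The two steps above can be checked from a script before a flow is deployed. The following is an added example, not part of the IBM documentation or product; the function names kafka_resource_name, check_kafka_node and store_kafka_credential, and the eventstreams argument, are assumptions made for this illustration. It builds the resource name in the three forms shown in step 1, checks the step 2 node settings, and flags TLSv1 and TLSv1.1, which RFC 8996 deprecates.

```shell
# Added example, not IBM code. Function names and the "eventstreams"
# argument are hypothetical.

# Build the mqsisetdbparms resource name (-n) in the forms this page lists:
#   kafka::<securityId> | kafka::KAFKA::<integrationServerName> | kafka::KAFKA
kafka_resource_name() {
    sec_id=$1; server=$2
    if [ -n "$sec_id" ]; then
        printf 'kafka::%s\n' "$sec_id"
    elif [ -n "$server" ]; then
        printf 'kafka::KAFKA::%s\n' "$server"
    else
        printf 'kafka::KAFKA\n'
    fi
}

# Check the node properties from step 2 before deploying a flow.
# $1 = Security protocol, $2 = SSL protocol, $3 = "eventstreams" when the
# target is Event Streams on IBM Cloud. Prints a verdict; returns 1 on error.
check_kafka_node() {
    proto=$1; tls=$2; target=$3
    case $proto in
        SASL_SSL)
            if [ -z "$tls" ]; then
                echo "ERROR: SASL_SSL also needs an SSL protocol value"; return 1
            fi
            case $tls in
                TLSv1|TLSv1.1) echo "WARN: $tls is deprecated (RFC 8996)" ;;
                *) echo "OK" ;;
            esac ;;
        SASL_PLAINTEXT)
            if [ "$target" = eventstreams ]; then
                echo "ERROR: Event Streams requires SASL_SSL"; return 1
            fi
            echo "WARN: SASL_PLAINTEXT does not encrypt the connection" ;;
        *)
            echo "ERROR: '$proto' is not a SASL username/password protocol"
            return 1 ;;
    esac
}

# Step 1 with the password read at a prompt, so it stays out of shell history.
# It is still passed with -p as on this page, so it is visible in the process
# list while mqsisetdbparms runs.
store_kafka_credential() {
    work_dir=$1; user=$2; sec_id=$3; server=$4
    printf 'Kafka password for %s: ' "$user" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    mqsisetdbparms -w "$work_dir" -n "$(kafka_resource_name "$sec_id" "$server")" -u "$user" -p "$pw"
}
```

Source the file and call, for example, check_kafka_node SASL_SSL TLSv1.2 eventstreams, then store_kafka_credential workDir myUsername myKafkaSecId from a terminal.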
What to do next
You can use the mqsicredentials command or the mqsireportdbparms command to show
information about the credentials that are being used for connecting to a Kafka cluster.