Configuring security credentials for connecting to Kafka

Use the mqsisetdbparms or mqsicredentials command to associate security credentials with a connection to a Kafka cluster, and configure the Kafka nodes to authenticate by using the required username and password.

Before you begin

Read the following topics:

About this task

Before you can connect to a Kafka cluster that requires authentication with a username and password, you must use either the mqsisetdbparms or mqsicredentials command to configure the credentials that the KafkaConsumer, KafkaRead, and KafkaProducer nodes use to authenticate to the Kafka cluster.

To configure the Kafka nodes to authenticate using the username and password, you set the Security protocol property on the node to either SASL_PLAINTEXT or SASL_SSL.

If you are using the IBM Event Streams service on IBM Cloud, the Security protocol property on the Kafka node must be set to SASL_SSL. For more information about configuring the security credentials for connecting to Event Streams, see Using Kafka nodes with IBM Event Streams.

For more information about configuring Kafka nodes to authenticate by using Salted Challenge Response Authentication Mechanism (SCRAM), see Authenticating connections to a Kafka cluster by using SASL/SCRAM.

Procedure

Follow these steps to configure a connection to a secured Kafka cluster:

  1. Use either the mqsisetdbparms or mqsicredentials command to associate a username and password with a connection to a Kafka cluster:
    • Configure security credentials by using the mqsisetdbparms command, specifying the required username (-u), password (-p), and resource name (-n). The resource name is in the form kafka:: followed by the name of the security identity that is specified on the Kafka node; for example, kafka::myKafkaSecId. Alternatively, you can use the default security identity by specifying a resource name of kafka::KAFKA or kafka::KAFKA::integrationServerName.
      The following example shows how to specify a username, password, and named Kafka security identity:
      mqsisetdbparms -w workDir -n kafka::myKafkaSecId -u myUsername -p myPassword
      The following example shows how to specify a username and password, and specifies that the default Kafka security identity for the integration server will be used:
      mqsisetdbparms -w workDir -n kafka::KAFKA::myIntegrationServer1 -u myUsername -p myPassword

      For more information, see mqsisetdbparms command.

    • Configure security credentials by using the mqsicredentials command, specifying the username (--username), password (--password), credential type (--credential-type), and credential name (--credential-name). Specify the credential type as kafka, and specify a credential name that matches the value of the Security identifier parameter that is specified in the node. Alternatively, you can use the default security identity that is specified by the --set-as-default parameter on the mqsicredentials command.
      The following example shows how to specify a username, password, and named Kafka security identity:
      mqsicredentials --create --work-dir workDir --credential-type kafka --credential-name myKafkaSecId --username myUsername --password myPassword
      The following example shows how to specify a username and password, and specifies that the default Kafka security identity for the integration server will be used:
      mqsicredentials --create --work-dir workDir --credential-type kafka --credential-name myKafkaSecId --username myUsername --password myPassword
      mqsicredentials --set-as-default --work-dir workDir --credential-type kafka --credential-name myKafkaSecId

      For more information, see mqsicredentials command.

  2. In your message flow, set the following properties on the KafkaConsumer, KafkaRead, and KafkaProducer nodes:
    1. Set the Security protocol property to either SASL_PLAINTEXT or SASL_SSL.
      If you are using the Event Streams service on IBM Cloud, the Security protocol property must be set to SASL_SSL.
    2. If either SSL or SASL_SSL is specified by the Security protocol property, you must also specify the SSL protocol to be used.
      You can select one of the following values from the supplied list, or you can specify an alternative value:
      • TLSv1
      • TLSv1.1
      • TLSv1.2
      • TLSv1.3
    3. In the Security identifier property, specify the name of the security credential that you created in step 1. Alternatively, if you configured a default security identity in step 1 (for example, myKafkaSecId), you can leave the Security identifier property empty and the default security identity is used.
    For more information about the Kafka nodes, see the following topics:

    For more information about how to diagnose connection problems between IBM App Connect Enterprise and Kafka, see Resolving problems when using Kafka nodes.
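
The following added example is not part of the IBM documentation: a POSIX shell lint that checks a step 1 command line from a provisioning script and the step 2 node settings before deployment. The function names, finding names, and the KAFKA_PW variable are assumptions made for illustration; the flags and property values are the ones shown in this procedure.

```shell
# Added example, not IBM code. Only flags and values shown on this page are used.

# flag_value FLAG ARGS... -> print the argument that follows FLAG.
flag_value() {
    want=$1; shift
    while [ $# -gt 1 ]; do
        if [ "$1" = "$want" ]; then printf '%s' "$2"; return 0; fi
        shift
    done
    return 1
}

# literal_secret VALUE -> true when VALUE is typed in rather than a $VAR reference.
literal_secret() {
    case $1 in ''|'$'*|'"$'*) return 1 ;; *) return 0 ;; esac
}

# audit_line 'COMMAND LINE' -> print findings for a step 1 command, or "ok".
audit_line() {
    set -f; set -- $1; set +f    # split into words without filename expansion
    out=""; pass=""
    case ${1:-} in
    mqsisetdbparms)
        name=$(flag_value -n "$@") || name=""
        pass=$(flag_value -p "$@") || pass=""
        case $name in kafka::?*) ;; *) out="$out bad-resource-name" ;; esac ;;
    mqsicredentials)
        ctype=$(flag_value --credential-type "$@") || ctype=""
        name=$(flag_value --credential-name "$@") || name=""
        pass=$(flag_value --password "$@") || pass=""
        [ "$ctype" = kafka ] || out="$out credential-type-not-kafka"
        [ -n "$name" ] || out="$out missing-credential-name" ;;
    *)  echo not-a-credential-command; return 0 ;;
    esac
    if literal_secret "$pass"; then out="$out literal-password"; fi
    out=${out# }; echo "${out:-ok}"
}

# check_node SECURITY_PROTOCOL [SSL_PROTOCOL] -> findings for the step 2 properties.
check_node() {
    out=""   # SASL_PLAINTEXT runs the SASL exchange over a connection without TLS
    case $1 in SASL_SSL) ;; SASL_PLAINTEXT) out="$out no-tls" ;; *) out="$out not-sasl" ;; esac
    case ${2:-} in TLSv1|TLSv1.1) out="$out deprecated-tls" ;; esac  # RFC 8996
    out=${out# }; echo "${out:-ok}"
}

# Constructed sample input; the first line is this page's own mqsisetdbparms example.
audit_line 'mqsisetdbparms -w workDir -n kafka::myKafkaSecId -u myUsername -p myPassword'
check_node SASL_PLAINTEXT TLSv1.1
```

The literal-password finding covers only a password stored in the script text; a value supplied through a variable is accepted by this check.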

What to do next

You can use the mqsicredentials command or the mqsireportdbparms command to show information about the credentials that are being used for connecting to a Kafka cluster.