Configuring Kafka connections

Configure a Kafka client to connect to your secure instance of IBM® Cloud Pak for Network Automation Orchestration Manager. To access the secure Kafka endpoint, you need the certificate for the SSL connection and a username and password for authentication.

Complete the following steps to configure your Kafka connection:
Get the connection details
  1. Get the hostname for the Kafka route:
    oc get routes cp4na-o-events-kafka-bootstrap -o jsonpath='{.spec.host}' -n <cp4na_namespace>
    where <cp4na_namespace> is the namespace in which the orchestration component is deployed.
  2. Get the self-signed certificate for the Kafka route. Depending on your connection method, you might need this information, for example, to import into a Java™ keystore. Run the following command:
    openssl s_client -connect <host>:443 -servername <host>
    where <host> is the hostname that you retrieved in the previous step.
  3. Copy the output, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, to a file, for example, ca.crt.
    See the following example snippet of the ca.crt file contents:
    -----BEGIN CERTIFICATE-----
    MIIDUzCCAjugAwIBAgIUfl09B9lxkCNUGrFfgLH7B2BufvowDQYJKoZIhvcNAQEL
    BQAwKDEmMCQGA1UEAxMdVE5DTy1JbnRlcm5hbC1JbnRlcm1lZGlhdGUtQ0EwHhcN
    .....
    kWLLXW45JlIUDashCUug7GdzsSGWlQbbhdCSrdy+2elaDRqY6I72R2LWV1ZnSoDZ
    SZHl3Ic/3B0jnXE2AW4JI+ru/qL7+dWyZy/lMaVEmoaXy2WIOtuR
    -----END CERTIFICATE-----
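Steps 2 and 3 can be scripted so that the certificate block is not copied by hand and a truncated copy is detected. This is an added example, not part of the product documentation; the helper names extract_cert and fetch_route_cert are hypothetical.

```shell
#!/bin/sh
# Added example (not from the product documentation): script steps 2 and 3.
# extract_cert and fetch_route_cert are hypothetical helper names.

# extract_cert [N]: read `openssl s_client` output on stdin and print the Nth
# PEM certificate block (default 1, the certificate the server presents first).
# Leading/trailing whitespace from a terminal copy is stripped. Returns
# non-zero if block N is missing or truncated (no END line), so a partial
# copy never ends up in ca.crt unnoticed.
extract_cert() {
  awk -v want="${1:-1}" '
    /^[ \t\r]*-----BEGIN CERTIFICATE-----[ \t\r]*$/ { n++; inside = 1; buf = "" }
    inside {
      line = $0
      gsub(/^[ \t\r]+|[ \t\r]+$/, "", line)
      buf = buf line "\n"
    }
    /^[ \t\r]*-----END CERTIFICATE-----[ \t\r]*$/ {
      if (inside && n == want) { printf "%s", buf; found = 1; exit }
      inside = 0
    }
    END { exit !found }
  '
}

# fetch_route_cert HOST: run the s_client command from step 2 against the
# route host name and keep only the first certificate. </dev/null makes
# s_client exit after the handshake instead of waiting for input.
fetch_route_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    extract_cert 1
}

# Usage, with the host name from step 1:
#   fetch_route_cert "$host" > ca.crt || echo "no complete certificate received" >&2
```

Because s_client saves whatever certificate the endpoint presents, review the file with `openssl x509 -in ca.crt -noout -subject -issuer -enddate -fingerprint -sha256` and compare the fingerprint with a value obtained from the cluster administrator before importing it into a truststore.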
Get the credentials
  1. Get the password from the Kafka secret. The Kafka secret has the same name as the Kafka user, cp4na-o-kafka-user. Run the following command:
    oc get secret cp4na-o-kafka-user -o jsonpath='{.data.password}' -n <cp4na_namespace> | base64 -d
  2. For Java clients that use the sasl.jaas.config property for authentication, run the following command to get the value for the property:
    oc get secret cp4na-o-kafka-user -o jsonpath='{.data.sasl\.jaas\.config}' -n <cp4na_namespace> | base64 -d
Configure your Kafka client
The configuration varies depending on the Kafka client. The following example configuration is valid for the command-line tools from Apache Kafka:
  1. Add the following configuration to the client's client.properties file:
    security.protocol=SASL_SSL
    sasl.mechanism=SCRAM-SHA-512
    sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="cp4na-o-kafka-user" password="<kafka user password>";
    ssl.truststore.location=truststore.jks
    ssl.truststore.password=<truststore_password>
    where:
    • <kafka user password> is the Kafka user password that you retrieved from the Kafka secret.
    • <truststore_password> is the password for the Java keystore.
  2. Import the certificate for the Kafka route into a Java keystore. For example, the following command imports the certificate into a keystore called truststore.jks:
    keytool -import -trustcacerts -alias root -file ca.crt -keystore truststore.jks -storepass <truststore_password> -noprompt
  3. Verify that the connection is configured correctly. Run the following command to get a list of all Kafka topics:
    kafka-topics.sh --list --bootstrap-server <host>:443 --command-config client.properties
    where <host> is the hostname for the Kafka route.