Configuring Kafka connections
Configure a Kafka client to connect to your secure instance of IBM® Cloud Pak for Network Automation Orchestration Manager. To access the secure Kafka endpoint, you need the certificate for the SSL connection and a username and password for authentication.
Complete the following steps to configure your Kafka connection:
- Get the connection details
  - Get the hostname for the Kafka route:
        oc get routes cp4na-o-events-kafka-bootstrap -o jsonpath='{.spec.host}' -n <cp4na_namespace>
    where <cp4na_namespace> is the namespace in which the orchestration component is deployed.
  - Get the self-signed certificate for the Kafka route. Depending on your connection method, you might need this information, for example, to import into a Java™ keystore. Run the following command:
        openssl s_client -connect <host>:443 -servername <host>
    where <host> is the hostname that you retrieved in the previous step.
  - Copy the output, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, to a file, for example, ca.crt. See the following example snippet of the ca.crt file contents:
        -----BEGIN CERTIFICATE-----
        MIIDUzCCAjugAwIBAgIUfl09B9lxkCNUGrFfgLH7B2BufvowDQYJKoZIhvcNAQEL
        BQAwKDEmMCQGA1UEAxMdVE5DTy1JbnRlcm5hbC1JbnRlcm1lZGlhdGUtQ0EwHhcN
        .....
        kWLLXW45JlIUDashCUug7GdzsSGWlQbbhdCSrdy+2elaDRqY6I72R2LWV1ZnSoDZ
        SZHl3Ic/3B0jnXE2AW4JI+ru/qL7+dWyZy/lMaVEmoaXy2WIOtuR
        -----END CERTIFICATE-----
- Get the credentials
  - Get the password from the Kafka secret. The Kafka secret has the same name as the Kafka user, cp4na-o-kafka-user. Run the following command:
        oc get secret cp4na-o-kafka-user -o jsonpath='{.data.password}' -n <cp4na_namespace> | base64 -d
  - For Java clients that use the sasl.jaas.config property for authentication, run the following command to get the value for the property:
        oc get secret cp4na-o-kafka-user -o jsonpath='{.data.sasl\.jaas\.config}' -n <cp4na_namespace> | base64 -d
- Configure your Kafka client
  The configuration varies depending on the Kafka client. The following example configuration is valid for the command-line tools from Apache Kafka:
  - Add the following configuration to the client's client.properties file:
        security.protocol=SASL_SSL
        sasl.mechanism=SCRAM-SHA-512
        sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="cp4na-o-kafka-user" password="<kafka user password>";
        ssl.truststore.location=truststore.jks
        ssl.truststore.password=<truststore_password>
    where:
    - <kafka user password> is the Kafka password.
    - <truststore_password> is the password for the Java keystore.
  - Import the certificate for the Kafka route into a Java keystore. For example, the following command imports the certificate into a keystore called truststore.jks:
        keytool -import -trustcacerts -alias root -file ca.crt -keystore truststore.jks -storepass <truststore_password> -noprompt
  - Verify that the connection is configured correctly. Run the following command to get a list of all Kafka topics:
        kafka-topics.sh --list --bootstrap-server <host>:443 --command-config client.properties
    where <host> is the hostname for the Kafka route.
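The steps above collected into one script, as an added example that is not part of IBM's documentation. The script name and the TRUSTSTORE_PASSWORD environment variable are assumptions; the script also goes beyond the page by writing client.properties with owner-only permissions, printing the certificate's SHA-256 fingerprint for comparison before import, and passing the truststore password to keytool through -storepass:env.

```shell
#!/bin/sh
# Added example, not IBM's script.
# Usage (assumed names): TRUSTSTORE_PASSWORD=... ./kafka-client-setup.sh <cp4na_namespace>

# Keep only the PEM block from `openssl s_client` output read on stdin.
extract_pem() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Write client.properties so that only the owner can read it: it holds the Kafka password.
# $1 = output file, $2 = sasl.jaas.config value from the secret, $3 = truststore password
write_client_properties() {
  rm -f -- "$1"   # umask only applies to newly created files
  ( umask 077 && cat > "$1" <<EOF
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=$2
ssl.truststore.location=truststore.jks
ssl.truststore.password=$3
EOF
  )
}

main() {
  ns=$1
  : "${TRUSTSTORE_PASSWORD:?export TRUSTSTORE_PASSWORD before running}"
  export TRUSTSTORE_PASSWORD
  host=$(oc get routes cp4na-o-events-kafka-bootstrap -o jsonpath='{.spec.host}' -n "$ns") || return 1
  # </dev/null ends the s_client session after the handshake instead of waiting for input.
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null | extract_pem > ca.crt
  # The certificate came from an unauthenticated handshake: show its fingerprint so it
  # can be compared with a value obtained from a trusted source before it is imported.
  openssl x509 -in ca.crt -noout -subject -fingerprint -sha256 || return 1
  jaas=$(oc get secret cp4na-o-kafka-user -o jsonpath='{.data.sasl\.jaas\.config}' -n "$ns" | base64 -d) || return 1
  write_client_properties client.properties "$jaas" "$TRUSTSTORE_PASSWORD" || return 1
  # -storepass:env keeps the truststore password out of the process list.
  keytool -import -trustcacerts -alias root -file ca.crt -keystore truststore.jks \
    -storepass:env TRUSTSTORE_PASSWORD -noprompt || return 1
  kafka-topics.sh --list --bootstrap-server "$host:443" --command-config client.properties
}

if [ "$#" -eq 1 ]; then main "$@"; fi
```

Stop after the fingerprint is printed if it does not match the value you expect for the route; a mismatched certificate imported into truststore.jks would be trusted by every client that uses that keystore.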