Manually set up to connect to Kafka broker

Manually set up the authentication config file on Scale so that Scale can connect to the Kafka broker that is deployed by the IBM Fusion CAS service. You must do this setup once for every IBM Fusion cluster, and it covers all the data sources. The procedure requires a Scale admin to run commands that extract the keys and certificates needed to access the Kafka that CAS deploys. Because these steps extract the CA certificate, you must repeat them whenever you rotate the certificate.

Procedure

  1. Run the following command to change to the CAS project or namespace:
    oc project ibm-cas
  2. Run the following extract commands to get the secrets.
    oc extract secret/kafka-cluster-ca-cert --keys=ca.crt --to=- > cluster_ca.crt
    oc extract secret/cas-user --keys=user.crt --to=- > user.crt
    oc extract secret/cas-user --keys=user.key --to=- > user.key
  3. Use the OpenSSL tool to convert the X.509 certificate file (user.crt) to Privacy Enhanced Mail (PEM) format and save the result to a new file (user.pem).
    openssl x509 -in user.crt -out user.pem -outform PEM
  4. Run the following command to get the password to use for the CLIENT_KEY_FILE_PASSWORD field.
    oc extract secret/cas-user --keys=user.password --to=-
  5. Create a config file with the following fields, and in the path values specify the Scale directory where you want to save the keys and certificates. The CLIENT_KEY_FILE_PASSWORD value is the password that you obtained in step 4; the value shown here is an example.
    In this example, the cas.watch.config file is created within the /var/cas/ directory.
    vi cas.watch.config
    SINK_AUTH_TYPE:CERT
    CA_CERT_LOCATION:/var/cas/cluster_ca.crt
    CLIENT_KEY_FILE_LOCATION:/var/cas/user.key
    CLIENT_PEM_CERT_LOCATION:/var/cas/user.pem
    CLIENT_KEY_FILE_PASSWORD:imr2GAkcOvC3MKvKptYLLxsmKqo9PpZj
  6. On each node of your Scale cluster, copy the following files to the local Scale directory that you specified in the config file. In this example, it is /var/cas/.
    • cluster_ca.crt
    • user.crt
    • user.key
    • user.pem
    • cas.watch.config
  7. As a Scale administrator, update the ConfigMap operator-config in the ibm-cas namespace to specify this authentication configuration file:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: operator-config
      namespace: ibm-cas
    data:
      KAFKA_AUTHEN: /var/cas/cas.watch.config

    If you want to create the config map from the OpenShift® Container Platform console, go to Workload > Configmap > Create ConfigMap.

  8. Restart the ibm-isf-cas-operator-controller-manager-XXX pod.
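The following script is an added example, not an IBM script, that automates steps 2 through 5 above and adds the checks an administrator would want before trusting the extracted material: that the client certificate chains to the cluster CA, that the private key belongs to that certificate, and that the config file (which holds the key password) is written with 0600 permissions. It assumes that oc is already logged in to the cluster, that openssl is installed, and that CAS_DIR is the local Scale directory chosen for the keys (defaulting to /var/cas); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not IBM's code): extract, verify and write the CAS Kafka
# client credentials used by cas.watch.config. Assumes oc is logged in,
# openssl is installed, and CAS_DIR is the local Scale directory (step 5).
set -eu

CAS_DIR="${CAS_DIR:-/var/cas}"

# Steps 2 to 4: pull the cluster CA, client cert, client key and key password
# from the secrets in the ibm-cas namespace. The key is private, so chmod it.
extract_cas_secrets() {
  dir="$1"
  oc -n ibm-cas extract secret/kafka-cluster-ca-cert --keys=ca.crt --to=- > "$dir/cluster_ca.crt"
  oc -n ibm-cas extract secret/cas-user --keys=user.crt --to=- > "$dir/user.crt"
  oc -n ibm-cas extract secret/cas-user --keys=user.key --to=- > "$dir/user.key"
  oc -n ibm-cas extract secret/cas-user --keys=user.password --to=- > "$dir/user.password"
  chmod 600 "$dir/user.key" "$dir/user.password"
  openssl x509 -in "$dir/user.crt" -out "$dir/user.pem" -outform PEM   # step 3
}

# Checks before use: user.pem must verify against cluster_ca.crt, and the
# public key inside user.pem must equal the public key derived from user.key.
verify_cas_certs() {
  dir="$1"; pass="$2"
  openssl verify -CAfile "$dir/cluster_ca.crt" "$dir/user.pem" > /dev/null
  cert_pub=$(openssl x509 -in "$dir/user.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/user.key" -passin "pass:$pass" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 5: write cas.watch.config with the page's five fields; it contains the
# key password, so restrict it to the owner. Prints the config path.
write_cas_watch_config() {
  dir="$1"; pass="$2"; cfg="$1/cas.watch.config"
  printf '%s\n' \
    "SINK_AUTH_TYPE:CERT" \
    "CA_CERT_LOCATION:$dir/cluster_ca.crt" \
    "CLIENT_KEY_FILE_LOCATION:$dir/user.key" \
    "CLIENT_PEM_CERT_LOCATION:$dir/user.pem" \
    "CLIENT_KEY_FILE_PASSWORD:$pass" > "$cfg"
  chmod 600 "$cfg"
  echo "$cfg"
}

main() {
  mkdir -p "$CAS_DIR"
  extract_cas_secrets "$CAS_DIR"
  pass=$(cat "$CAS_DIR/user.password")
  verify_cas_certs "$CAS_DIR" "$pass"
  write_cas_watch_config "$CAS_DIR" "$pass"
}

# Only run the full flow when invoked with --run, e.g. sh cas_setup.sh --run
[ "${1:-}" = "--run" ] && main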