Configuring SSL/TLS encryption
Configure SSL/TLS to encrypt data in transit between clients and Kafka brokers.
Configuration parameters for SSL connection and server authentication
Set the following configuration parameters for SSL connection and server authentication:
security.protocol = SSL
ssl.ca.location = /path/to/ca-cert
ssl.certificate.location = /path/to/client-cert
ssl.key.location = /path/to/client-key
ssl.key.password = client-key-password
For the COBOL samples that read Kafka configuration from a configuration file, edit the PDSE
<KAFKA_INSTALL_HLQ>.SIXYCFG(CONSCONF) or
<KAFKA_INSTALL_HLQ>.SIXYCFG(PRDSCONF) to include these
configuration parameters. For more information on these configuration parameters, see Configuring global configuration properties.
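A pre-flight check for these settings, as an added example (not IBM's or the product's code): it reads name = value lines in the layout shown above and returns a non-zero bitmask unless TLS is requested and the CA, certificate and key paths are all set. The function name check_ssl_config, the bitmask layout and the rule that a later line overrides an earlier one are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Path properties from the listing above; ssl.key.password is not checked
   because it is only needed when the key file is passphrase-protected. */
static const char *REQUIRED[] = {
    "ssl.ca.location", "ssl.certificate.location", "ssl.key.location"
};

/* Trim surrounding whitespace in place and return the new start. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) end--;
    *end = '\0';
    return s;
}

/* Hypothetical helper: 0 means TLS is requested and all three paths are set.
   Otherwise a bitmask: bit 0 = security.protocol is not ssl, bits 1..3 =
   REQUIRED[0..2] missing or empty. Assumes a later line overrides an earlier. */
int check_ssl_config(const char *text) {
    int problems = 0x0F;                   /* nothing is proven until seen */
    char buf[4096];
    if (strlen(text) >= sizeof buf) return problems; /* too long: fail closed */
    strcpy(buf, text);
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        char *eq = strchr(line, '=');
        if (!eq) continue;                 /* not a name = value line */
        *eq = '\0';
        char *name = trim(line), *value = trim(eq + 1);
        if (strcmp(name, "security.protocol") == 0) {
            for (char *p = value; *p; p++) *p = (char)tolower((unsigned char)*p);
            problems = strcmp(value, "ssl") == 0 ? (problems & ~1) : (problems | 1);
        }
        for (int i = 0; i < 3; i++)
            if (strcmp(name, REQUIRED[i]) == 0)
                problems = *value ? (problems & ~(2 << i)) : (problems | (2 << i));
    }
    return problems;
}

int main(void) {
    /* Constructed sample: CA path set, protocol line missing. */
    const char *sample = "ssl.ca.location = /path/to/ca-cert\n";
    printf("problems = 0x%X\n", (unsigned)check_ssl_config(sample));
    return 0;
}
```

A non-zero result before the client starts means the connection would not be set up with the SSL settings this section describes.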
C/C++ programs
A C/C++ code snippet to configure SSL is provided as
follows:
char errstr[512]; /* receives the error text if a property cannot be set */
rd_kafka_conf_t *conf = rd_kafka_conf_new();
/* Each call returns RD_KAFKA_CONF_OK on success; on any other result errstr holds the reason. */
rd_kafka_conf_set(conf, "security.protocol", "ssl", errstr, sizeof(errstr));
rd_kafka_conf_set(conf, "ssl.ca.location", "/path/to/ca-cert", errstr, sizeof(errstr));
rd_kafka_conf_set(conf, "ssl.certificate.location", "/path/to/client-cert", errstr, sizeof(errstr));
rd_kafka_conf_set(conf, "ssl.key.location", "/path/to/client-key", errstr, sizeof(errstr));
rd_kafka_conf_set(conf, "ssl.key.password", "client-key-password", errstr, sizeof(errstr));
COBOL programs
A COBOL code snippet to configure SSL/TLS is provided as follows. Define the
configuration parameters in the WORKING-STORAGE section. Adjust the lengths of all the PROP-NAME and
PROP-VALUE variables to the exact lengths of the values passed. End all the PROP-NAME and PROP-VALUE
values with a null terminator X'00'.
       01 CONFIG-DATA OCCURS 6 TIMES.
           10 CONFIG-NAME PIC X(1024).
           10 CONFIG-VALUE PIC X(1024).
       01 KAFKA-HOST-E.
           05 PROP-NAME.
               10 FILLER PIC X(17) VALUE 'bootstrap.servers'.
               10 FILLER PIC X(01) VALUE X'00'.
           05 PROP-VAL.
               10 FILLER PIC X(25) VALUE
                   'Kafka broker endpoint url'.
               10 FILLER PIC X(01) VALUE X'00'.
       01 SEC-PROTOCOL-E.
           05 PROP-NAME.
               10 FILLER PIC X(17) VALUE 'security.protocol'.
               10 FILLER PIC X(01) VALUE X'00'.
           05 PROP-VAL.
               10 FILLER PIC X(03) VALUE 'SSL'.
               10 FILLER PIC X(01) VALUE X'00'.
       01 SSL-CA-LOC-E.
           05 PROP-NAME.
               10 FILLER PIC X(15) VALUE 'ssl.ca.location'.
               10 FILLER PIC X(01) VALUE X'00'.
           05 PROP-VAL.
               10 FILLER PIC X(16) VALUE "/path/to/ca-cert".
               10 FILLER PIC X(01) VALUE X'00'.
       01 SSL-CERT-LOC-E.
           05 PROP-NAME.
               10 FILLER PIC X(24)
                   VALUE 'ssl.certificate.location'.
               10 FILLER PIC X(01) VALUE X'00'.
           05 PROP-VAL.
               10 FILLER PIC X(20) VALUE "/path/to/client-cert".
               10 FILLER PIC X(01) VALUE X'00'.
       01 SSL-KEY-LOC-E.
           05 PROP-NAME.
               10 FILLER PIC X(16) VALUE 'ssl.key.location'.
               10 FILLER PIC X(01) VALUE X'00'.
           05 PROP-VAL.
               10 FILLER PIC X(19) VALUE "/path/to/client-key".
               10 FILLER PIC X(01) VALUE X'00'.
       01 SSL-KEY-PASS-E.
           05 PROP-NAME.
               10 FILLER PIC X(16) VALUE 'ssl.key.password'.
               10 FILLER PIC X(01) VALUE X'00'.
           05 PROP-VAL.
               10 FILLER PIC X(19) VALUE "client-key-password".
               10 FILLER PIC X(01) VALUE X'00'.
       01 WS-CNT PIC 9(02) BINARY VALUE 1.
      * Input values for Producer program
       01 PRODUCER-INPUT.
           COPY IXYPRDSI.
Move all the PROP-NAME and PROP-VALUE variables into the CONFIG-DATA array for ease of
processing:
           MOVE PROP-NAME OF KAFKA-HOST-E TO CONFIG-NAME(1)
           MOVE PROP-VAL OF KAFKA-HOST-E TO CONFIG-VALUE(1)
           MOVE PROP-NAME OF SEC-PROTOCOL-E TO CONFIG-NAME(2)
           MOVE PROP-VAL OF SEC-PROTOCOL-E TO CONFIG-VALUE(2)
           MOVE PROP-NAME OF SSL-CA-LOC-E TO CONFIG-NAME(3)
           MOVE PROP-VAL OF SSL-CA-LOC-E TO CONFIG-VALUE(3)
           MOVE PROP-NAME OF SSL-CERT-LOC-E TO CONFIG-NAME(4)
           MOVE PROP-VAL OF SSL-CERT-LOC-E TO CONFIG-VALUE(4)
           MOVE PROP-NAME OF SSL-KEY-LOC-E TO CONFIG-NAME(5)
           MOVE PROP-VAL OF SSL-KEY-LOC-E TO CONFIG-VALUE(5)
           MOVE PROP-NAME OF SSL-KEY-PASS-E TO CONFIG-NAME(6)
           MOVE PROP-VAL OF SSL-KEY-PASS-E TO CONFIG-VALUE(6)
Create a new Kafka configuration by using the IXY-KAFKA-CONF-NEW
function. Process the CONFIG-DATA array to set the configuration by using the IXY-KAFKA-CONF-SET function. You must convert the values from EBCDIC to ASCII before
you set the configuration. In the following snippet, the sample function EBCDIC-ASCII-CONV that is provided with the product is used for the conversion. The
variables used in the IXY-KAFKA-CONF-NEW and IXY-KAFKA-CONF-SET functions are available in the copybook IXYCOPY, which is provided
with the product. Include the copybook IXYCOPY in your program to use these
variables.
      * Create KAFKA CONF pointer
           SET KAFKA-CONF-REF OF KAFKA-CONF-NEW-OUT
               TO FUNCTION IXY-KAFKA-CONF-NEW
           DISPLAY "KAFKA-CONF-REF "
               KAFKA-CONF-REF OF KAFKA-CONF-NEW-OUT
      * Create KAFKA SET Configuration
           SET KAFKA-CONF-REF OF KAFKA-CONF-SET-IN
               TO KAFKA-CONF-REF OF KAFKA-CONF-NEW-OUT
      * Set all the Configuration properties
           PERFORM UNTIL WS-CNT > 6
      * Convert Config name to ASCII
               SET EBCDIC-DATA-PTR-31 OF EBCDIC-ASCII-CONV-IN
                   TO ADDRESS OF CONFIG-NAME(WS-CNT)
               MOVE FUNCTION EBCDIC-ASCII-CONV(
                   EBCDIC-DATA-PTR OF EBCDIC-ASCII-CONV-IN
                   ) TO
                   ASCII-DATA-PTR OF EBCDIC-ASCII-CONV-OUT
               SET ADDRESS OF DATA-TEMP
                   TO ASCII-DATA-PTR-31 OF EBCDIC-ASCII-CONV-OUT
               MOVE DATA-TEMP TO HOST-TEMP
               SET PROP-NAME OF KAFKA-CONF-SET-IN
                   TO ADDRESS OF HOST-TEMP
      * Convert Config value to ASCII
               SET EBCDIC-DATA-PTR-31 OF EBCDIC-ASCII-CONV-IN
                   TO ADDRESS OF CONFIG-VALUE(WS-CNT)
               MOVE FUNCTION EBCDIC-ASCII-CONV(
                   EBCDIC-DATA-PTR OF EBCDIC-ASCII-CONV-IN
                   ) TO
                   ASCII-DATA-PTR OF EBCDIC-ASCII-CONV-OUT
               SET ADDRESS OF DATA-TEMP
                   TO ASCII-DATA-PTR-31 OF EBCDIC-ASCII-CONV-OUT
               MOVE DATA-TEMP TO VALUE-TEMP
               SET PROP-VALUE OF KAFKA-CONF-SET-IN
                   TO ADDRESS OF VALUE-TEMP
               INITIALIZE ERR-STR
               MOVE ERR-LEN TO ERRSTR-SIZE OF KAFKA-CONF-SET-IN
               SET ERRSTR-PTR OF KAFKA-CONF-SET-IN TO
                   ADDRESS OF ERR-STR
               MOVE FUNCTION IXY-KAFKA-CONF-SET(
                   KAFKA-CONF-REF OF KAFKA-CONF-SET-IN
                   PROP-NAME OF KAFKA-CONF-SET-IN
                   PROP-VALUE OF KAFKA-CONF-SET-IN
                   ERRSTR-PTR OF KAFKA-CONF-SET-IN
                   ERRSTR-SIZE OF KAFKA-CONF-SET-IN
                   )
                   TO CONF-RES OF KAFKA-CONF-SET-OUT
               ADD 1 TO WS-CNT
           END-PERFORM.