Configuring Apache Kafka to enable SASL Authentication

This task discusses how to enable SASL Authentication with Apache Kafka without SSL Client Authentication.

Before you begin

If you are using SASL Authentication with Client Authentication enabled, see Configuring Apache Kafka to enable Client Authentication.

  1. Ensure that the ports that are used by the Kafka server are not blocked by a firewall.
  2. To protect the traffic between the Kafka consumers (QRadar) and the Kafka brokers with TLS, a key and certificate must be generated for each broker in the cluster and signed by a certificate authority (CA). Because this task does not enable SSL client authentication, the clients do not need their own certificates.

About this task

In the following steps, you generate a CA, sign the broker certificate with it, and add the CA certificate to the broker truststore. You generate the keys and certificates with the Java keytool and OpenSSL. Alternatively, an external CA can be used, including separate CAs, one for signing broker certificates and another for client certificates.

Procedure

  1. Generate the truststore, keystore, private key, and CA certificate.
    Note: Replace PASSWORD, VALIDITY and SERVER_ALIAS in the following commands and prompts with appropriate values. The keytool commands prompt for the keystore and key passwords.
    1. Generate Server keystore.
      Note:

      The common name (CN) of the broker certificate must match the fully qualified domain name (FQDN) of the broker host. The Kafka consumer client that QRadar uses compares the CN with the DNS name that it connected to, so that it is talking to the correct broker and not to one that impersonates it. Enter the FQDN as the CN (the "first and last name" prompt) when you generate the server keystore. Specify -keyalg RSA explicitly rather than relying on keytool's default key algorithm.

      keytool -keystore kafka.server.keystore.jks -alias SERVER_ALIAS
       -validity VALIDITY -genkey -keyalg RSA
      Example
      keytool -keystore kafka.server.keystore.jks -alias server.hostname
       -validity 365 -genkey -keyalg RSA
    2. Generate CA Certificate.
      Note:

      This CA certificate can be used to sign all broker and client certificates.

      openssl req -new -x509 -keyout ca-key -out ca-cert -days VALIDITY
      Example
      openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
    3. Create Server truststore and import CA Certificate.
      keytool -keystore kafka.server.truststore.jks -alias CARoot
       -import -file ca-cert
    4. Generate a Server Certificate and sign it using the CA.
      keytool -keystore kafka.server.keystore.jks -alias SERVER_ALIAS
       -certreq -file cert-file
      openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out
       cert-signed -days VALIDITY -CAcreateserial
      Example
      keytool -keystore kafka.server.keystore.jks -alias server.hostname
       -certreq -file cert-file
      openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out
       cert-signed -days 365 -CAcreateserial
    5. Import CA Certificate into the Server keystore.
      keytool -keystore kafka.server.keystore.jks -alias CARoot
       -import -file ca-cert
    6. Import Signed Server Certificate to the Server keystore.
      keytool -keystore kafka.server.keystore.jks -alias SERVER_ALIAS -import
       -file cert-signed
      Example
      keytool -keystore kafka.server.keystore.jks -alias server.hostname
       -import -file cert-signed
    7. Export the Server Certificate into the binary DER file.
      Note: The keytool -exportcert command uses the DER format by default. Place the certificate in the trusted_certificates/ directory of any EP that communicates with Kafka. You need the server certificate for every bootstrap server that you use in the configuration. Otherwise, QRadar rejects the TLS handshake with the server.
      keytool -exportcert -keystore kafka.server.keystore.jks -alias
       SERVER_ALIAS -file SERVER_ALIAS.der
      Example
      keytool -exportcert -keystore kafka.server.keystore.jks -alias
       server.hostname -file server.hostname.der
  2. Configure the Kafka brokers for SASL over SSL.
    1. In server.properties, find the Socket Server Settings section and change listeners=PLAINTEXT://:<port> to listeners=SASL_SSL://:<port>. The listener protocol must match the security.inter.broker.protocol value that you set in the next step. The SASL mechanism that the brokers accept (sasl.enabled.mechanisms) and the corresponding JAAS login configuration must also be set; those settings are not covered in this task.
    2. Add the following properties to force encrypted communication between brokers and between the brokers and clients. Adjust the paths, file names, and passwords as you need them. The properties point to the truststore and keystore of the server; ssl.client.auth=none means that the broker does not request a client certificate and relies on SASL to identify clients:

      security.inter.broker.protocol=SASL_SSL

      ssl.client.auth=none

      ssl.keystore.location=/somefolder/kafka.server.keystore.jks

      ssl.keystore.password=test1234

      ssl.key.password=test1234

      ssl.truststore.location=/somefolder/kafka.server.truststore.jks

      ssl.truststore.password=test1234

      Note:

      Because the passwords are stored in plain text in server.properties, restrict access to the file with file system permissions (for example, readable only by the account that runs the broker) and keep it out of version control. Kafka can also read these values through a config provider such as FileConfigProvider, which keeps the secrets in a separate, restricted file.

    3. Restart the Kafka brokers that had their server.properties modified.
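The whole procedure, steps 1.1 to 1.7 and the broker settings in step 2, as an added shell example that is not part of the original page or of the Kafka or QRadar projects. It uses OpenSSL instead of keytool and writes PKCS12 stores, which Kafka loads when ssl.keystore.type and ssl.truststore.type are set to PKCS12, so it runs without a JDK. The broker name kafka1.example.com, the port 9093, the directory layout, the STORE_PASS value and the subjectAltName that is added next to the CN are assumptions for illustration. The last function performs the hostname check described in the note of step 1.1, once against the broker's own FQDN and once against a different name.

```shell
#!/bin/sh
# Added example (not from the original page, Kafka or QRadar): automates the
# broker PKI steps of this procedure with OpenSSL only, writes the matching
# broker properties, and checks the certificate the way the QRadar consumer does.
# All names, paths and the STORE_PASS value are assumptions for illustration.
set -eu

CA_DAYS=365          # VALIDITY of the CA certificate
CERT_DAYS=365        # VALIDITY of the broker certificate
STORE_PASS=changeit  # PASSWORD for the PKCS12 stores; placeholder, never ship this

# Step 1.2: CA private key and self-signed CA certificate, written into $1.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=Kafka Example CA" \
        -keyout "$dir/ca-key" -out "$dir/ca-cert" -days "$CA_DAYS" 2>/dev/null
}

# Steps 1.1 and 1.4: broker key, CSR and CA-signed certificate for FQDN $2.
# The CN is the broker FQDN, as the page requires. A subjectAltName with the same
# FQDN is added too (an addition to the page's commands): Java hostname
# verification checks the SAN first and falls back to the CN only without a SAN.
make_broker_cert() {
    dir=$1; fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/$fqdn.ext"
    openssl x509 -req -CA "$dir/ca-cert" -CAkey "$dir/ca-key" -CAcreateserial \
        -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt" -days "$CERT_DAYS" \
        -extfile "$dir/$fqdn.ext" 2>/dev/null
}

# Steps 1.3, 1.5-1.7: key + chain into a PKCS12 keystore, CA into a PKCS12
# truststore, and the broker certificate as DER for the EP's trusted_certificates/.
make_stores() {
    dir=$1; fqdn=$2
    openssl pkcs12 -export -inkey "$dir/$fqdn.key" -in "$dir/$fqdn.crt" \
        -certfile "$dir/ca-cert" -name "$fqdn" \
        -out "$dir/kafka.server.keystore.p12" -passout "pass:$STORE_PASS"
    openssl pkcs12 -export -nokeys -in "$dir/ca-cert" \
        -out "$dir/kafka.server.truststore.p12" -passout "pass:$STORE_PASS"
    openssl x509 -in "$dir/$fqdn.crt" -outform DER -out "$dir/$fqdn.der"
    chmod 600 "$dir"/*.key "$dir/ca-key" "$dir"/*.p12
}

# Step 2: broker properties that match the stores above. Listener and inter-broker
# protocol are both SASL_SSL; ssl.client.auth=none means the broker requests no
# client certificate and relies on SASL for client identity. The SASL mechanism
# settings are left as a reminder because this page does not cover them.
write_broker_props() {
    dir=$1; port=$2
    cat > "$dir/server.properties.fragment" <<EOF
listeners=SASL_SSL://:$port
security.inter.broker.protocol=SASL_SSL
ssl.client.auth=none
ssl.keystore.type=PKCS12
ssl.keystore.location=$dir/kafka.server.keystore.p12
ssl.keystore.password=$STORE_PASS
ssl.key.password=$STORE_PASS
ssl.truststore.type=PKCS12
ssl.truststore.location=$dir/kafka.server.truststore.p12
ssl.truststore.password=$STORE_PASS
# sasl.enabled.mechanisms and the listener's sasl.jaas.config still need to be set
EOF
    chmod 600 "$dir/server.properties.fragment"
}

# The check the QRadar consumer performs on connect: exit 0 only when the broker
# certificate chains to the CA and is valid for hostname $3.
verify_broker_cert() {
    dir=$1; fqdn=$2; host=$3
    openssl verify -CAfile "$dir/ca-cert" -verify_hostname "$host" \
        "$dir/$fqdn.crt" >/dev/null 2>&1
}

# Demo with a constructed broker name: sh kafka-sasl-pki.sh demo /tmp/kafka-pki
demo() {
    work=$1
    make_ca "$work"
    make_broker_cert "$work" kafka1.example.com
    make_stores "$work" kafka1.example.com
    write_broker_props "$work" 9093
    verify_broker_cert "$work" kafka1.example.com kafka1.example.com
    echo "kafka1.example.com: chain and hostname verified"
    if verify_broker_cert "$work" kafka1.example.com rogue.example.com; then
        echo "BUG: certificate accepted for a different host"; return 1
    fi
    echo "rogue.example.com: rejected, as the consumer would reject it"
}

if [ "${1:-}" = demo ]; then demo "${2:-./kafka-pki-demo}"; fi
```

Run it with sh kafka-sasl-pki.sh demo /tmp/kafka-pki. Afterwards, copy kafka1.example.com.der into the trusted_certificates/ directory of every EP that talks to the broker, and merge server.properties.fragment into the broker's server.properties once the SASL mechanism and JAAS settings have been added. The second verification call fails on purpose: a certificate issued for one broker must not be accepted for another name, which is exactly what the consumer's CN/SAN comparison enforces.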