https://github.com/LGouellec/kafka-dotnet-ssl
Secure the Cluster
Create Root CA
1. Generate a private key named root.key. Keep this file offline or readable only by the account that signs certificates: anyone holding it can mint certificates that every broker and client in the cluster will trust.
openssl genrsa -out root.key
2. Generate a self-signed root CA certificate named root.crt. Pass -days explicitly: without it openssl issues a CA valid for only 30 days, shorter than the 365-day broker and client certificates signed with it below, after which every TLS handshake in the cluster fails.
openssl req -new -x509 -key root.key -days 3650 -out root.crt
Create the Truststore and Keystore
1. Create a truststore file for all of the Kafka brokers. In this example the truststore only needs to contain the root CA created earlier, because that CA signs every certificate used here; if several CAs sign your certificates, import each of them. All of the brokers can use the same truststore file. keytool prompts for a keystore password; it must match ssl.truststore.password in the broker configuration below (123456789 in this example). With ssl.client.auth=required, every CA in this store can also vouch for clients, so only add CAs whose keys you control.
keytool -keystore kafka.truststore.jks -alias CARoot -import -file root.crt
2. Create a keystore file for the Kafka broker named kafka01. Each broker gets its own keystore holding its own key pair. The keytool command below adds a Subject Alternative Name (SAN) extension: when hostname verification is enabled, a client matches the broker's hostname against the SAN entries first and falls back to the certificate's CN only if no SAN is present. Use the broker's fully-qualified domain name (FQDN) both in the SAN and as your answer to the "What is your first and last name?" (CN) prompt. In this example the FQDN is kafka01.mycompany.com; the short name kafka01 is added as a second SAN entry for connections that use the unqualified host name. The alias (localhost here) is only the name of the entry inside the keystore file and plays no part in authentication or hostname verification. keytool prompts for a keystore password and a key password: use the same values as ssl.keystore.password and ssl.key.password in the broker configuration below (123456789 in this example).
keytool -keystore kafka01.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA -keysize 2048 -ext SAN=DNS:kafka01.mycompany.com,DNS:kafka01
3. Generate a certificate signing request (CSR) for the broker's key so it can be signed by the root CA. The private key never leaves the keystore; only the request is written out.
keytool -keystore kafka01.keystore.jks -alias localhost -certreq -file kafka01.unsigned.crt
4. Sign the Kafka broker's certificate using the root CA. By default openssl x509 -req copies no extensions from the CSR, so the SAN added in step 2 would silently be dropped from the signed certificate and hostname verification against kafka01.mycompany.com would fail later. Supply the extensions again with -extfile, where kafka01.ext is a one-line text file containing subjectAltName=DNS:kafka01.mycompany.com,DNS:kafka01 (on OpenSSL 3.0 and later, -copy_extensions copy keeps the CSR's own extensions instead). Check the result with openssl x509 -in kafka01.signed.crt -noout -text and confirm the Subject Alternative Name is present.
openssl x509 -req -CA root.crt -CAkey root.key -in kafka01.unsigned.crt -out kafka01.signed.crt -days 365 -CAcreateserial -extfile kafka01.ext
5.Import the root CA into the broker’s keystore.
keytool -keystore kafka01.keystore.jks -alias CARoot -import -file root.crt
6.Import the signed Kafka broker certificate into the keystore.
keytool -keystore kafka01.keystore.jks -alias localhost -import -file kafka01.signed.crt
7. Copy the shared truststore and this broker's own keystore into the broker's configuration folder (/etc/kafka by default); repeat on every broker with that broker's keystore. Make both files readable only by the account running Kafka, since the keystore contains the broker's private key.
cp kafka.truststore.jks /etc/kafka/
cp kafka01.keystore.jks /etc/kafka/
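The steps above, run end to end as one script. This is an added example and not code from the kafka-dotnet-ssl repository: it is a non-interactive version of the "Create Root CA" and "Create the Truststore and Keystore" procedure that avoids the two pitfalls of the commands as typed (a 30-day CA when -days is omitted, and the SAN being dropped because openssl x509 -req ignores CSR extensions), then checks the signed certificate against the CA and for the expected SAN before packaging it. It uses openssl only: the broker key pair is generated with openssl rather than keytool, and the signed chain is bundled into a PKCS12 keystore, which Kafka accepts with ssl.keystore.type=PKCS12 (in PKCS12 the key password equals the keystore password, so ssl.key.password must be set to the same value). The same issue_cert helper produces the consumer_client and producer_client key/certificate files that the .NET client sections later need. The CA name, the 10-year CA validity, the 123456789 password and the output directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the kafka-dotnet-ssl repository. Builds the root CA,
# a broker certificate with the SAN preserved, verifies it, and exports a
# PKCS12 keystore; issue_cert is reused for .NET client certificates.

# create_root_ca DIR: root CA key + self-signed certificate in DIR.
create_root_ca() {
    dir=$1
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/root.key"                      # the key that everything trusts
    openssl req -new -x509 -key "$dir/root.key" -days 3650 \
        -subj "/CN=Kafka Demo Root CA" -out "$dir/root.crt" 2>/dev/null
}

# issue_cert DIR NAME CN EXT...: key + CSR for NAME, signed by the root CA.
# Each EXT is an x509v3 extension line (e.g. "subjectAltName=DNS:host") that is
# written to an -extfile, because `openssl x509 -req` drops CSR extensions.
issue_cert() {
    dir=$1; name=$2; cn=$3; shift 3
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -subj "/CN=$cn" -out "$dir/$name.csr" 2>/dev/null || return 1
    printf '%s\n' "$@" > "$dir/$name.ext"
    openssl x509 -req -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -in "$dir/$name.csr" -days 365 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# cert_has_san CRT DNSNAME: succeeds if CRT lists DNS:DNSNAME in its SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -qE "DNS:$2([, ]|$)"
}

# cert_chains_to CRT CA: succeeds if CRT verifies against CA, i.e. what a
# truststore containing CA will accept.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# make_broker_pki DIR FQDN ALIAS PASSWORD: CA, broker cert with SAN for the FQDN
# and its short name, checks, and DIR/<short>.keystore.p12 for ssl.keystore.location.
make_broker_pki() {
    dir=$1; fqdn=$2; alias=$3; pass=$4
    short=${fqdn%%.*}
    create_root_ca "$dir" || return 1
    issue_cert "$dir" "$short" "$fqdn" \
        "subjectAltName=DNS:$fqdn,DNS:$short" \
        "extendedKeyUsage=serverAuth,clientAuth" || return 1   # brokers are clients of each other
    cert_has_san "$dir/$short.crt" "$fqdn" || { echo "SAN missing from $short.crt" >&2; return 1; }
    cert_chains_to "$dir/$short.crt" "$dir/root.crt" || { echo "chain broken" >&2; return 1; }
    openssl pkcs12 -export -in "$dir/$short.crt" -inkey "$dir/$short.key" \
        -certfile "$dir/root.crt" -name "$alias" -passout "pass:$pass" \
        -out "$dir/$short.keystore.p12" 2>/dev/null
}

# make_client_cert DIR NAME CN: PEM key + CA-signed cert for a .NET client
# (SslKeyLocation / SslCertificateLocation), restricted to client use.
make_client_cert() {
    issue_cert "$1" "$2" "$3" "extendedKeyUsage=clientAuth" || return 1
    cert_chains_to "$1/$2.crt" "$1/root.crt"
}

# Demo with the tutorial's names; output goes to KAFKA_PKI_DIR or a temp dir.
out=${KAFKA_PKI_DIR:-$(mktemp -d)}
if make_broker_pki "$out" kafka01.mycompany.com localhost 123456789 \
   && make_client_cert "$out" consumer_client consumer-ssl-01; then
    echo "PKI written to $out"
else
    echo "PKI generation failed (is openssl installed?)" >&2
fi
```

OpenSSL 3 writes PKCS12 files with AES and PBKDF2, which JDKs older than 8u301 or 11.0.12 cannot read; add -legacy to the pkcs12 command on those runtimes. The client certificate gets extendedKeyUsage=clientAuth only, so a leaked client certificate cannot be presented as a broker certificate, which matters because every certificate here is signed by the same CA.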
Configure Kafka
1. Edit the Kafka configuration (server.properties) to use TLS/SSL encryption:
# Address that clients and other brokers connect to. Prefer the FQDN that is in
# the certificate's SAN here so hostname verification can stay enabled.
advertised.listeners=SASL_SSL://192.168.56.1:9093
listeners=SASL_SSL://10.0.2.15:9093
ssl.truststore.location=/etc/kafka/kafka.truststore.jks
# Must match the passwords entered in keytool when the stores were created.
ssl.truststore.password=123456789
ssl.keystore.location=/etc/kafka/kafka01.keystore.jks
ssl.keystore.password=123456789
ssl.key.password=123456789
# Only TLS 1.2: TLS 1.0 and 1.1 are deprecated (RFC 8996) and must not be
# offered. Add TLSv1.3 on Kafka 2.5+ running on JDK 11+.
ssl.enabled.protocols=TLSv1.2
# Mutual TLS: every client must present a certificate chaining to the truststore.
ssl.client.auth=required
# An empty value disables hostname verification (the default has been https
# since Kafka 2.0). It is disabled here only because the listeners above are
# IP addresses that are not in the broker certificate's SAN; once the
# listeners use the FQDN, delete this line so brokers verify each other.
ssl.endpoint.identification.algorithm=
ssl.keystore.type=JKS
ssl.truststore.type=JKS
2. Edit the Kafka configuration to use SASL PLAIN authentication:
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
These three lines only select the mechanism. The broker will not start until it also has a JAAS login module that defines the PLAIN credentials (for example the admin/admin pair the clients below use), either in a JAAS file passed with -Djava.security.auth.login.config or inline in the listener.name.sasl_ssl.plain.sasl.jaas.config property. PLAIN transmits the password in the clear inside the session, so it is acceptable only over SASL_SSL, never over SASL_PLAINTEXT.
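A check for the broker configuration, covering both the TLS settings and the SASL PLAIN settings above. This is an added example, not part of the kafka-dotnet-ssl repository: a small audit function that reads a server.properties file and reports the weak points a reviewer would flag (TLS 1.0/1.1 enabled, hostname verification switched off, no client certificates required, a PLAINTEXT listener, or SASL PLAIN enabled without a JAAS login module), run against two constructed files: the configuration as given on this page, and a hardened copy that also carries the missing listener.name.sasl_ssl.plain.sasl.jaas.config line. The property and login-module names are Apache Kafka's documented ones; the host names and the admin/admin credential are the tutorial's, and the files themselves are constructed here.

```shell
#!/bin/sh
# Added example, not from the kafka-dotnet-ssl repository: audit a Kafka
# server.properties for the weak settings discussed on this page.

# audit_broker_config FILE: print one finding per line (nothing when clean).
audit_broker_config() {
    f=$1
    protos=$(sed -n 's/^ssl\.enabled\.protocols=//p' "$f")
    for weak in SSLv3 TLSv1 TLSv1.1; do               # RFC 8996 deprecations
        if printf '%s' "$protos" | tr ',' '\n' | grep -qx "$weak"; then
            echo "ssl.enabled.protocols offers deprecated $weak"
        fi
    done
    if grep -qx 'ssl.endpoint.identification.algorithm=' "$f"; then
        echo "hostname verification disabled (ssl.endpoint.identification.algorithm is empty)"
    fi
    # Kafka's default is ssl.client.auth=none, so absence is a finding too.
    if grep -qx 'ssl.client.auth=none' "$f" || ! grep -q '^ssl\.client\.auth=' "$f"; then
        echo "brokers do not require client certificates (ssl.client.auth)"
    fi
    if grep -E '^(advertised\.)?listeners=' "$f" | grep -q 'PLAINTEXT://'; then
        echo "a PLAINTEXT listener is exposed"
    fi
    if sed -n 's/^sasl\.enabled\.mechanisms=//p' "$f" | tr ',' '\n' | grep -qx PLAIN; then
        if ! grep -q '^listener\.name\..*\.plain\.sasl\.jaas\.config=' "$f"; then
            echo "SASL PLAIN enabled but no JAAS login module configured for it"
        fi
    fi
}

# count_findings FILE: number of findings, as a plain integer.
count_findings() {
    audit_broker_config "$1" | wc -l | tr -d ' '
}

# write_page_config FILE: the broker configuration exactly as this page gives it.
write_page_config() {
    cat > "$1" <<'EOF'
advertised.listeners=SASL_SSL://192.168.56.1:9093
listeners=SASL_SSL://10.0.2.15:9093
ssl.truststore.location=/etc/kafka/kafka.truststore.jks
ssl.truststore.password=123456789
ssl.keystore.location=/etc/kafka/kafka01.keystore.jks
ssl.keystore.password=123456789
ssl.key.password=123456789
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.client.auth=required
ssl.endpoint.identification.algorithm=
ssl.keystore.type=JKS
ssl.truststore.type=JKS
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
EOF
}

# write_hardened_config FILE: same cluster, with the weak settings corrected
# and the PLAIN credentials defined (username/password = this broker's own
# inter-broker login; user_<name>=<password> = every accepted login).
write_hardened_config() {
    cat > "$1" <<'EOF'
advertised.listeners=SASL_SSL://kafka01.mycompany.com:9093
listeners=SASL_SSL://10.0.2.15:9093
ssl.truststore.location=/etc/kafka/kafka.truststore.jks
ssl.truststore.password=123456789
ssl.keystore.location=/etc/kafka/kafka01.keystore.jks
ssl.keystore.password=123456789
ssl.key.password=123456789
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required
ssl.endpoint.identification.algorithm=https
ssl.keystore.type=JKS
ssl.truststore.type=JKS
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin" user_admin="admin";
EOF
}

# Demo: audit both files.
tmp=$(mktemp -d)
write_page_config "$tmp/page.properties"
write_hardened_config "$tmp/hardened.properties"
echo "page config: $(count_findings "$tmp/page.properties") finding(s)"
audit_broker_config "$tmp/page.properties"
echo "hardened config: $(count_findings "$tmp/hardened.properties") finding(s)"
```

The hardened file advertises the FQDN instead of an IP, which is what lets ssl.endpoint.identification.algorithm keep its https default for inter-broker connections. Because the broker configuration is readable by the Kafka service account, the inline JAAS line puts admin's password in that file; keep it out of version control and use the JAAS-file variant with tighter permissions if other processes share the host.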
Test with a secured producer and consumer
Create Consumer certificate
1. Create a private key and certificate for the consumer client
The .NET client is not Java based and consequently does not use Java's JKS container format for storing private keys and certificates. We will use openssl to create the key and certificate for the client, not keytool as we did for the broker.
The first step is to create a Certificate Signing Request (CSR). Note: there is no need to explicitly create a self-signed certificate first as we did for the broker. -nodes leaves the private key unencrypted on disk, so restrict the file's permissions to the account that runs the client. With SASL_SSL the broker derives the client's Kafka principal from the SASL username, not from this certificate, so the CN you enter only needs to identify the client (for example consumer-ssl-01).
openssl req -newkey rsa:2048 -nodes -keyout consumer_client.key -out consumer_client.csr
2. Now that you have the CSR, generate a CA-signed certificate as follows
openssl x509 -req -CA root.crt -CAkey root.key -in consumer_client.csr -out consumer_client.crt -days 365 -CAcreateserial
3. Create a ConsumerConfig instance (Confluent.Kafka) and set these properties
using Confluent.Kafka;

var config = new ConsumerConfig
{
    BootstrapServers = "192.168.56.1:9093",
    GroupId = "consumer-group-ssl",
    ClientId = "consumer-ssl-01",
    // SASL PLAIN over TLS: the credentials travel inside the encrypted session and
    // become the client's Kafka principal. Load them from a secret store or an
    // environment variable in real deployments instead of hard-coding them.
    SaslMechanism = SaslMechanism.Plain,
    SecurityProtocol = SecurityProtocol.SaslSsl,
    SaslUsername = "admin",
    SaslPassword = "admin",
    // Hostname verification is off only because BootstrapServers is an IP that is
    // not in the broker certificate's SAN. Once it uses kafka01.mycompany.com,
    // set this to SslEndpointIdentificationAlgorithm.Https: otherwise any holder
    // of any certificate signed by root.crt (another client, say) can impersonate
    // the broker.
    SslEndpointIdentificationAlgorithm = SslEndpointIdentificationAlgorithm.None,
    // Root CA that signed the broker certificate, and this client's own
    // certificate and key for mutual TLS (the broker has ssl.client.auth=required).
    SslCaLocation = @"[YOUR_PATH]\root.crt",
    SslCertificateLocation = @"[YOUR_PATH]\consumer_client.crt",
    SslKeyLocation = @"[YOUR_PATH]\consumer_client.key"
};
Create Producer certificate
1. Create a private key and certificate for the producer client
Same procedure as for the consumer: create a CSR with openssl (no self-signed certificate is needed first), protect the unencrypted producer_client.key, then sign the request with the root CA.
openssl req -newkey rsa:2048 -nodes -keyout producer_client.key -out producer_client.csr
2. Now that you have the CSR, generate a CA-signed certificate as follows
openssl x509 -req -CA root.crt -CAkey root.key -in producer_client.csr -out producer_client.crt -days 365 -CAcreateserial
3. Create a ProducerConfig instance (Confluent.Kafka) and set these properties; the same remarks as for the consumer apply to the credentials and to hostname verification
using Confluent.Kafka;

var config = new ProducerConfig
{
    BootstrapServers = "192.168.56.1:9093",
    ClientId = "producer-ssl-01",
    SaslMechanism = SaslMechanism.Plain,
    SecurityProtocol = SecurityProtocol.SaslSsl,
    SaslUsername = "admin",          // load from a secret store in real deployments
    SaslPassword = "admin",
    // Switch to Https once BootstrapServers is the FQDN present in the broker SAN.
    SslEndpointIdentificationAlgorithm = SslEndpointIdentificationAlgorithm.None,
    SslCaLocation = @"[YOUR_PATH]\root.crt",
    SslCertificateLocation = @"[YOUR_PATH]\producer_client.crt",
    SslKeyLocation = @"[YOUR_PATH]\producer_client.key"
};