Cannot configure Kafka SASL_SSL security parameters

Article ID: 194972

Products

CLOUDTEST, CA Application Test, CA Cloud Test Mobile, MOBILECLOUD, Service Virtualization

Issue/Introduction

I am trying to configure the DevTest Apache Kafka Consumer Asset to use SASL_SSL security in the Listen step in the VSM. I cannot figure out where the security credentials/parameters are configured. I have read the DevTest 10.5 online documentation and tried communities, but no luck. I need some guidance to move forward.

Environment

Release : 10.5, 10.6

Component : CA Service Virtualization

Resolution

This is not supported at this time.

Currently, DevTest does not support the SSL or SASL_SSL options for Kafka; only plaintext connections are supported. Adding them would be an enhancement and needs approval from the PO/PM.

However, some customers have tried configuring SSL at the JVM level at runtime via system properties (as shown below), the way SSL is configured in many other Java applications. Whether they were successful is not known.
-Djavax.net.ssl.trustStore=C:\\Users\\example\\DevTest\\Projects\\Data\\ssl\\kafka.truststore.jks
-Djavax.net.ssl.trustStorePassword=********
-Djavax.net.ssl.keyStore=C:\\Users\\example\\DevTest\\Projects\\Data\\ssl\\kafka.keystore.jks
-Djavax.net.ssl.keyStorePassword=*******
-Djavax.net.debug=ssl
-Dssl.key.password=******  
 
The main problem with this approach in DevTest is that it reconfigures SSL globally: it affects every SSL connection the JVM makes, whether from a messaging step or a web service step. DevTest has separate options for defining an SSL Context for messaging steps. Some connection assets, including IBM MQ, RabbitMQ and several of the JMS providers, offer an SSL Context option. An SSL Context encapsulates the key store and trust store information so that it applies only to a single connection, not globally. Because that option manipulates the SSL context directly, it allows things the system properties above cannot, such as forgoing the trust store, using a specific client key, and specifying advanced SSL parameters.
 
The same applies to SASL_SSL authentication; it could be attempted in a similar fashion. The links below may help with authenticating using SASL/Kerberos, provided the Kerberos setup itself is working properly. Please note that this is beyond the scope of our support.
https://archive.cloudera.com/kafka/kafka/2/kafka-0.10.0-kafka2.1.1/security.html
https://www.ibm.com/support/knowledgecenter/en/SSWSR9_11.6.0/com.ibm.swg.im.mdmhs.kafka.export.doc/topics/kafka_security_client.html
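For comparison, the following added example (not from this article, and not something the DevTest Kafka asset exposes) shows how a standalone Kafka Java client scopes the trust store and SASL/Kerberos credentials to one consumer instead of the whole JVM. It assumes kafka-clients 2.x and placeholder broker, keytab, principal and topic names.

```java
import java.time.Duration;
import java.util.Collections;
import java.util.Properties;
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.serialization.StringDeserializer;

// Added example: per-client SASL_SSL settings for a plain Kafka Java consumer.
// All paths, hosts and principals below are assumed placeholders.
public class SaslSslConsumerConfig {

    public static Properties build(String bootstrap, String groupId, String trustStorePassword) {
        Properties p = new Properties();
        p.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrap);
        p.put(ConsumerConfig.GROUP_ID_CONFIG, groupId);
        p.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class.getName());
        p.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class.getName());

        // Transport: TLS scoped to this client. The -Djavax.net.ssl.* flags in the article
        // instead change every TLS connection the JVM makes.
        p.put("security.protocol", "SASL_SSL");
        p.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "/opt/kafka/ssl/kafka.truststore.jks"); // assumed path
        p.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, trustStorePassword);
        // Check the broker certificate's hostname, not only its chain.
        p.put(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "https");

        // Authentication: SASL/GSSAPI (Kerberos) from a keytab, as in the linked security guides.
        p.put(SaslConfigs.SASL_MECHANISM, "GSSAPI");
        p.put(SaslConfigs.SASL_KERBEROS_SERVICE_NAME, "kafka"); // must match the broker principal's primary
        p.put(SaslConfigs.SASL_JAAS_CONFIG,
              "com.sun.security.auth.module.Krb5LoginModule required "
            + "useKeyTab=true storeKey=true "
            + "keyTab=\"/etc/security/keytabs/devtest-client.keytab\" " // assumed path
            + "principal=\"devtest-client@EXAMPLE.COM\";");              // assumed principal
        return p;
    }

    public static void main(String[] args) {
        // The password is read from the environment rather than passed as a -D flag,
        // so it does not appear in the process command line.
        String tsPass = System.getenv("KAFKA_TRUSTSTORE_PASSWORD");
        Properties props = build("broker.example.com:9093", "devtest-vsm", tsPass);
        try (KafkaConsumer<String, String> consumer = new KafkaConsumer<>(props)) {
            consumer.subscribe(Collections.singletonList("orders")); // assumed topic
            consumer.poll(Duration.ofSeconds(5))
                    .forEach(r -> System.out.println(r.key() + " -> " + r.value()));
        }
    }
}
```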

Hope it helps.