Update the Client Configuration
Use the keytool command to create a trust store with the CA chain used in your certificates. I am using Venafi, so I need to import two CA public keys:
1 2 | keytool -keystore kafka.truststore.jks -alias SectigoRoot -import -file "Sectigo RSA Organization Validation Secure Server CA.crt"keytool -keystore kafka.truststore.jks -alias UserTrustRoot -import -file "USERTrust RSA Certification Authority.crt" |
Update the Client Configuration
Create a producer-ssl.properties or consumer-ssl.properties based on your current producer/consumer properties file. Update the port – 9095 is used for SSL – and append the following lines
1 2 | security.protocol=SSLssl.truststore.location=/path/to/kafka.truststore.jksssl.truststore.password=<WhateverYouSetInThePreviousStep> |
Using the CLI Client Tools
Once you have a property configured properties file, you can invoke either the kafka-console-consumer.sh or kafka-console-producer.sh scripts indicating your new properties file:
1 2 3 | /kafka/bin/kafka-console-consumer.sh --bootstrap-server kafka1586.example.net:9095 --topic LJRTest --consumer.config /kafka/config/consumer-ssl.properties --group LJR5/kafka/bin/kafka-console-producer.sh --bootstrap-server kafka1586.example.net:9095 --topic LJRTest --producer.config /kafka/config/producer-ssl.properties |
To debug SSL communication, set the following KAFKA_OPTS prior to invoking the command line producer/consumer utilities:
1 | export KAFKA_OPTS="-Djavax.net.debug=ssl,handshake" |