Skip to content

Kafka with TLS

Tutorial for creating TLS certificates to secure data using Kafka

Kafka supports encrypting data in transit using transport layer security (TLS) encryption. To configure TLS encryption, the Kafka broker must be configured with TLS settings enabled. See the Confluent guide on authentication for a guide on configuring the broker with a key and certificate to enable TLS encryption.

TLS is the successor SSL

TLS is the newer version of what was previously referred to as secure socket layer (SSL) encryption. The guide above refers to SSL authentication which can be used interchangeably with TLS.

Creating self-signed certificates

This section walks through creating self-signed certificates to use with the broker and consumers. It is recommended that in production an official certificate authority is used to issue these certificates.

Tips for configuring certificates

When creating certificates, most will require a password. It is recommended that a strong password is used and the same password is used for the key and certificate. When configuring the common name (CN) for the certificate, use the external hostname of the target Kafka broker instance when configuring this value.

Typically brokers are configured with a keystore.jks and truststore.jks file. The Java Keystore (JKS) format is a proprietary Java format that is not compatible with the Kafka reader. These certificates can be converted into Rivest-Shamir-Adleman (RSA) encoded Privacy Enhanced Mail (PEM) files. This section walks through converting a keystore and truststore into a certificate authority (CA) root file, a key and a certificate encoded as .pem files.

1. Generate the keystore

# keytool is bundled with the JDK and is used to generate the keystore for this example.
# -keystore <filename>   - output file
# -alias <hostname>      - alias name from the entry process
# -validity <days>       - valid duration of this keystore in days
keytool -genkey -keyalg RSA -keystore keystore.jks -alias localhost -validity 365

2. Generate the certificate authority

The CA file is simply a public-private key pair certificate that will be used to sign other certificates. The CA file needs to be installed in the server key and client certificate to validate the authenticity.

openssl req -new -x509 -keyout ca-key.pem -out ca-cert.pem -days 365

3. Create the truststore from the certificate authority

Generate the truststore for the server using the certificate authority.

keytool -import -keystore truststore.jks -alias CARoot -file ca-cert.pem -trustcacerts

4. Sign the certificates with the certificate authority

Export the certificate from the keystore.

keytool -certreq -keystore keystore.jks -alias localhost -file unsigned.pem -trustcacerts

Sign the certificate with the CA file.

openssl x509 -req -CA ca-cert.pem -CAkey ca-key.pem -in unsigned.pem -out signed.pem -days 365 -CAcreateserial

Import the signed certificate into the server keystore for each alias.

keytool -import -keystore keystore.jks -alias CARoot -file ca-cert.pem -trustcacerts
keytool -import -keystore keystore.jks -alias localhost -file signed.pem -trustcacerts

5. Export the client PEM files

Export the client certificate from the keystore.

keytool -exportcert -alias localhost -keystore keystore.jks -rfc -file cert.pem

Export the key to a Public Key Cryptography Standards 12 (PKCS12) format. This is used as an intermediary format which will be converted to a PEM file.

keytool -importkeystore \
    -srckeystore keystore.jks \
    -destkeystore keystore.p12 \
    -deststoretype PKCS12 \
    -srcalias localhost

Extract the key from the PKCS12 file into a PEM file.

openssl pkcs12 -in keystore.p12 -nocerts -nodes -out key.pem

6. Cleanup intermediate files

A number of the files generated were intermediate files and can now be removed

rm ca-key.pem unsigned.pem signed.pem keystore.p12


At this point we have created the following files.

file description
keystore.jks Kafka broker keystore
truststore.jks Kafka broker truststore
ca-cert.pem CA certificate
cert.pem Client certificate
key.pem Client key

These files will be used in later steps to configure the Kafka client to read from the Kafka broker.

TLS Kafka reader in the Stream Processor

TLS configuration can be set on a Kafka reader or writer by explicitly setting the configuration values in a program file or with environment variables. The following table outlines the available variables that can be used for configuration. For more information on these configuration properties, refer to the librdkafka documentation

environment variable property description example
KXI_SP_KAFKA_SECURITY_PROTOCOL security.protocol Security communication protocol "SSL"
KXI_SP_KAFKA_SSL_CA_LOCATION CA PEM file location "ca.pem"
KXI_SP_KAFKA_SSL_CERTIFICATE_LOCATION ssl.certificate.location Client certificate location "cert.pem"
KXI_SP_KAFKA_SSL_KEY_LOCATION ssl.key.location Client key location "key.pem"
KXI_SP_KAFKA_SSL_KEY_PASSWORD ssl.key.password Client key password "iamseure"
KXI_SP_KAFKA_SSL_VERIFY_CERTIFICATES enable.ssl.certificate.verification Set to "false" to disable server certificate verification. This needs to be set to "false" for self-signed certificates "false"

Example program called spec.q:[.qsp.use (!) . flip (
        (`brokers                  ; "kafka:9092");
        (`topic                    ; "trades");
        (`options; (!) . flip (
            (`security.protocol        ; "SSL");
            (`          ; "/certs/ca-cert.pem");
            (`ssl.certificate.location ; "/certs/cert.pem");
            (`ssl.key.location         ; "/certs/key.pem");
            (`ssl.key.password         ; "iamsecure"))))]
    .qsp.decode.json[][{ flip `time`sym`bid`ask!"PSff"$'flip x }]
    .qsp.write.toProcess[.qsp.use `handle`mode`target!(`:localhost:4000; `function; `publish)]

To see an example Stream Processor deployment using TLS, refer to either the deployment example.