0
0
KafkaHow-ToBeginner · 3 min read

How to Enable SSL in Kafka for Secure Communication

To enable SSL in Kafka, configure the broker's server.properties with SSL settings like ssl.keystore.location and ssl.truststore.location. Then, update the client configuration to use SSL by setting security.protocol=SSL and providing truststore details.
📐

Syntax

Kafka SSL configuration requires setting properties in both broker and client configuration files.

  • Broker SSL properties: Define keystore and truststore locations, passwords, and enable SSL listeners.
  • Client SSL properties: Set the security protocol to SSL and provide truststore details for secure connection.
properties
## Broker server.properties example
listeners=SSL://:9093
ssl.keystore.location=/path/to/kafka.server.keystore.jks
ssl.keystore.password=yourKeystorePassword
ssl.key.password=yourKeyPassword
ssl.truststore.location=/path/to/kafka.server.truststore.jks
ssl.truststore.password=yourTruststorePassword
security.inter.broker.protocol=SSL
ssl.client.auth=required

## Client config example
security.protocol=SSL
ssl.truststore.location=/path/to/client.truststore.jks
ssl.truststore.password=clientTruststorePassword
💻

Example

This example shows a minimal Kafka broker server.properties setup to enable SSL on port 9093 and a client configuration to connect securely.

properties
## server.properties (Kafka Broker)
listeners=SSL://:9093
ssl.keystore.location=/etc/kafka/secrets/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/secrets/kafka.server.truststore.jks
ssl.truststore.password=changeit
security.inter.broker.protocol=SSL
ssl.client.auth=required

## client.properties (Kafka Client)
security.protocol=SSL
ssl.truststore.location=/etc/kafka/secrets/client.truststore.jks
ssl.truststore.password=changeit
Output
Kafka broker starts listening on SSL port 9093. Client connects securely using SSL protocol.
⚠️

Common Pitfalls

Common mistakes when enabling SSL in Kafka include:

  • Incorrect file paths for keystore or truststore files.
  • Mismatched passwords between keystore and truststore.
  • Not setting security.inter.broker.protocol=SSL causing broker communication failure.
  • Forgetting to configure clients to use security.protocol=SSL.
  • Not enabling SSL listeners with the correct port.
properties
## Wrong: Missing SSL listener
listeners=PLAINTEXT://:9092

## Right: SSL listener enabled
listeners=SSL://:9093
📊

Quick Reference

Remember these key points when enabling SSL in Kafka:

  • Set listeners=SSL://:port on the broker.
  • Configure keystore and truststore locations and passwords.
  • Set security.inter.broker.protocol=SSL for broker communication.
  • Clients must use security.protocol=SSL and truststore settings.
  • Restart Kafka broker after changes.

Key Takeaways

Enable SSL by configuring broker listeners and keystore/truststore properties.
Set security.inter.broker.protocol=SSL to secure broker-to-broker communication.
Clients must use security.protocol=SSL and provide truststore details.
Verify file paths and passwords for keystore and truststore are correct.
Restart Kafka broker after SSL configuration changes.

Related by keyword

What is enable.auto.commit in Kafka: Explanation and UsageConsumerHow to Start Kafka Server: Simple Steps to Run Apache KafkaGetting StartedHow to Use kafka-topics Command in Apache KafkaTopic ManagementHow to Scale Kafka Cluster: Simple Steps to Grow Your Kafka SetupAdministrationHow to Use Kafka for Microservices CommunicationCommon Patterns

Up next

How to Use Kafka Manager: Setup and Basic OperationsWhat is min.insync.replicas in Kafka and How It WorksHow to Configure Kafka Consumer in Spring BootHow to Configure Kafka Producer in Spring Boot

More in Security

How to Configure Authentication in Kafka: Simple StepsHow to Enable SASL Authentication in Apache KafkaHow to Encrypt Data in Kafka: Simple Steps and ExamplesHow to Secure Kafka: Best Practices and Configuration