Enabling SASL Authentication on SSL/TLS

When the Kafka cluster uses the SASL_SSL security protocol, enable the Kafka stage to use SASL authentication on SSL/TLS.

Before you enable Kafka stages to use SASL authentication on SSL/TLS, make sure that you have performed all necessary prerequisite tasks.

Note: The following steps provide details on providing Kerberos credentials using a JAAS file or stage properties. You can use either method or both. Skip the steps that are not relevant to your desired implementation.
  1. To use a Java Authentication and Authorization Service (JAAS) file to provide plain or Kerberos credentials, create a JAAS configuration file on the Data Collector machine.

    The contents of the JAAS configuration file depend on whether you use the PLAIN or GSSAPI (Kerberos) SASL mechanism and depend on your Data Collector installation and authentication type. For details, see Providing PLAIN Credentials or Providing Kerberos Credentials.

  2. If using the GSSAPI (Kerberos) SASL mechanism and a credential store to call keytabs from stage properties, add the Base64-encoded keytabs that you want to use to the credential store.
    Note: Be sure to remove unnecessary characters, such as newline characters, before encoding the keytab.

    If you configured Data Collector to require group secretsrequire group secrets, for each keytab secret that you define, create a group secret and specify a comma-separated list of groups allowed to access the keytab secret.

    Name the group secret based on the keytab secret name, as follows: <keytab secret name>-groups.

    For more information about requiring group secrets, see Group Access to Secrets in the Data Collector documentation. For details on defining secrets, see your credential store documentation.

  3. On the General tab of the Kafka stage, set the Stage Library property to the appropriate Kafka version.

    If configuring a Kafka Consumer origin for a Kafka YARN cluster pipeline, select a stage library for Kafka version 0.10.0.0 or later.

    If using stage properties to define Kafka credentials, select a stage library for Kafka version 0.11.0.0 or later.

  4. On the Security tab of the stage, configure the following properties:
    Security Property Description
    Security Option Set to Kerberos Authentication on SSL/TLS (Security Protocol=SASL_SSL).
    SASL Mechanism SASL mechanism to use:
    • PLAIN (username/password)
    • GSSAPI (Kerberos)
    Kerberos Service Name Kerberos service principal name that the Kafka brokers run as.

    Available when using the GSSAPI (Kerberos) mechanism.
    Provide Keytab at Runtime Enables providing Kerberos credentials in the connection properties.
    Important: Configuring Kerberos credentials in connection properties is not supported in Transformer pipelines nor in Data Collector cluster pipelines at this time.

    Available when using the GSSAPI (Kerberos) mechanism.
    Runtime Keytab Kerberos keytab to use for the connection, specified in one of the following ways:
    • Enter a Base64-encoded keytab.

      Be sure to remove unnecessary characters, such as newline characters, before encoding the keytab.

    • If using a credential store, use the credential:get() or credential:getWithOptions() credential function to retrieve a Base64-encoded keytab.
      Note: The user who starts the pipeline must be in the Data Collector group specified in the credential function. When Data Collector requires a group secret, the user must also be in a group associated with the keytab.

    For more information about using keytabs in a credential store, see Using a Credential Store.

    Available when using the GSSAPI (Kerberos) mechanism.
    Runtime Principal Kerberos principal to use for the connection, specified in the following format: <principal name>/<host name>@<realm>.

    Available when using the GSSAPI (Kerberos) mechanism.
    Truststore File Path to the truststore file. Enter an absolute path to the file or enter the following expression to define the file stored in the Data Collector resources directory:

    ${runtime:resourcesDirPath()}/keystore.jks
    Truststore Password Password to the truststore file.
    Tip: To secure sensitive information such as passwords, you can use runtime resources or credential stores.credential stores. For more information about credential stores, see Credential Stores in the Data Collector documentation.
    Enabled Protocols Comma-separated list of protocols used to connect to the Kafka brokers. Ensure that at least one of these protocols is enabled in the Kafka brokers.
    Note: Older protocols are not as secure as TLSv1.2.
    Truststore Type Type of truststore to use. Use one of the following types:
    • Java Keystore File (JKS)
    • PKCS #12 (p12 file)

    Default is Java Keystore File (JKS).

    In Data Collector Edge pipelines, when you configure a Kafka Producer destination, enter an absolute path for the truststore file that uses the PEM format.