Under Ambari server>Kafka>config> Kafka Broker> Listeners can add the security protocol as: SASL_SSL://localhost:<port>
Since this is a one way SSL communication between client-server, ensure to have enabled the property ssl.client.auth=none. This means that a client authentication is not required. By default this property is set toNone. This can be double checked fromAmbari console>Kafka>Configs. The same can be searched using the filter text box at the top right of the service screen.
Client Side
Create a fileclient.propertieswith the following content:
ssl.truststore.location=<pathToTrustStore> // This file must contain server rootCA
ssl.truststore.password=<trustStore password>
Get a valid Kerberos ticket and execute new producer/consumer API as follows: