Support Questions

Find answers, ask questions, and share your expertise

Nifi - confluent cloud kafka broker connectivity with SASL_SSL without ssl certs

avatar
Master Collaborator

Hello experts,

 

I need to connect to my customer's kafka broker from apache nifi processors.

 

They said security protocol is SASL_SSL (where is SASL is PLAIN) and provided username and password for SASL part.

But they say they dont have any ssl certificate to share for _SSL, they informed they are using clnfluent cloud and that does not need ssl certs to connect.

But when I configure nifi processor with SASL_SSL it mandatorily asks for ssl certificate.

 

Any idea how can I get this ssl certificate to connect to confluent cloud kafka broker ?

Or how Nifi can connect without ssl ?

Any suggestion/help much appreciated

 

Thanks

Mahendra

1 ACCEPTED SOLUTION

avatar
Master Mentor

@hegdemahendra 

SASL_SSL is Simple Authentication and Security Layer over a TLS encrypted connection.

A TLS encrypted connection is going to require that the server (Kafka) has a server certificate.  There are two types of TLS connection (1-way and mutual). Without going very deep in to this process, i'll keep it very high level). 

In a 1-way TLS connection only the server (Kafka in your case) presents information in the TLS exchange.  The client (NiFi Kafka processor in your case) does not present information back to the server. The client will verify if they trust the information provided from the server.  The servers serverAuth certificate will be signed by some certificate authority and the client will verify if that signing authority's trust chain is trusted and if if it is will accept the Server's information allowing the TLS connection to proceed.   Now it is possible for the client to choose to trust the server (unsecure) without verifying the trust chain.  This is unsafe, so NiFi and its components (Processors, controller services, reporting tasks, RPG, etc) will not allow that.  So the processor will require that a SSL Context Service is created.  You'll need to configure that SSL Context Service with a SSL truststore which contains the complete trust chain for the Kafka signed certificate.  No need for configuring the keystore properties.

In a Mutual TLS connection, both sides (server and Client) will present information to each other to identify themselves in order to establish the encrypted TLS connection.  In a mutual TLS exchange, the Client must be capable via its truststore to trust the compete trust chain for the server's certificate issuer.  And the Server must be capable via its truststore to trust the complete trust chain for the clients certificate issuer.

Since you are authenticating via SASL via username and password, you'll only need 1-way TLS encrypted connection.

You can manually create a truststore.jks to use for this.  You should be able to use openssl to get the public keys needed to do this from yoru kafka target:

openssl s_client -connect <kafka hostname>:<kafka port> -showcerts

The output from this should contain all the public keys in the trust chain. Each certificate will look something like this:

-----BEGIN CERTIFICATE-----
MIIFYjCCBE......yilrbCgj8=
-----END CERTIFICATE-----

The "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" are part of the certificate.
You can save each certificate as a "key<num>.pem" file and the import them in to your truststore you when then use in your SSLContextService.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

2 REPLIES 2

avatar
Master Mentor

@hegdemahendra 

SASL_SSL is Simple Authentication and Security Layer over a TLS encrypted connection.

A TLS encrypted connection is going to require that the server (Kafka) has a server certificate.  There are two types of TLS connection (1-way and mutual). Without going very deep in to this process, i'll keep it very high level). 

In a 1-way TLS connection only the server (Kafka in your case) presents information in the TLS exchange.  The client (NiFi Kafka processor in your case) does not present information back to the server. The client will verify if they trust the information provided from the server.  The servers serverAuth certificate will be signed by some certificate authority and the client will verify if that signing authority's trust chain is trusted and if if it is will accept the Server's information allowing the TLS connection to proceed.   Now it is possible for the client to choose to trust the server (unsecure) without verifying the trust chain.  This is unsafe, so NiFi and its components (Processors, controller services, reporting tasks, RPG, etc) will not allow that.  So the processor will require that a SSL Context Service is created.  You'll need to configure that SSL Context Service with a SSL truststore which contains the complete trust chain for the Kafka signed certificate.  No need for configuring the keystore properties.

In a Mutual TLS connection, both sides (server and Client) will present information to each other to identify themselves in order to establish the encrypted TLS connection.  In a mutual TLS exchange, the Client must be capable via its truststore to trust the compete trust chain for the server's certificate issuer.  And the Server must be capable via its truststore to trust the complete trust chain for the clients certificate issuer.

Since you are authenticating via SASL via username and password, you'll only need 1-way TLS encrypted connection.

You can manually create a truststore.jks to use for this.  You should be able to use openssl to get the public keys needed to do this from yoru kafka target:

openssl s_client -connect <kafka hostname>:<kafka port> -showcerts

The output from this should contain all the public keys in the trust chain. Each certificate will look something like this:

-----BEGIN CERTIFICATE-----
MIIFYjCCBE......yilrbCgj8=
-----END CERTIFICATE-----

The "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" are part of the certificate.
You can save each certificate as a "key<num>.pem" file and the import them in to your truststore you when then use in your SSLContextService.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

avatar
Master Collaborator

@MattWho Thank you so much for this awesome detailed solution !

It worked.