Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Nifi - confluent cloud kafka broker connectivity with SASL_SSL without ssl certs

Labels:
avatar
author-rank hegdemahendra
Master Collaborator

Created ‎07-06-2023 10:56 AM

Hello experts,

 

I need to connect to my customer's kafka broker from apache nifi processors.

 

They said security protocol is SASL_SSL (where is SASL is PLAIN) and provided username and password for SASL part.

But they say they dont have any ssl certificate to share for _SSL, they informed they are using clnfluent cloud and that does not need ssl certs to connect.

But when I configure nifi processor with SASL_SSL it mandatorily asks for ssl certificate.

 

Any idea how can I get this ssl certificate to connect to confluent cloud kafka broker ?

Or how Nifi can connect without ssl ?

Any suggestion/help much appreciated

 

Thanks

Mahendra

1,040 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎07-06-2023 12:06 PM

@hegdemahendra 

SASL_SSL is Simple Authentication and Security Layer over a TLS encrypted connection.

A TLS encrypted connection is going to require that the server (Kafka) has a server certificate.  There are two types of TLS connection (1-way and mutual). Without going very deep in to this process, i'll keep it very high level). 

In a 1-way TLS connection only the server (Kafka in your case) presents information in the TLS exchange.  The client (NiFi Kafka processor in your case) does not present information back to the server. The client will verify if they trust the information provided from the server.  The servers serverAuth certificate will be signed by some certificate authority and the client will verify if that signing authority's trust chain is trusted and if if it is will accept the Server's information allowing the TLS connection to proceed.   Now it is possible for the client to choose to trust the server (unsecure) without verifying the trust chain.  This is unsafe, so NiFi and its components (Processors, controller services, reporting tasks, RPG, etc) will not allow that.  So the processor will require that a SSL Context Service is created.  You'll need to configure that SSL Context Service with a SSL truststore which contains the complete trust chain for the Kafka signed certificate.  No need for configuring the keystore properties.

In a Mutual TLS connection, both sides (server and Client) will present information to each other to identify themselves in order to establish the encrypted TLS connection.  In a mutual TLS exchange, the Client must be capable via its truststore to trust the compete trust chain for the server's certificate issuer.  And the Server must be capable via its truststore to trust the complete trust chain for the clients certificate issuer.

Since you are authenticating via SASL via username and password, you'll only need 1-way TLS encrypted connection.

You can manually create a truststore.jks to use for this.  You should be able to use openssl to get the public keys needed to do this from yoru kafka target:

openssl s_client -connect <kafka hostname>:<kafka port> -showcerts

The output from this should contain all the public keys in the trust chain. Each certificate will look something like this:

-----BEGIN CERTIFICATE-----
MIIFYjCCBE......yilrbCgj8=
-----END CERTIFICATE-----

The "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" are part of the certificate.
You can save each certificate as a "key<num>.pem" file and the import them in to your truststore you when then use in your SSLContextService.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

1,017 Views
0 Kudos
2 REPLIES 2

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎07-06-2023 12:06 PM

@hegdemahendra 

SASL_SSL is Simple Authentication and Security Layer over a TLS encrypted connection.

A TLS encrypted connection is going to require that the server (Kafka) has a server certificate.  There are two types of TLS connection (1-way and mutual). Without going very deep in to this process, i'll keep it very high level). 

In a 1-way TLS connection only the server (Kafka in your case) presents information in the TLS exchange.  The client (NiFi Kafka processor in your case) does not present information back to the server. The client will verify if they trust the information provided from the server.  The servers serverAuth certificate will be signed by some certificate authority and the client will verify if that signing authority's trust chain is trusted and if if it is will accept the Server's information allowing the TLS connection to proceed.   Now it is possible for the client to choose to trust the server (unsecure) without verifying the trust chain.  This is unsafe, so NiFi and its components (Processors, controller services, reporting tasks, RPG, etc) will not allow that.  So the processor will require that a SSL Context Service is created.  You'll need to configure that SSL Context Service with a SSL truststore which contains the complete trust chain for the Kafka signed certificate.  No need for configuring the keystore properties.

In a Mutual TLS connection, both sides (server and Client) will present information to each other to identify themselves in order to establish the encrypted TLS connection.  In a mutual TLS exchange, the Client must be capable via its truststore to trust the compete trust chain for the server's certificate issuer.  And the Server must be capable via its truststore to trust the complete trust chain for the clients certificate issuer.

Since you are authenticating via SASL via username and password, you'll only need 1-way TLS encrypted connection.

You can manually create a truststore.jks to use for this.  You should be able to use openssl to get the public keys needed to do this from yoru kafka target:

openssl s_client -connect <kafka hostname>:<kafka port> -showcerts

The output from this should contain all the public keys in the trust chain. Each certificate will look something like this:

-----BEGIN CERTIFICATE-----
MIIFYjCCBE......yilrbCgj8=
-----END CERTIFICATE-----

The "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" are part of the certificate.
You can save each certificate as a "key<num>.pem" file and the import them in to your truststore you when then use in your SSLContextService.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

1,018 Views
0 Kudos

avatar
author-rank hegdemahendra
Master Collaborator

Created ‎07-07-2023 09:18 AM

@MattWho Thank you so much for this awesome detailed solution !

It worked.

973 Views
0 Kudos
webinar banner
Announcements
What's New @ Cloudera
Cloudera DataFlow now powers GenAI pipelines and supports ch...
Community Announcements
May 2024 Community Highlights
What's New @ Cloudera
Cloudera Operational Database (COD) supports instance group ...
What's New @ Cloudera
Cloudera Operational Database (COD) has updated the instanc...
What's New @ Cloudera
Cloudera Operational Database (COD) supports configuring roo...
View More Announcements
meetups banner