Kafka Custom Hardening

In this section, you configure Kafka with hardening, incorporating your inputs.

Please follow the guidelines to set the correct settings according to your needs.

NOTE: If this is your first Kafka setup with customized hardening, proceed to step 3. If you previously ran Kafka without hardening and now want to add a hardening configuration, follow the instructions below:

  1. Stop Kafka
$CONFLUENT_HOME/bin/kafka-server-stop -daemon ~/kafka/server.properties
  2. Stop Zookeeper
$CONFLUENT_HOME/bin/zookeeper-server-stop -daemon ~/kafka/zookeeper.properties
  3. Create Kafka certificates

Run the following command on a single Kafka node only, and set a password of your choice:

/opt/apps/kafka/secure_kafka.sh <PASSWORD>
  4. Execute the Kafka setup with hardening flags
/opt/apps/kafka/kafka-setup.sh --ips 10.0.0.1,10.0.0.2,10.0.0.3 --replication_factor 3 [KAFKA_SSL_FLAGS]

Below are your KAFKA_SSL_FLAGS options:

Choose Keystore password only

--ssl --keystore_password <keystorePWD>

In this case, both the Truststore password and key password inside the keystore will be defined as the keystore password value.

Choose the Keystore and Truststore values

--ssl --keystore_path </path/to/keystore> --keystore_password <keystorePWD> --truststore_path </path/to/truststore> --truststore_password <truststorePWD>

In this case, the Keystore and Truststore have separate paths, each with its own password.

Choose all SSL flags

--ssl --keystore_path </path/to/keystore> --keystore_password <keystorePWD> --truststore_path </path/to/truststore> --truststore_password <truststorePWD> --keypass <keyPWD>

In this case, the Keystore and Truststore have separate paths, each with its own password. Additionally, the Key password inside the keystore differs from the keystore password.

If you have a cluster, copy the certificate tar.gz file to the whole cluster and repeat the above commands on every node.
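
The three KAFKA_SSL_FLAGS combinations above differ in which secrets end up sharing one password. The following pre-flight check is an added example, not part of kafka-setup.sh or the product's own scripts: the hypothetical function `resolve_ssl_flags` classifies a flag set as one of the three options and reports password reuse without printing any secret. It assumes the key password also falls back to the keystore password in the second option, which the page states only for the first.

```bash
#!/bin/sh
# Added example (hypothetical helper, not part of kafka-setup.sh).
# Classifies a KAFKA_SSL_FLAGS set as one of the three options on this page
# and reports password reuse without echoing any secret.
resolve_ssl_flags() {
  ssl=0 ks_path="" ks_pw="" ts_path="" ts_pw="" key_pw=""
  while [ $# -gt 0 ]; do
    if [ "$1" = "--ssl" ]; then ssl=1; shift; continue; fi
    [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
    case "$1" in
      --keystore_path)       ks_path=$2 ;;
      --keystore_password)   ks_pw=$2 ;;
      --truststore_path)     ts_path=$2 ;;
      --truststore_password) ts_pw=$2 ;;
      --keypass)             key_pw=$2 ;;
      *) echo "unknown flag: $1" >&2; return 2 ;;
    esac
    shift 2
  done
  if [ "$ssl" -ne 1 ] || [ -z "$ks_pw" ]; then
    echo "--ssl and --keystore_password are required" >&2; return 2
  fi
  if [ -z "$ks_path$ts_path$ts_pw$key_pw" ]; then
    mode="keystore-password-only"
  elif [ -n "$ks_path" ] && [ -n "$ts_path" ] && [ -n "$ts_pw" ]; then
    if [ -n "$key_pw" ]; then mode="all-ssl-flags"; else mode="keystore-and-truststore"; fi
  else
    echo "not one of the three documented flag combinations" >&2; return 2
  fi
  # Fallbacks: the page states these for option 1; applying the key-password
  # fallback to option 2 as well is an assumption.
  : "${ts_pw:=$ks_pw}"
  : "${key_pw:=$ks_pw}"
  reuse=""
  if [ "$ts_pw" = "$ks_pw" ]; then reuse="truststore=keystore"; fi
  if [ "$key_pw" = "$ks_pw" ]; then reuse="${reuse:+$reuse,}key=keystore"; fi
  printf 'mode=%s reuse=%s\n' "$mode" "${reuse:-none}"
}

# Constructed sample values; real passwords should not be typed into scripts.
resolve_ssl_flags --ssl --keystore_path /tmp/ks.jks --keystore_password 'ks-example' \
  --truststore_path /tmp/ts.jks --truststore_password 'ts-example'
```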
