AWS Kafka (MSK) - How to generate Keystore and truststore and use the same in my Spring Cloud Stream application?

Is there any info as to how I can use the AWS MSK details in my Spring Cloud Stream application?

I believe we need to generate a keystore and truststore and then incorporate the same in our application? I went through the "Client Authentication" page of the AWS MSK and found that to be very confusing.

Can anyone help me with steps on this? I am just trying to deploy this application, which uses the AWS MSK (3 brokers).

Thank you.

Kenny Weeler asked Feb 18 '20 17:02




1 Answer

Short answer: Your kafka client will need this in the configuration:

# security settings
security.protocol=SSL
ssl.truststore.location=/tmp/kafka.client.truststore.jks
ssl.truststore.password=
ssl.endpoint.identification.algorithm=

That is, if you use the same JVM truststore from the tutorial and no password. Leaving ssl.endpoint.identification.algorithm empty turns off host name verification.

Long answer: I wondered the same thing after going through the tutorial, wondering why the JVM truststore magically works when connecting to MSK. The explanation is this:

If you take a peek at what certificates this truststore imported:

keytool -list -v -keystore /tmp/kafka.client.truststore.jks | grep Owner

One of them is the Starfield Services Root Certificate Authority; when Amazon purchased the company, the CA became one of Amazon's (see all of them here: https://www.amazontrust.com/repository/). Since the JVM truststore trusts this CA, it also trusts anything signed by the CA, and the MSK cluster's certificate is one of them.

If you would prefer to generate your own truststore, download one of Amazon's certificates and import it:

keytool -keystore kafka.client.truststore.jks -alias CARoot -importcert -file {downloaded-cert} -storepass {your-password}

Thanks, Yanan

Yanan Wang answered Sep 28 '22 01:09

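The properties from the answer, mapped onto a Spring Cloud Stream application.yml so they reach the Kafka client created by the binder. This is an added example, not code from the question or the answer; the broker host names, file paths and environment variable names are assumptions, and the keystore entries only apply if the cluster has TLS client authentication enabled.

```yaml
# Added example: Spring Cloud Stream Kafka binder settings for an MSK cluster over TLS.
# Host names, paths and KAFKA_* variables are assumed placeholders.
spring:
  cloud:
    stream:
      kafka:
        binder:
          # The TLS bootstrap endpoints shown in the MSK console (MSK's TLS listener is port 9094)
          brokers: >-
            b-1.mycluster.example.kafka.us-east-1.amazonaws.com:9094,
            b-2.mycluster.example.kafka.us-east-1.amazonaws.com:9094,
            b-3.mycluster.example.kafka.us-east-1.amazonaws.com:9094
          # Everything under "configuration" is passed straight through to the Kafka client
          configuration:
            security.protocol: SSL
            ssl.truststore.location: /etc/kafka/kafka.client.truststore.jks
            # Resolved from the environment instead of being left empty
            ssl.truststore.password: ${KAFKA_TRUSTSTORE_PASSWORD}
            # "https" is the Kafka client default and keeps host name verification on;
            # the empty value from the answer would disable it
            ssl.endpoint.identification.algorithm: https
            # Only needed when the cluster requires mutual TLS (ACM Private CA client certs);
            # the keystore holds the client key plus the issued certificate chain
            ssl.keystore.location: /etc/kafka/kafka.client.keystore.jks
            ssl.keystore.password: ${KAFKA_KEYSTORE_PASSWORD}
            ssl.key.password: ${KAFKA_KEY_PASSWORD}
```

If the truststore is the one built with the answer's keytool command, its -storepass value is what KAFKA_TRUSTSTORE_PASSWORD must carry.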