Mugetsu

Reputation: 1958

KafkaJS producer ssl certificates

I'm writing a NodeJS Kafka producer with KafkaJS and having trouble understanding how to get the required SSL certificates in order to connect to Kafka using a SASL-SSL connection. In the KafkaJS documentation there is this configuration for SSL:

ssl: {
    rejectUnauthorized: false,
    ca: [fs.readFileSync('/my/custom/ca.crt', 'utf-8')],
    key: fs.readFileSync('/my/custom/client-key.pem', 'utf-8'),
    cert: fs.readFileSync('/my/custom/client-cert.pem', 'utf-8')
},

I have a problem with it because I don't know how/what certificates I should provide to it.

Do I need to provide all three props (ca, key and cert)? If so, how do I obtain them? We have a Kafka cluster configured as in the Confluent Security Tutorial. Do I have to decode a keystore or something in order to obtain proper certs for my KafkaJS producer? I have a bare understanding of all of this.

Upvotes: 1

Views: 7688

Answers (1)

cogitoergosum

Reputation: 2471

Does your broker enforce client authentication? If yes, then you will need key and cert. If your client is running on a 'standard' computer, then most well-known CAs will already be present, e.g. at /etc/ssl/certs. In such a case, you will only need ssl: true. If you are using a self-signed certificate but not client authentication, then ca needs to be provided.

So, here are your options.

Client authentication

If the CA is self-signed, then also add ca (see below).

ssl: {
    key: fs.readFileSync('/my/custom/client-key.pem', 'utf-8'),
    cert: fs.readFileSync('/my/custom/client-cert.pem', 'utf-8')
}

Self-signed certificate

ssl: {
    rejectUnauthorized: false,
    ca: [fs.readFileSync('/my/custom/ca.crt', 'utf-8')]
}

rejectUnauthorized: false will not check against known CAs.

See this SO question for more information.

Upvotes: 2
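
The cases from the answer above combined into one helper, added here as an example (not code from the post or from KafkaJS). `buildSslOptions` and `pemLabel` are hypothetical names and the sample PEM strings are constructed placeholders. KafkaJS passes the `ssl` object to Node's `tls.connect()`, so the helper leaves `rejectUnauthorized` at Node's default of `true` and the broker certificate is verified against the supplied `ca`.

```javascript
// Added example: build the `ssl` value for new Kafka({ ssl, sasl, ... }).
// KafkaJS hands this object to Node's tls.connect(), so Node's TLS rules apply.
const PEM_LABEL = /-----BEGIN ([A-Z0-9 ]+)-----/;

// Return the label of the first PEM block in `pem`, or null if it is not PEM.
function pemLabel(pem) {
  const m = PEM_LABEL.exec(String(pem || ''));
  return m ? m[1] : null;
}

// buildSslOptions is a hypothetical helper, not part of KafkaJS.
//   caPem   - CA certificate that signed the broker certificate (private or self-signed CA)
//   keyPem  - client private key  (only when the broker enforces client authentication)
//   certPem - client certificate  (only when the broker enforces client authentication)
function buildSslOptions({ caPem, keyPem, certPem } = {}) {
  if (Boolean(keyPem) !== Boolean(certPem)) {
    throw new Error('client authentication needs both key and cert');
  }
  const ssl = {};
  if (caPem) {
    if (pemLabel(caPem) !== 'CERTIFICATE') throw new Error('ca must be a PEM certificate');
    ssl.ca = [caPem]; // replaces the default trust store; verification stays on
  }
  if (keyPem) {
    const keyLabel = pemLabel(keyPem);
    // Catches the common mix-up of passing the certificate file as the key.
    if (!keyLabel || !keyLabel.endsWith('PRIVATE KEY')) {
      throw new Error('key must be a PEM private key');
    }
    if (pemLabel(certPem) !== 'CERTIFICATE') throw new Error('cert must be a PEM certificate');
    ssl.key = keyPem;
    ssl.cert = certPem;
  }
  // Broker certificate from a well-known CA and no client auth: `ssl: true` is enough.
  return Object.keys(ssl).length === 0 ? true : ssl;
}

// Constructed placeholders (not real key material); real values come from fs.readFileSync.
const SAMPLE_CA = '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n';
const SAMPLE_CERT = SAMPLE_CA;
const SAMPLE_KEY = '-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n';
```
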
