Add Security to Running KRaft Clusters in Confluent Platform

This topic describes how to add security (TLS or SASL) to a running KRaft-based cluster.

Adding security to brokers and clients running TLS or SASL authentication

You can secure a running Confluent Platform cluster using one or more of the supported protocols. This is done in phases:

  1. Incrementally restart the cluster nodes to open additional secured port(s).
  2. Restart Kafka clients using the secured rather than PLAINTEXT port (assuming you are securing the client-broker connection).
  3. Incrementally restart the cluster again to enable broker-to-broker security (if this is required).
  4. A final incremental restart to close the PLAINTEXT port.

The specific steps for configuring security protocols are described in the respective sections for TLS and SASL. Follow these steps to enable security for your desired protocol(s).

The security implementation lets you configure different protocols for both broker-client and broker-broker communication. These must be enabled in separate restarts. A PLAINTEXT port must be left open throughout so brokers and/or clients can continue to communicate.

When performing an incremental restart, take into consideration the recommendations for doing rolling restarts to avoid downtime for end users.

For example, if you want to encrypt both broker-client and broker-broker communication with TLS:

  1. In the first incremental restart, open a TLS port on each node:

    listeners=PLAINTEXT://broker1:9091,SSL://broker1:9092
    

    Note

    In Confluent Platform clusters, you can update some Confluent Server broker configurations without restarting the broker by adding or removing listeners dynamically. When adding a new listener, provide the security configuration of the listener using the listener prefix listener.name.{listenerName}. If the new listener uses SASL, then provide the JAAS configuration property sasl.jaas.config with the listener and mechanism prefix. For more details, refer to JAAS.

  2. Then restart the Kafka clients, changing their configuration to point at the newly-opened, secured port:

    bootstrap.servers=[broker1:9092,...]
    security.protocol=SSL
    ...etc
    

    For more details, refer to Protect Data in Motion with TLS Encryption in Confluent Platform.

  3. In the second incremental server restart, instruct Confluent Platform to use TLS as the broker-broker protocol (which will use the same TLS port):

    listeners=PLAINTEXT://broker1:9091,SSL://broker1:9092
    security.inter.broker.protocol=SSL
    
  4. In the final restart, secure the cluster by closing the PLAINTEXT port:

    listeners=SSL://broker1:9092
    security.inter.broker.protocol=SSL
    

Opening multiple ports

Alternatively, you might choose to open multiple ports so that different protocols can be used for broker-broker and broker-client communication. If you want to use TLS encryption throughout (for example, for broker-broker and broker-client communication), but also want to add SASL authentication to the broker-client connection:

  1. Open two additional ports during the first restart:

    listeners=PLAINTEXT://broker1:9091,SSL://broker1:9092,SASL_SSL://broker1:9093
    
  2. Again, restart the Kafka clients, changing their configuration to point at the newly-opened, SASL and TLS secured port:

    bootstrap.servers=[broker1:9093,...]
    security.protocol=SASL_SSL
    ...etc
    

    For more details, refer to SASL.

  3. The second server restart switches the cluster to encrypted broker-broker communication over the TLS listener you previously opened on port 9092:

    listeners=PLAINTEXT://broker1:9091,SSL://broker1:9092,SASL_SSL://broker1:9093
    security.inter.broker.protocol=SSL
    
  4. The final restart secures the cluster by closing the PLAINTEXT port:

    listeners=SSL://broker1:9092,SASL_SSL://broker1:9093
    security.inter.broker.protocol=SSL
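The two procedures above share the same invariants: a port is opened in one rolling restart before anything depends on it, clients move to a secured port before the PLAINTEXT listener is closed, and the inter-broker protocol always has an open listener. The following checker is an added example, not Confluent's or Kafka's code; it parses the `listeners`, `security.inter.broker.protocol`, `bootstrap.servers` and `security.protocol` settings shown on this page and reports any step of a migration plan that would break broker-to-broker or broker-to-client connectivity. The `PLAN` constant is a constructed encoding of the single-port TLS procedure (host `broker1`, ports 9091/9092 as on the page); `check_step` and `validate_plan` are names chosen here.

```python
# Added example: validate a phased listener migration for a Kafka/KRaft
# cluster. Broker and client settings are plain "key=value" properties text.

def parse_props(text):
    """Parse 'key=value' lines (Kafka properties style) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("..."):
            continue  # skip blanks, comments and the page's "...etc" placeholder
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def parse_listeners(value):
    """'PLAINTEXT://broker1:9091,SSL://broker1:9092' -> {('PLAINTEXT', 9091), ('SSL', 9092)}."""
    out = set()
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        proto, _, hostport = entry.partition("://")
        _, _, port = hostport.rpartition(":")
        out.add((proto.upper(), int(port)))
    return out

def parse_bootstrap(value):
    """'[broker1:9092,...]' -> {9092}; bracket syntax and '...' placeholders are tolerated."""
    ports = set()
    for entry in value.strip("[]").split(","):
        entry = entry.strip()
        if ":" not in entry:
            continue
        ports.add(int(entry.rpartition(":")[2]))
    return ports

def check_step(prev_broker, broker, prev_client, client):
    """Return the problems introduced by one restart (empty list means the step is safe)."""
    problems = []
    if broker != prev_broker and client != prev_client:
        problems.append("broker and client configs changed in the same step; use separate restarts")
    prev_listeners = parse_listeners(prev_broker.get("listeners", ""))
    listeners = parse_listeners(broker.get("listeners", ""))
    protos = {p for p, _ in listeners}
    prev_protos = {p for p, _ in prev_listeners}

    # Broker-to-broker: the inter-broker protocol needs an open listener, and that
    # listener must have been opened in an earlier rolling restart so brokers that
    # have already restarted can still reach the ones that have not.
    ibp = broker.get("security.inter.broker.protocol", "PLAINTEXT")
    prev_ibp = prev_broker.get("security.inter.broker.protocol", "PLAINTEXT")
    if ibp not in protos:
        problems.append(f"inter-broker protocol {ibp} has no listener")
    elif ibp != prev_ibp and ibp not in prev_protos:
        problems.append(f"{ibp} listener opened and used for inter-broker traffic in the same restart")

    # Broker-to-client: every bootstrap port must be served by a listener that
    # speaks the client's security.protocol.
    client_proto = client.get("security.protocol", "PLAINTEXT")
    for port in parse_bootstrap(client.get("bootstrap.servers", "")):
        if (client_proto, port) not in listeners:
            problems.append(f"clients use {client_proto} on port {port}, which no listener serves")
    return problems

def validate_plan(plan):
    """plan: list of (broker_props_text, client_props_text); index 0 is the starting state."""
    states = [(parse_props(b), parse_props(c)) for b, c in plan]
    problems = []
    for i in range(1, len(states)):
        for msg in check_step(states[i - 1][0], states[i][0], states[i - 1][1], states[i][1]):
            problems.append(f"step {i}: {msg}")
    final_listeners = parse_listeners(states[-1][0].get("listeners", ""))
    if "PLAINTEXT" in {p for p, _ in final_listeners}:
        problems.append("final state still exposes a PLAINTEXT listener")
    return problems

# Constructed plan mirroring the four-restart TLS procedure on this page.
PLAN = [
    # step 0: starting state, brokers and clients on the PLAINTEXT port
    ("listeners=PLAINTEXT://broker1:9091",
     "bootstrap.servers=broker1:9091\nsecurity.protocol=PLAINTEXT"),
    # step 1: rolling broker restart opens the TLS port
    ("listeners=PLAINTEXT://broker1:9091,SSL://broker1:9092",
     "bootstrap.servers=broker1:9091\nsecurity.protocol=PLAINTEXT"),
    # step 2: clients restarted onto the TLS port
    ("listeners=PLAINTEXT://broker1:9091,SSL://broker1:9092",
     "bootstrap.servers=[broker1:9092,...]\nsecurity.protocol=SSL"),
    # step 3: rolling broker restart moves inter-broker traffic to TLS
    ("listeners=PLAINTEXT://broker1:9091,SSL://broker1:9092\nsecurity.inter.broker.protocol=SSL",
     "bootstrap.servers=[broker1:9092,...]\nsecurity.protocol=SSL"),
    # step 4: final rolling restart closes the PLAINTEXT port
    ("listeners=SSL://broker1:9092\nsecurity.inter.broker.protocol=SSL",
     "bootstrap.servers=[broker1:9092,...]\nsecurity.protocol=SSL"),
]

if __name__ == "__main__":
    for problem in validate_plan(PLAN) or ["plan is safe"]:
        print(problem)
```

Running the block on `PLAN` reports no problems. Collapsing steps 1 and 3 into one restart (opening the SSL port and setting `security.inter.broker.protocol=SSL` together) is flagged, as is closing the PLAINTEXT listener while clients still bootstrap over it; the multi-port SASL_SSL variant is checked the same way by adding the 9093 listener to the broker settings and `SASL_SSL` to the client settings.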