Librdkafka: Kafka SSL librdkafka c API

Created on 5 Mar 2020  路  2Comments  路  Source: edenhill/librdkafka

Read the FAQ first: https://github.com/edenhill/librdkafka/wiki/FAQ

Description

Assume there is a kafka cluster of 5 brokers and I understand that each broker will have different certificate.

From Producer side, if I want to set up SSL with the cluster I will pass least 2 broker ip's to "bootstrap.servers" and rdkafka takes care of getting all the broker ip's from the cluster within librdkafka third-party code.

Because I have to set 2 broker ip's to "bootstrap.servers", Do I have to pass CA, Cert, Key for each broker to librdkafka producer? If so how do I pass them in below example. Please clarify.

rd_kafka_conf_set(conf, "ssl.certificate.location", , errstr, sizeof(errstr));
rd_kafka_conf_set(conf, "ssl.ca.location", , errstr, sizeof(errstr));
rd_kafka_conf_set(conf, "ssl.key.location", , errstr, sizeof(errstr));

rd_kafka_conf_set(conf, "bootstrap.servers", , errstr, sizeof(errstr));

rk = rd_kafka_new(RD_KAFKA_PRODUCER, conf, errstr, sizeof(errstr));
err = rd_kafka_producev(rk, ...);

Checklist

IMPORTANT: We will close issues where the checklist has not been completed.

Please provide the following information:

question

Most helpful comment

The "ssl.certificate.location" is the certificate for your application - there is only one of these.
The "ssl.key.location" is required only if your application certificate is encrypted - in any case there is only one of these per application certificate.
The "ssl.ca.location" refers to the public key of the certificate authority that signed the broker certificates - there really should be only one of these. (To clarify - although each broker should have its own certificate, they should all be signed by the same CA and it is this CA's certificate that your client application needs to be configured to trust.)

All 2 comments

The "ssl.certificate.location" is the certificate for your application - there is only one of these.
The "ssl.key.location" is required only if your application certificate is encrypted - in any case there is only one of these per application certificate.
The "ssl.ca.location" refers to the public key of the certificate authority that signed the broker certificates - there really should be only one of these. (To clarify - although each broker should have its own certificate, they should all be signed by the same CA and it is this CA's certificate that your client application needs to be configured to trust.)

Thanks @rolandyoung !

Was this page helpful?
0 / 5 - 0 ratings