The following information describes how to use credentials to configure access to the Kafka cluster.
Kafka mTLS authentication
Communication with your Kafka cluster is TLS secured, meaning both the client and the Kafka cluster authenticate each other. The client authenticates the server by verifying the server's certificate, and the server authenticates the client by verifying the client's certificate. As the Kafka cluster does not have publicly signed certificates, you must validate them with the cluster's certificate authority. Authentication happens via mutual TLS (mTLS). Therefore, your cluster maintains a client certificate authority to sign authenticated user certificates.
Get certificates and key
To connect and authenticate to your Kafka cluster, you must fetch the two required certificates and a key from the user's API endpoint. The following curl commands fetch the certificates and key for a cluster created in the Frankfurt (de-fra) region.
# Get the cluster's CA certificate
curl --location https://kafka.de-fra.ionos.com/clusters/${clusterId}/users/${userId}/access --header "Authorization: Bearer ${personalToken}" | yq -r '.metadata.certificateAuthority' > ca-cert.pem
# verify
openssl x509 -in ca-cert.pem -text -noout

# Get the (admin) user's client certificate
curl --location https://kafka.de-fra.ionos.com/clusters/${clusterId}/users/${userId}/access --header "Authorization: Bearer ${personalToken}" | yq -r '.metadata.certificate' > admin-cert.pem
# verify
openssl x509 -in admin-cert.pem -text -noout

# Get the (admin) user's client key
curl --location https://kafka.de-fra.ionos.com/clusters/${clusterId}/users/${userId}/access --header "Authorization: Bearer ${personalToken}" | yq -r '.metadata.privateKey' > admin-key.pem
# verify
openssl rsa -in admin-key.pem -check
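The verify commands above print each file but do not confirm that the private key is protected on disk or that the certificate and key form a pair. The following added example (not part of the original documentation) fetches the access document once instead of three times and checks both; the function names are hypothetical, and `curl`, `yq`, `mktemp` and `openssl` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original page. File names and the .metadata.* fields
# follow the page; the function names are hypothetical.

# Fetch the access document once and split it; umask 077 makes newly created files owner-only.
fetch_access() {  # expects clusterId, userId and personalToken to be set, as on the page
  ( umask 077
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    curl --fail --silent --show-error --location \
      "https://kafka.de-fra.ionos.com/clusters/${clusterId}/users/${userId}/access" \
      --header "Authorization: Bearer ${personalToken}" > "$tmp" || exit 1
    yq -r '.metadata.certificateAuthority' < "$tmp" > ca-cert.pem &&
    yq -r '.metadata.certificate' < "$tmp" > admin-cert.pem &&
    yq -r '.metadata.privateKey' < "$tmp" > admin-key.pem )
}

# True only if group and other have no permission bits on the file.
owner_only() {  # $1 = file
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True only if the certificate and the private key carry the same public key.
cert_matches_key() {  # $1 = certificate PEM, $2 = key PEM, $3 = key passphrase (optional)
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run in the directory holding the downloaded files, before the conversion steps.
preflight() {
  owner_only admin-key.pem ||
    { echo "admin-key.pem is accessible to group or other" >&2; return 1; }
  cert_matches_key admin-cert.pem admin-key.pem ||
    { echo "admin-cert.pem and admin-key.pem do not belong together" >&2; return 1; }
  echo "ok"
}
```

Call `fetch_access` and then `preflight` in an empty working directory; files that already exist keep their old permissions, so `preflight` reports them if they are too open.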
Convert certificates & key
You will need different file formats for the certificates depending on the consumer/producer's implementation. The following sections show how to create and use them with the Kafka Command-Line Interface (CLI) Tools.
PKCS#12 (.p12 / .pfx)
# Create a ca-cert.p12 (with openssl >3.2)
openssl pkcs12 -export -nokeys -in ca-cert.pem -out ca-cert.p12 -passout "pass:changeit" -jdktrust anyExtendedKeyUsage

# Create a ca-cert.p12 (with keytool)
keytool -importcert -storetype PKCS12 -keystore ca-cert.p12 -storepass changeit -alias cluster-ca -file ca-cert.pem -noprompt
# verify
openssl pkcs12 -info -in ca-cert.p12

# Create an admin.p12
openssl pkcs12 -export -in admin-cert.pem -inkey admin-key.pem -out admin.p12 -passout "pass:admin_p12_pass"
# verify
openssl pkcs12 -info -nodes -in admin.p12
Your admin.properties files should look like this:
# Create a Java Truststore
keytool -import -alias cluster-ca -file ca-cert.pem -keystore truststore.jks -storepass changeit -noprompt
# verify
keytool -list -keystore truststore.jks -rfc -storepass changeit

# Create a Java Keystore
openssl pkcs12 -export -in admin-cert.pem -inkey admin-key.pem -out admin.p12 -passout "pass:admin_p12_pass"
keytool -importkeystore -srckeystore admin.p12 -srcstorepass admin_p12_pass -destkeystore admin.ks -storepass admin_jks_pass
# verify
keytool -list -keystore admin.ks -rfc -storepass admin_jks_pass
# verify including the key
keytool -importkeystore -srckeystore admin.ks -srcstorepass admin_jks_pass -deststoretype PKCS12 -destkeystore filename.p12 -storepass p12_pass
openssl pkcs12 -info -nodes -in filename.p12 -passin "pass:p12_pass"
rm -f filename.p12
Your admin.properties files should look similar to the following:
# No need to do anything with the ca-cert.pem; it can be used without any modification
# verify
openssl x509 -in ca-cert.pem -text -noout

# Create an admin.pem containing key and cert
# As the Kafka CLI tool requires the key in PKCS#8 and secured with a passphrase, we need to convert it first
openssl pkcs8 -in admin-key.pem -passout "pass:admin_pem_pass" -topk8 -v1 PBE-SHA1-3DES -out admin.pem
cat admin-cert.pem >> admin.pem
# verify
openssl x509 -in admin.pem -text -noout
openssl pkey -in admin.pem -check
Your admin.properties files should look similar to the following: