Kafka JMX with SSL and user password authentication

By | May 18, 2019

The YUM repositories provide packages for RHEL, CentOS, and Fedora-based distributions. You can install individual Confluent Platform packages or the entire platform. For a list of available packages, see the documentation or search the repository (yum search <package-name>).

  1. Install the curl and which tools.

     sudo yum install curl which

  2. Install the Confluent Platform public key. This key is used to sign packages in the YUM repository.

     sudo rpm --import https://packages.confluent.io/rpm/5.2/archive.key

  3. Navigate to /etc/yum.repos.d/ and create a file named confluent.repo with these contents. This adds the Confluent repository.

     [Confluent.dist]
     name=Confluent repository (dist)
     baseurl=https://packages.confluent.io/rpm/5.2/7
     gpgcheck=1
     gpgkey=https://packages.confluent.io/rpm/5.2/archive.key
     enabled=1

     [Confluent]
     name=Confluent repository
     baseurl=https://packages.confluent.io/rpm/5.2
     gpgcheck=1
     gpgkey=https://packages.confluent.io/rpm/5.2/archive.key
     enabled=1

  4. Clear the YUM caches and install Confluent Platform.
    • Confluent Platform:

      sudo yum clean all && sudo yum install confluent-platform-2.12

    • Confluent Platform using only Confluent Community components:

      sudo yum clean all && sudo yum install confluent-community-2.12

    For Confluent Platform your output should resemble:

      Dependency Installed:
        confluent-camus.noarch 0:5.2.1-1
        confluent-cli.noarch 0:5.2.1-1
        confluent-common.noarch 0:5.2.1-1
        confluent-control-center.noarch 0:5.2.1-1
        confluent-control-center-fe.noarch 0:5.2.1-1
        confluent-kafka-2.12.noarch 0:5.2.1-1
        confluent-kafka-connect-elasticsearch.noarch 0:5.2.1-1
        confluent-kafka-connect-hdfs.noarch 0:5.2.1-1
        confluent-kafka-connect-jdbc.noarch 0:5.2.1-1
        confluent-kafka-connect-jms.noarch 0:5.2.1-1
        confluent-kafka-connect-replicator.noarch 0:5.2.1-1
        confluent-kafka-connect-s3.noarch 0:5.2.1-1
        confluent-kafka-connect-storage-common.noarch 0:5.2.1-1
        confluent-kafka-rest.noarch 0:5.2.1-1
        confluent-ksql.noarch 0:5.2.1-1
        confluent-rebalancer.noarch 0:5.2.1-1
        confluent-rest-utils.noarch 0:5.2.1-1
        confluent-schema-registry.noarch 0:5.2.1-1
        confluent-support-metrics.noarch 0:5.2.1-1

      Complete!

Edit /bin/kafka-run-class: look for “KAFKA_JMX_OPTS” and add the following, replacing hostname with your host and the paths and passwords with those for your jks files.

KAFKA_JMX_OPTS="
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.authenticate=true
-Djava.rmi.server.hostname=hostname
-Djava.net.preferIPv4Stack=true
-Dcom.sun.management.jmxremote.password.file=/opt/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/opt/jmxremote.access
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStore=/opt/keystore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=jconsole.truststore
-Djavax.net.ssl.trustStorePassword=password
"
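
The options above point at /opt/jmxremote.password and /opt/jmxremote.access, but the post does not show those files. The following is an added example, not part of the original post, that writes both files with owner-only permissions and checks them; the function names, the user name "monitor" and the sample password are assumptions made for illustration.

```shell
# Added example, not from the original post. User name, password and
# directory are constructed samples; the file names match the paths above.

# write_jmx_auth_files DIR USER PASSWORD ACCESS
# Writes DIR/jmxremote.password ("user password") and DIR/jmxremote.access
# ("user readonly|readwrite"), both readable by the owner only.
write_jmx_auth_files() {
    dir=$1; user=$2; pass=$3; access=$4
    case $access in
        readonly|readwrite) ;;
        *) echo "access must be readonly or readwrite" >&2; return 2 ;;
    esac
    # Fields are whitespace-separated, so neither may be empty or contain it.
    case "x$user" in x|*[[:space:]]*) echo "bad user name" >&2; return 2 ;; esac
    case "x$pass" in x|*[[:space:]]*) echo "bad password" >&2; return 2 ;; esac
    (
        umask 077   # create the files owner-only from the first byte
        printf '%s %s\n' "$user" "$pass"   > "$dir/jmxremote.password" &&
        printf '%s %s\n' "$user" "$access" > "$dir/jmxremote.access"
    ) || return 1
    chmod 600 "$dir/jmxremote.password" "$dir/jmxremote.access"
}

# check_jmx_auth_files DIR
# Returns 0 when the password file is closed to group/other and every user
# in it has an access entry; otherwise prints the reason and returns 1.
check_jmx_auth_files() {
    pw=$1/jmxremote.password; ac=$1/jmxremote.access
    [ -f "$pw" ] && [ -f "$ac" ] || { echo "missing file in $1"; return 1; }
    # The JVM will not start the JMX agent if others can read the password file.
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$pw" | cut -c5-10)" != "------" ]; then
        echo "$pw is accessible by group or other"; return 1
    fi
    # First file (access) fills the set of known users; each non-comment
    # line of the second file (password) is then checked against that set.
    awk 'NF == 0 || $1 ~ /^#/ { next }
         FILENAME == ARGV[1] { ok[$1] = 1; next }
         !($1 in ok) { print "no access entry for " $1; bad = 1 }
         END { exit bad }' "$ac" "$pw"
}
```

For the paths used in this post, call write_jmx_auth_files /opt monitor '<your-password>' readonly as the account that starts the broker, so that account can read the owner-only files, then run check_jmx_auth_files /opt before restarting Kafka.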

Add the JMX port to the /bin/kafka-server-start file:

export JMX_PORT=${JMX_PORT:-9999}

It should look like:

export JMX_PORT=${JMX_PORT:-9999}
exec $base_dir/kafka-run-class $EXTRA_ARGS io.confluent.support.metrics.SupportedKafka "$@"

Generate the SSL certificates:

keytool -genkey -keyalg RSA -alias selfsigned -keystore /opt/keystore.jks -storepass password -validity 365 -keysize 2048

Fill in the requested information, then list the keystore:

keytool -list -v -keystore /opt/keystore.jks

Check the key alias, then export the certificate and import it into the jconsole truststore:

keytool -export -alias selfsigned -keystore /opt/keystore.jks -file jazz.cer -storepass password
keytool -import -alias jconsole -file jazz.cer -keystore jconsole.truststore -storepass password -noprompt

Start your console with:

jconsole -J-Djavax.net.ssl.trustStore=jconsole.truststore -J-Djavax.net.ssl.trustStorePassword=password service:jmx:rmi:///jndi/rmi://host:9999/jmxrmi

or on Windows:

jconsole.exe -J-Djavax.net.ssl.trustStore=jconsole.truststore -J-Djavax.net.ssl.trustStorePassword=password