Kafka JMX with SSL and user password authentication

By | May 18, 2019

The YUM repositories provide packages for RHEL, CentOS, and Fedora-based distributions. You can install individual Confluent Platform packages or the entire platform. For a list of available packages, see the documentation or search the repository (yum search <package-name>).

Install the curl and which tools.

sudo yum install curl which

Install the Confluent Platform public key. This key is used to sign packages in the YUM repository.

sudo rpm --import https://packages.confluent.io/rpm/5.2/archive.key 

Navigate to /etc/yum.repos.d/ and create a file named confluent.repo with these contents. This adds the Confluent repository.

[Confluent.dist]
name=Confluent repository (dist)
baseurl=https://packages.confluent.io/rpm/5.2/7
gpgcheck=1
gpgkey=https://packages.confluent.io/rpm/5.2/archive.key
enabled=1

[Confluent]
name=Confluent repository
baseurl=https://packages.confluent.io/rpm/5.2
gpgcheck=1
gpgkey=https://packages.confluent.io/rpm/5.2/archive.key
enabled=1

Clear the YUM caches and install Confluent Platform.

Confluent Platform:

sudo yum clean all && sudo yum install confluent-platform-2.12

Confluent Platform using only Confluent Community components:

sudo yum clean all &&  sudo yum install confluent-community-2.12

For Confluent Platform your output should resemble:

Dependency Installed:
confluent-camus.noarch 0:5.2.1-1
confluent-cli.noarch 0:5.2.1-1
confluent-common.noarch 0:5.2.1-1 
confluent-control-center.noarch 0:5.2.1-1   
confluent-control-center-fe.noarch 0:5.2.1-1   
confluent-kafka-2.12.noarch 0:5.2.1-1   
confluent-kafka-connect-elasticsearch.noarch 0:5.2.1-1   
confluent-kafka-connect-hdfs.noarch 0:5.2.1-1   
confluent-kafka-connect-jdbc.noarch 0:5.2.1-1   
confluent-kafka-connect-jms.noarch 0:5.2.1-1   
confluent-kafka-connect-replicator.noarch 0:5.2.1-1   
confluent-kafka-connect-s3.noarch 0:5.2.1-1   
confluent-kafka-connect-storage-common.noarch 0:5.2.1-1   
confluent-kafka-rest.noarch 0:5.2.1-1   
confluent-ksql.noarch 0:5.2.1-1   
confluent-rebalancer.noarch 0:5.2.1-1   
confluent-rest-utils.noarch 0:5.2.1-1   
confluent-schema-registry.noarch 0:5.2.1-1   
confluent-support-metrics.noarch 0:5.2.1-1 
Complete! 

Edit /bin/kafka-run-class, look for “KAFKA_JMX_OPTS” and add the following. Replace hostname with your host, and adjust the paths and passwords for your JKS files.

KAFKA_JMX_OPTS="
-Dcom.sun.management.jmxremote=true
-Djava.rmi.server.hostname=hostname
-Djava.net.preferIPv4Stack=true
-Dcom.sun.management.jmxremote.password.file=/opt/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/opt/jmxremote.access
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStore=/opt/keystore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=jconsole.truststore
-Djavax.net.ssl.trustStorePassword=password
"

Add the JMX port to the /bin/kafka-server-start file:

export JMX_PORT=${JMX_PORT:-9999}

It should look like:

export JMX_PORT=${JMX_PORT:-9999}
exec $base_dir/kafka-run-class $EXTRA_ARGS io.confluent.support.metrics.SupportedKafka "$@"

Generate the SSL certificates:

keytool -genkey -keyalg RSA -alias selfsigned -keystore /opt/keystore.jks -storepass password -validity 365 -keysize 2048

Fill in the requested information, then list the keystore:

keytool -list -v -keystore /opt/keystore.jks

Check the key alias, then run:

keytool -export -alias selfsigned -keystore /opt/keystore.jks -file jazz.cer -storepass password
keytool -import -alias jconsole -file jazz.cer -keystore jconsole.truststore -storepass password -noprompt

Start your console with:

jconsole -J-Djavax.net.ssl.trustStore=jconsole.truststore -J-Djavax.net.ssl.trustStorePassword=password service:jmx:rmi:///jndi/rmi://host:9999/jmxrmi

or on Windows:

jconsole.exe -J-Djavax.net.ssl.trustStore=jconsole.truststore -J-Djavax.net.ssl.trustStorePassword=password
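
The KAFKA_JMX_OPTS above point to /opt/jmxremote.password and /opt/jmxremote.access, which must exist before the broker starts. The script below is an added example, not part of the original post: it writes both files in the standard JDK format with owner-only permissions and then checks them. The function names, the user monitor and its password are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: create and validate the JMX password/access files.
# File layout used: "<user> <password>" and "<user> readonly|readwrite".

# write_jmx_auth DIR USER PASSWORD ROLE
write_jmx_auth() {
  local dir="$1" user="$2" pass="$3" role="$4"
  case "$role" in
    readonly|readwrite) ;;
    *) echo "role must be readonly or readwrite: $role" >&2; return 2 ;;
  esac
  # umask covers newly created files; chmod covers a pre-existing password file.
  ( umask 077
    printf '%s %s\n' "$user" "$pass" > "$dir/jmxremote.password"
    printf '%s %s\n' "$user" "$role" > "$dir/jmxremote.access" ) || return 1
  chmod 600 "$dir/jmxremote.password"
}

# check_jmx_auth DIR: returns 0 when the files are usable, else prints findings.
check_jmx_auth() {
  local dir="$1" rc=0 mode user
  mode=$(stat -c '%a' "$dir/jmxremote.password") || return 1   # GNU stat (RHEL/CentOS)
  case "$mode" in
    600|400) ;;
    *) echo "jmxremote.password has mode $mode; it must be readable by the owner only"; rc=1 ;;
  esac
  # Every user with a password needs a role, otherwise JMX access is denied for that user.
  while read -r user _ || [ -n "$user" ]; do
    case "$user" in ''|'#'*) continue ;; esac
    awk -v u="$user" '$1 == u && ($2 == "readonly" || $2 == "readwrite") { ok = 1 }
                      END { exit !ok }' "$dir/jmxremote.access" ||
      { echo "user $user has no role in jmxremote.access"; rc=1; }
  done < "$dir/jmxremote.password"
  return "$rc"
}

# Demo in a scratch directory with a constructed user and password.
demo_dir=$(mktemp -d)
write_jmx_auth "$demo_dir" monitor 'constructed-password' readonly
check_jmx_auth "$demo_dir" && echo "JMX auth files OK in $demo_dir"
```

For the paths used on this page, pass /opt as the directory and run the script as the account that starts the broker, since the JVM refuses a password file that other users can read.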