List of attachments

|| Kind || Attachment Name || Size || Version || Date Modified || Author || Change note
| jar | kafka-clients.jar | 9,187.7 kB | 2 | 26-May-2025 10:05 | krivacsz |
| jar | kafka-streams.jar | 2,023.8 kB | 2 | 26-May-2025 10:05 | krivacsz |
| png | kafka_custom_config.png | 214.3 kB | 1 | 05-Dec-2023 05:32 | krivacsz |
| png | kafka_task.png | 79.1 kB | 1 | 05-Dec-2023 05:32 | krivacsz |

This page (revision-66) was last changed on 09-Jun-2025 03:30 by krivacsz

This page was created on 05-Dec-2023 05:32 by krivacsz

Difference between version and

At line 1 changed one line
!!Kafka task
!!!Kafka task
At line 57 changed one line
__ KafkaTask SASL properties Explained__:\\
!! KafkaTask SASL properties Explained:\\
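Review bot: the new heading `!! KafkaTask SASL properties Explained:\\` still carries the leading space and the trailing `:\\` from the bold-text line it replaces. A heading needs neither a closing colon nor a forced line break, so suggest `!!KafkaTask SASL properties explained`; the heading changed at line 82 has the same leftover.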
At line 82 changed one line
__Kafka Security Protocols__:\\
! Kafka Security Protocols:\\
\\
----
At line 86 added one line
----
At line 109 added one line
----
At line 130 added 28 lines
----
• __SASL with GSSAPI / Kerberos__: SASL/GSSAPI leverages Kerberos to perform strong, mutual authentication: clients obtain a service ticket from the KDC and present it to the broker, eliminating the need to send passwords over the wire. Once authenticated, it can be combined with SSL to provide both encryption and integrity for all Kafka traffic. This mechanism is ideal in enterprise environments where centralized credential management and single‐sign‐on are required.\\
\\
When using CrushFTP’s KafkaTask with Kerberos, you can authenticate via a __keytab__. Example:\\
{{{
# Authentication related settings
security.protocol=SASL_SSL
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
useKeyTab=true \
keyTab="/etc/security/kafka.keytab" \
principal="kafka@LMINT.COM";
# SSL Truststore (to verify the Kafka server cert)
ssl.truststore.location=/etc/security/kafka.server.truststore.jks
ssl.truststore.password=truststorepass
# Optional: mutual TLS if broker demands it
ssl.keystore.location=/etc/security/client.keystore.jks
ssl.keystore.password=clientpass
ssl.key.password=clientpass
}}}\\
__Key points for GSSAPI / Kerberos setups__:\\
1. /etc/krb5.conf must define your realm and KDC.\\
2.Make sure your keytab contains the exact Kafka service principal (in our example kafka@LMINT.COM). Without that entry (and the correct KVNO [Wikipedia :Key Version Number Link|https://en.wikipedia.org/wiki/Kerberos_(protocol)#Key_Version_Number_(KVNO)]), the broker won’t be able to decrypt or verify incoming GSSAPI tickets.\\
3. When you enable ssl.client.auth=required on the broker, every client must present a valid TLS certificate during the handshake. Make sure each client has a keystore containing its private key and signed certificate, and a truststore that includes the CA (or broker) certificate, so both sides can authenticate and encrypt the connection -> SSL keystore/truststore files must exist and match your broker’s certificates.\\
----
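Review bot: key point 2 conflates the client and broker sides of Kerberos. The sample's `keyTab=` and `principal="kafka@LMINT.COM"` sit in the KafkaTask client's `sasl.jaas.config`, so that keytab has to hold the principal the task logs in as, while the key the broker uses to decrypt incoming GSSAPI tickets lives in the broker's own keytab under the service principal that `sasl.kerberos.service.name=kafka` refers to. Suggest splitting point 2 into those two statements and using a client principal name in the sample that cannot be mistaken for the broker's service principal. Smaller points in the same list: "2.Make" is missing a space, the link text "Wikipedia :Key Version Number Link" has a stray space before the colon, and the trailing "-> SSL keystore/truststore files must exist ..." in point 3 reads better as its own sentence or a fourth item. Point 3 also treats the client keystore as mandatory under `ssl.client.auth=required`, so the sample's comment "Optional: mutual TLS if broker demands it" could name that broker setting directly.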