Giampaolo,

You can set up two listeners on the broker with protocols SSL and SASL_SSL. And set *ssl.client.auth=required*, *security.inter.broker.protocol=SSL*. This performs SSL client authentication on the SSL channel and SASL authentication on the SASL_SSL channel. Inter-broker connections are encrypted and use certificate-based authentication since they are using the SSL channel. Other producers and consumers connecting using the SASL_SSL channel are encrypted and will be authenticated using SASL, so these clients do not require a keystore.
Hope that helps.

On Mon, May 9, 2016 at 2:58 PM, Giampaolo Trapasso <giampaolo.trapa...@radicalbit.io> wrote:

> Hi to all,
>
> I successfully put my simple Kafka cluster under TLS following the official
> documentation.
> So in the current configuration, inter-broker communication is done through SSL
> (security.inter.broker.protocol=SSL) and client authentication is required
> (ssl.client.auth=required).
>
> I would like to know if, with these options, every broker is also
> authenticating itself, besides doing encrypted communication. That is, if
> with ssl.client.auth we mean both brokers and consumers/producers.
>
> Moreover, I would like to know if it is possible to authenticate
> consumers/producers through SASL/Kerberos while keeping inter-broker
> authentication/communication through TLS.
>
> I read the Ismael Juma tutorial on this (
> http://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption
> ).
> It points in this direction, but there's something I did not fully
> understand. For example, if a consumer authenticates with Kerberos, the client
> keystore should not be provided in the configuration and ssl.client.auth should
> be false on the server (unless it is required for brokers).
>
> Thank you in advance for any kind of help and explanation.
>
> Giampaolo

--
Regards,
Rajini
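The two-listener layout Rajini describes, written out as broker and client property files. This is an added example, not configuration from the thread or from the Kafka project; hostnames, file paths and passwords are placeholders, and it assumes Kafka 0.10+ property names with the Kerberos principals supplied through a JAAS file passed via -Djava.security.auth.login.config.

```properties
# ---- broker: server.properties (added example; placeholder hosts, paths, passwords) ----
# One listener per authentication mode: SSL for brokers (mutual TLS),
# SASL_SSL for producers/consumers (Kerberos over TLS).
listeners=SSL://broker1.example.internal:9093,SASL_SSL://broker1.example.internal:9094
advertised.listeners=SSL://broker1.example.internal:9093,SASL_SSL://broker1.example.internal:9094

# Brokers reach each other over the SSL listener, so they authenticate with certificates.
security.inter.broker.protocol=SSL

# The broker's own certificate, presented to peers and to clients on both listeners.
ssl.keystore.location=/etc/kafka/ssl/broker1.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
# Trust anchors used to verify the certificates of the other brokers.
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=CHANGE_ME

# Require a client certificate on the SSL listener. The broker does not apply this to the
# SASL_SSL listener, where SASL supplies the authentication, so Kerberos clients present
# no certificate and need no keystore.
ssl.client.auth=required

# Kerberos (GSSAPI) for the SASL_SSL listener; the broker principal/keytab come from the
# KafkaServer section of the JAAS file.
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka

# ---- client: consumer.properties (added example) ----
security.protocol=SASL_SSL
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
# Truststore only: the client verifies the broker's certificate but has none of its own;
# its identity comes from the Kerberos ticket named in the KafkaClient JAAS section.
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=CHANGE_ME
```

A quick check of the split: a TLS handshake against port 9093 without a client certificate should fail, while the same client connecting to 9094 completes the handshake and is then challenged by SASL.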