To use SSL encryption, you must do the following:

  • Obtain the bootstrap server endpoint (for the Pinot broker URL)
  • Obtain the server certificate, the client certificate, and the client key

  1. To locate the bootstrap server information for the broker URL, open the server.properties file.

    The location of the server.properties file varies depending on the operating system being used. Contact your server administrator if you cannot locate this file.

  2. Copy the entire line after bootstrap.servers that contains the list of bootstrap servers and ports. For example, copy hostname1:9092, hostname2:9092 from the following line:

     bootstrap.servers: hostname1:9092, hostname2:9092

  3. If you’re using SSL for authentication, obtain the server certificate, the client certificate, and the client key.

Obtain SSL details for Apache Kafka

To obtain your Certificate Authority (CA) (server certificate), the client certificate, and the client key for Apache Kafka, complete the following steps:

  1. This step is optional if you already have a Certificate Authority (CA) to sign with. To create a CA, run the following command on the Kafka server command line:

    openssl req -new -x509 -keyout ca-key -out ca-cert -days {validity}

  2. To generate the client certificate and client key, do the following:

    a. Enter the following command on the Kafka server command line:

    keytool -keystore {key_store_name}.jks -alias {key_store_name_alias} -keyalg RSA -validity {validity} -genkey

    The alias is just a short name for the key store; the same alias must be reused throughout these steps. Note the passwords you set for each keystore and truststore, since they are needed later.

    b. Answer the questions displayed at the interactive prompt. For the question "What is your first and last name?", enter the CN for your certificate.

    The Common Name (CN) must match the fully qualified domain name (FQDN) of the server to ensure that StarTree connects to the correct server. Refer to this page to find the FQDN based on the server type.

  3. To add the CA to the broker’s truststore, run the following on the Kafka server command line:

    keytool -keystore {broker_trust_store}.jks -alias CARoot -importcert -file ca-cert
    
  4. To sign the certificates with the CA file, do the following on the Kafka server command line:

    a. Export the certificate from the keystore:

    keytool -keystore {key_store_name}.jks -alias {key_store_name_alias} -certreq -file cert-file

    b. Sign the certificate with the CA:

    openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days {validity} -CAcreateserial -passin pass:{ca-password}

    c. Add the certificates back to the keystore:

    keytool -keystore {key_store_name}.jks -alias CARoot -importcert -file ca-cert

    keytool -keystore {key_store_name}.jks -alias {key_store_name_alias} -importcert -file cert-signed

    d. Extract the client certificate key from the keystore.

    i. Convert the keystore file from its existing .jks format to the PKCS12 (.p12) format for interoperability. To do this, enter the following command on the Kafka server command line:

    keytool -v -importkeystore -srckeystore {key_store_name}.jks -srcalias {key_store_name_alias} -destkeystore {key_store_name}.p12 -deststoretype PKCS12

    ii. Extract the client certificate key into a .pem file (the format StarTree Cloud uses):

    openssl pkcs12 -in {key_store_name}.p12 -nocerts -nodes > cert-key.pem

    iii. Go to the Kafka server folder with the Kafka truststore and keystore, and upload the following files to StarTree Cloud:

    • Client certificate: cert-signed
    • Client key: cert-key.pem
    • CA (server certificate): ca-cert

Renew Kafka SSL certificates

To renew your Apache Kafka SSL certificates, do the following:

  1. Update the SSL certificate entries in your Table configuration using Pinot APIs.
  2. Use the forceCommit API to flush the current consuming segments and start new Kafka consumers; the new consumers use the updated SSL certificates.