Configure SSL/TLS for the MongoDB Kafka Connector¶
Overview¶
This guide shows you how to configure the worker that runs your MongoDB Kafka Source or Sink Connector to use SSL/TLS certificates when it connects to a MongoDB cluster. An SSL/TLS-secured connection encrypts the network traffic between the connector and the cluster and lets the worker verify the identity of the cluster (and, when a client certificate is used, lets the cluster verify the worker). To enable it, create the certificates, store them in a key store and a trust store on the worker host, and give the connector the paths and passwords it needs to open those stores.
If your MongoDB cluster is hosted on MongoDB Atlas, or does not explicitly require SSL/TLS certificates to connect, you can already connect securely and do not need to follow the steps in this guide.
Set up your Trust Store and Key Store¶
Each host that runs a Kafka Connector worker instance needs a key store and a trust store to hold its SSL/TLS credentials.
The key store is a password-protected database that contains the worker's private key and the Certificate Authority (CA)-signed certificate that proves the worker's identity to the MongoDB cluster.
The trust store is a password-protected database that contains the certificates of the parties the worker trusts, such as CA root or intermediate certificates and, where required, your MongoDB cluster's end entity certificate.
Key Store¶
If your SSL/TLS configuration requires a client certificate to connect, generate a private key and obtain a client certificate for it, bundled with the intermediate CA certificate that issued it. You can use openssl to package the private key and the bundled certificate into a PKCS #12 file that serves as your key store:
openssl pkcs12 -export -inkey <private key> -in <bundled certificate> -out <output pkcs12 file>
openssl prompts for an export password; this becomes the key store password that you later supply to the worker.
Trust Store¶
Use the keytool application included in your Java installation to import the certificates of the parties you trust into the trust store:
keytool -import -trustcacerts -alias <alias> -file <root or intermediate CA certificate> -keystore <truststore name>
Each imported certificate needs its own alias. keytool prompts for the trust store password and creates the trust store file if it does not exist yet.
If your SSL/TLS configuration requires the end entity certificate for your MongoDB cluster, import it into the same trust store:
keytool -import -alias <alias> -file <server bundled certificate> -keystore <truststore name>
For more information on how to set up a client key store and trust store for testing purposes, see OpenSSL Client Certificates for Testing.
Configure Your JVM Options¶
The MongoDB Kafka Connector worker process reads JVM options from the KAFKA_OPTS environment variable. Export the following JVM options in KAFKA_OPTS, substituting your own values for the placeholders, before you launch the worker instance:
export KAFKA_OPTS="-Djavax.net.ssl.trustStore=<path to truststore> \
-Djavax.net.ssl.trustStorePassword=<truststore password> \
-Djavax.net.ssl.keyStore=<path to keystore> \
-Djavax.net.ssl.keyStorePassword=<keystore password>"
These options are passed on the JVM command line, so the store passwords are visible to anyone who can list processes on the host. Restrict access to the worker host accordingly and protect the store files with file system permissions.
After you configure the KAFKA_OPTS variable, the connector uses the certificates in your key store and trust store whenever it opens an SSL/TLS connection. The JVM options only supply the key and trust material; whether a connection uses TLS at all is decided by the connection string, so make sure the connector's connection.uri requests TLS (for example with the tls=true option).
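The whole procedure from this guide, end to end, as an added example that is not part of the MongoDB Kafka Connector documentation or code: a POSIX shell script that generates a throwaway CA and client certificate with openssl, packages them into a PKCS #12 key store, imports the CA into a trust store with keytool, and builds the KAFKA_OPTS value. The certificate names, the alias test-ca, the file names and the demo password are all assumptions made for the example; in a real deployment the client certificate comes from your organisation's CA and the passwords from a secrets store.

```shell
#!/bin/sh
# Added example, not part of the MongoDB Kafka Connector documentation or code.
# Builds a throwaway test PKI with openssl, packages the client identity as a
# PKCS #12 key store, imports the CA into a trust store with keytool, and
# assembles the KAFKA_OPTS string. The CA name "test-ca", the client name
# "kafka-connect-client", the alias and the password are made up for this demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
STORE_PASS=${STORE_PASS:-demo-store-password}

# Step 1: a self-signed test CA and a client certificate it signs.
# In production only the key is generated locally; the certificate comes from your real CA.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kafka-connect-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" 2>/dev/null
    # The "bundled certificate" from the guide: end-entity cert first, then its issuer.
    cat "$dir/client.pem" "$dir/ca.pem" > "$dir/client-bundle.pem"
}

# Step 2: key store. -passout sets the export (key store) password non-interactively.
make_keystore() {
    dir=$1
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client-bundle.pem" \
        -name kafka-connect-client -out "$dir/keystore.p12" -passout "pass:$STORE_PASS"
}

# Check: read the client certificate back out of the key store and print its subject.
keystore_subject() {
    dir=$1
    openssl pkcs12 -in "$dir/keystore.p12" -passin "pass:$STORE_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Step 3: trust store. keytool creates the PKCS #12 file on the first import;
# -noprompt skips the interactive "Trust this certificate?" question.
make_truststore() {
    dir=$1
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping trust store creation" >&2
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias test-ca -file "$dir/ca.pem" \
        -keystore "$dir/truststore.p12" -storetype PKCS12 -storepass "$STORE_PASS"
}

# Step 4: the JVM options the worker reads from KAFKA_OPTS.
build_kafka_opts() {
    dir=$1
    printf '%s %s %s %s' \
        "-Djavax.net.ssl.trustStore=$dir/truststore.p12" \
        "-Djavax.net.ssl.trustStorePassword=$STORE_PASS" \
        "-Djavax.net.ssl.keyStore=$dir/keystore.p12" \
        "-Djavax.net.ssl.keyStorePassword=$STORE_PASS"
}

make_test_pki "$WORK"
make_keystore "$WORK"
make_truststore "$WORK"
# Sanity checks: the client certificate chains to the CA, and the key store opens.
openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem"
keystore_subject "$WORK"
KAFKA_OPTS=$(build_kafka_opts "$WORK")
export KAFKA_OPTS
# The passwords are now in the environment and will appear on the JVM command line;
# they are deliberately not echoed here.
echo "stores written to $WORK; KAFKA_OPTS set"
```

Run the script, then start the worker from the same shell so it inherits KAFKA_OPTS. OpenSSL 3 writes PKCS #12 files with modern encryption that current JVMs read; if the worker runs on an old JVM that rejects the key store, re-run the export with the -legacy option of openssl pkcs12 or upgrade the JVM.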