17.10 - SSL Support - Access Module

Teradata® Tools and Utilities Access Module Reference

October 2021

The following are the steps used in Teradata's test environment to start the Kafka server and ZooKeeper server with SSL support.

  1. Create the CA private key and self-signed certificate:
    openssl req -new -x509 -keyout <CA_CERT_NAME>.key -out <CA_CERT_NAME> -days <No_of_days> -passin "pass:<password>" -passout "pass:<password>"
  2. Create Truststore and Keystore for Kafka Broker:
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -validity <No_of_days> -genkey
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.truststore.jks -alias CARoot -import -file <CA_CERT_NAME>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -certreq -file <broker_name>_cert-file
    openssl x509 -req -CA <CA_CERT_NAME> -CAkey <CA_CERT_NAME>.key -in <broker_name>_cert-file -out <broker_name>_cert-signed -days <No_of_days> -CAcreateserial -passin pass:<password>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias CARoot -import -file <CA_CERT_NAME>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -import -file <broker_name>_cert-signed
  3. Create client keys:
    openssl genrsa -des3 -passout pass:<password> -out <client_name>_client.key 1024
    openssl req -passin pass:<password> -passout pass:<password> -key <client_name>_client.key -new -out <client_name>_client.req
    openssl x509 -req -passin pass:<password> -in <client_name>_client.req -CA <CA_CERT_NAME> -CAkey <CA_CERT_NAME>.key -CAserial <CA_CERT_NAME>.srl -out <client_name>_client.pem
    Replace the placeholders in <> with actual values, then run the commands and supply the values they prompt for to create the CA certificate. The 1024-bit RSA key size in the client example is below current minimum recommendations; use 2048 bits or more outside a test environment.
    Example: Create the CA private key and self-signed certificate
    openssl req -new -x509 -keyout MYCERT.key -out MYCERT -days 365 -passin "pass:abcd1234" -passout "pass:abcd1234"
    Example: Create Truststore and Keystore for Kafka broker:
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -validity 365 -genkey
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.truststore.jks -alias CARoot -import -file MYCERT
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -certreq -file sdl10684_cert-file
    openssl x509 -req -CA MYCERT -CAkey MYCERT.key -in sdl10684_cert-file -out sdl10684_cert-signed -days 365 -CAcreateserial -passin pass:abcd1234
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias CARoot -import -file MYCERT
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -import -file sdl10684_cert-signed
    Example: Create client keys
    openssl genrsa -des3 -passout pass:abcd1234 -out sdl14957_client.key 1024
    openssl req -passin pass:abcd1234 -passout pass:abcd1234 -key sdl14957_client.key -new -out sdl14957_client.req
    openssl x509 -req -passin pass:abcd1234 -in sdl14957_client.req -CA MYCERT -CAkey MYCERT.key -CAserial MYCERT.srl -out sdl14957_client.pem
  4. Configure the Kafka broker.

    Update the server property file.

    1. Update the listeners parameter:
      #Normal SSL
      #SSL with Kerberos
    2. Include the following SSL parameters.
      #Normal SSL
      #SSL with Kerberos
      ssl.protocol = TLS
      ssl.keystore.type = <<Keystore type>>
      ssl.keystore.location = <<Keystore File Location>>
      ssl.keystore.password = <<sslkeystorepassword>>
      ssl.key.password = <<sslkeypassword>>
      ssl.truststore.type = <<Truststore type>>
      ssl.truststore.location = <<Truststore File Location>>
      ssl.truststore.password = <<ssltruststorepassword>>
      # To require authentication of clients use "required"; otherwise use "none" or "requested"
      ssl.client.auth = required/none/requested
      For example:
      ssl.protocol = TLS
      ssl.keystore.type = JKS
      ssl.keystore.location = /tmp/CA_tests/sdl10684_server.keystore.jks
      ssl.keystore.password = abcd1234
      ssl.key.password = abcd1234
      ssl.truststore.type = JKS
      ssl.truststore.location = /tmp/CA_tests/sdl10684_server.truststore.jks
      ssl.truststore.password = abcd1234
      # To require authentication of clients use "required"; otherwise use "none" or "requested"
      ssl.client.auth = required
  5. Start the Zookeeper and Kafka server.
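Before restarting the broker in step 5 it is worth checking the property file for the mistakes that leave the listener unauthenticated. The following checker is an added example and is not Teradata's code: it parses the key=value lines from step 4 and reports a missing SSL listener, missing store settings, a misspelled or weak ssl.client.auth value, or an unexpected store type. Both property samples are constructed (the SSL listener on port 9093 is an assumption); the paths and passwords reuse the page's example values.

```python
"""Check the SSL settings in a Kafka broker server.properties file.

Added example, not Teradata's code: it parses the key=value lines that step 4
tells you to add and reports anything that would leave the SSL listener
misconfigured or without client authentication.  The two property samples
below are constructed; the paths and passwords reuse the page's example values.
"""
import re
from typing import Dict, List

# Kafka accepts exactly these values for ssl.client.auth ("requested", not "request").
VALID_CLIENT_AUTH = {"required", "requested", "none"}
REQUIRED_KEYS = (
    "ssl.keystore.location", "ssl.keystore.password", "ssl.key.password",
    "ssl.truststore.location", "ssl.truststore.password",
)

# Constructed sample: the page's "For example" block plus an SSL listener (assumed port).
SAMPLE_OK = """
listeners=SSL://localhost:9093
ssl.protocol = TLS
ssl.keystore.type = JKS
ssl.keystore.location = /tmp/CA_tests/sdl10684_server.keystore.jks
ssl.keystore.password = abcd1234
ssl.key.password = abcd1234
ssl.truststore.type = JKS
ssl.truststore.location = /tmp/CA_tests/sdl10684_server.truststore.jks
ssl.truststore.password = abcd1234
# To require authentication of clients use "required", else "none" or "requested"
ssl.client.auth = required
"""

# Constructed sample with three mistakes: plaintext listener, no key password,
# and the invalid spelling "request".
SAMPLE_BAD = """
listeners=PLAINTEXT://localhost:9092
ssl.keystore.location = /tmp/CA_tests/sdl10684_server.keystore.jks
ssl.keystore.password = abcd1234
ssl.truststore.location = /tmp/CA_tests/sdl10684_server.truststore.jks
ssl.truststore.password = abcd1234
ssl.client.auth = request
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style properties: '#' comments, key=value, optional spaces around '='."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ssl_config(props: Dict[str, str]) -> List[str]:
    """Return findings for the broker SSL block; an empty list means it looks sound."""
    findings: List[str] = []
    if not re.search(r"\b(SSL|SASL_SSL)://", props.get("listeners", "")):
        findings.append("listeners: no SSL:// or SASL_SSL:// endpoint configured")
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"{key}: missing or empty")
    auth = props.get("ssl.client.auth", "none")
    if auth not in VALID_CLIENT_AUTH:
        findings.append(f"ssl.client.auth: {auth!r} is not one of {sorted(VALID_CLIENT_AUTH)}")
    elif auth != "required":
        findings.append("ssl.client.auth: clients are not forced to present a certificate (no mutual TLS)")
    for key in ("ssl.keystore.type", "ssl.truststore.type"):
        store_type = props.get(key, "JKS")
        if store_type.upper() not in {"JKS", "PKCS12"}:
            findings.append(f"{key}: unexpected store type {store_type!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("OK", SAMPLE_OK), ("BAD", SAMPLE_BAD)):
        print(name, check_ssl_config(parse_properties(sample)) or "no findings")
```

Run it against the real server.properties by reading the file into parse_properties; a non-empty result from check_ssl_config is worth resolving before the broker is started, because a PLAINTEXT listener or ssl.client.auth=none silently leaves the test setup without the mutual authentication the client certificates were created for.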
To use SSL, add the SSL parameters to the AccessModuleKafka initialization string (AccessModuleInitStr) in the TPT script as follows:
#Normal SSL
AccessModuleInitStr = '-X security.protocol=ssl -X ssl.ca.location=<path-for-cacert>/<CA_CERT_NAME> 
                       -X ssl.certificate.location=<path-for-pemfile>/<.pem>
                       -X ssl.key.location=<path-for-clientkey>/<clientkey> -X ssl.key.password=<password>'
#SSL with Kerberos

AccessModuleInitStr = '-X security.protocol=SASL_SSL 
                       -X sasl.kerberos.keytab=/etc/security/keytabs/CLIENT_HOST.keytab 
                       -X sasl.kerberos.principal=CLIENT_NAME/CLIENT_HOST_FQDN 
                       -X ssl.ca.location=<path-for-cacert>/<CA_CERT_NAME> 
                       -X ssl.certificate.location=<path-for-pemfile>/<.pem>
                       -X ssl.key.location=<path-for-clientkey>/<clientkey> -X ssl.key.password=<password>'
For example:
AccessModuleInitStr = '-X security.protocol=ssl -X ssl.ca.location=/tmp/CA_tests/MYCERT 
                       -X ssl.certificate.location=/tmp/CA_tests/sdl14957_client.pem
                       -X ssl.key.location=/tmp/CA_tests/sdl14957_client.key -X ssl.key.password=abcd1234'