17.10 - SSL Support - Access Module

Teradata® Tools and Utilities Access Module Reference

Product
Access Module
Release Number
17.10
Published
October 2021
Language
English (United States)
Last Update
2021-11-02

The following are the steps used in Teradata's test environment to start the Kafka server and ZooKeeper server with SSL support.

  1. Create a new CA private key and self-signed certificate:
    openssl req -new -x509 -keyout <CA_CERT_NAME>.key -out <CA_CERT_NAME> -days <No_of_days> -passin "pass:<password>" -passout "pass:<password>"
  2. Create the truststore and keystore for the Kafka broker:
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -validity <No_of_days> -genkey
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.truststore.jks -alias CARoot -import -file <CA_CERT_NAME>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -certreq -file <broker_name>_cert-file
    openssl x509 -req -CA <CA_CERT_NAME> -CAkey <CA_CERT_NAME>.key -in <broker_name>_cert-file -out <broker_name>_cert-signed -days <No_of_days> -CAcreateserial -passin pass:<password>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias CARoot -import -file <CA_CERT_NAME>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -import -file <broker_name>_cert-signed
  3. Create the client keys:
    openssl genrsa -des3 -passout pass:<password> -out <client_name>_client.key 1024
    openssl req -passin pass:<password> -passout pass:<password> -key <client_name>_client.key -new -out <client_name>_client.req
    openssl x509 -req -passin pass:<password> -in <client_name>_client.req -CA <CA_CERT_NAME> -CAkey <CA_CERT_NAME>.key -CAserial <CA_CERT_NAME>.srl -out <client_name>_client.pem
    Note: a 1024-bit RSA key is shown for the test environment; current guidance is to generate at least a 2048-bit key for production use.

  Replace the contents in <> with actual values. Run the commands and provide the necessary values to create the CA certificate.

  Example: Create a new CA private key and self-signed certificate
    openssl req -new -x509 -keyout MYCERT.key -out MYCERT -days 365 -passin "pass:abcd1234" -passout "pass:abcd1234"
  Example: Create the truststore and keystore for the Kafka broker
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -validity 365 -genkey
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.truststore.jks -alias CARoot -import -file MYCERT
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -certreq -file sdl10684_cert-file
    openssl x509 -req -CA MYCERT -CAkey MYCERT.key -in sdl10684_cert-file -out sdl10684_cert-signed -days 365 -CAcreateserial -passin pass:abcd1234
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias CARoot -import -file MYCERT
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -import -file sdl10684_cert-signed
  Example: Create the client keys
    openssl genrsa -des3 -passout pass:abcd1234 -out sdl14957_client.key 1024
    openssl req -passin pass:abcd1234 -passout pass:abcd1234 -key sdl14957_client.key -new -out sdl14957_client.req
    openssl x509 -req -passin pass:abcd1234 -in sdl14957_client.req -CA MYCERT -CAkey MYCERT.key -CAserial MYCERT.srl -out sdl14957_client.pem
  4. Configure the Kafka broker.

    Update the server property file.

    1. Update the listeners parameter:
      #Normal SSL
      listeners=SSL://<<BROKER>>:<<PORT-NO>>

      #SSL with Kerberos
      listeners=SASL_SSL://<<BROKER>>:<<PORT-NO>>

    2. Include the following SSL parameters:
      #Normal SSL
      security.inter.broker.protocol=SSL

      #SSL with Kerberos
      security.inter.broker.protocol=SASL_SSL

      ssl.protocol = TLS
      # TLSv1 and TLSv1.1 are deprecated; for production, enable TLSv1.2 (or later) only
      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
      ssl.keystore.type = <<Keystore type>>
      ssl.keystore.location = <<Keystore File Location>>
      ssl.keystore.password = <<sslkeystorepassword>>
      ssl.key.password = <<sslkeypassword>>
      ssl.truststore.type = <<Trust store type>>
      ssl.truststore.location = <<Truststore File Location>>
      ssl.truststore.password = <<ssltruststorepassword>>
      # To require client certificate authentication use "required"; "requested" makes it optional and "none" disables it
      ssl.client.auth = required/requested/none
      For example:
      security.inter.broker.protocol=SSL
      ssl.protocol = TLS
      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
      ssl.keystore.type = JKS
      ssl.keystore.location = /tmp/CA_tests/sdl10684_server.keystore.jks
      ssl.keystore.password = abcd1234
      ssl.key.password = abcd1234
      ssl.truststore.type = JKS
      ssl.truststore.location = /tmp/CA_tests/sdl10684_server.truststore.jks
      ssl.truststore.password = abcd1234
      # To require client certificate authentication use "required"; "requested" makes it optional and "none" disables it
      ssl.client.auth = required
  5. Start the Zookeeper and Kafka server.
Add the following SSL parameters to the AccessModuleKafka initialization string (AccessModuleInitStr) in the TPT script:
#Normal SSL
AccessModuleInitStr = '-X security.protocol=ssl -X ssl.ca.location=<path-for-cacert>/<CA_CERT_NAME>
                       -X ssl.certificate.location=<path-for-pemfile>/<.pem>
                       -X ssl.key.location=<path-for-clientkey>/<clientkey> -X ssl.key.password=<password>'

#SSL with Kerberos
AccessModuleInitStr = '-X security.protocol=SASL_SSL
                       -X sasl.kerberos.keytab=/etc/security/keytabs/CLIENT_HOST.keytab
                       -X sasl.kerberos.principal=CLIENT_NAME/CLIENT_HOST_FQDN
                       -X ssl.ca.location=<path-for-cacert>/<CA_CERT_NAME>
                       -X ssl.certificate.location=<path-for-pemfile>/<.pem>
                       -X ssl.key.location=<path-for-clientkey>/<clientkey> -X ssl.key.password=<password>'

For example:
AccessModuleInitStr = '-X security.protocol=ssl -X ssl.ca.location=/tmp/CA_tests/MYCERT 
                       -X ssl.certificate.location=/tmp/CA_tests/sdl14957_client.pem
                       -X ssl.key.location=/tmp/CA_tests/sdl14957_client.key -X ssl.key.password=abcd1234'
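The broker properties in step 4 and the AccessModuleInitStr above must agree with each other (listener scheme versus security.protocol, ssl.client.auth=required versus a client certificate being supplied) and should not enable deprecated TLS versions. The following is an added example, not Teradata's own code, that lints both pieces of configuration for those mistakes; the broker host name and port in the sample, and the WEAK_TLS and CLIENT_AUTH_VALUES sets, are constructed here and are not taken from the page.

```python
import shlex

# Constructed sample, taken from the broker "For example" block on this page.
BROKER_PROPS = """
listeners=SSL://broker.example.test:9093
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.location = /tmp/CA_tests/sdl10684_server.keystore.jks
ssl.client.auth = required
"""
# Constructed sample, taken from the AccessModuleInitStr "For example" block.
INIT_STR = ("-X security.protocol=ssl -X ssl.ca.location=/tmp/CA_tests/MYCERT "
            "-X ssl.certificate.location=/tmp/CA_tests/sdl14957_client.pem "
            "-X ssl.key.location=/tmp/CA_tests/sdl14957_client.key -X ssl.key.password=abcd1234")
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}                # deprecated protocol versions (RFC 8996)
CLIENT_AUTH_VALUES = {"required", "requested", "none"}  # values Kafka accepts for ssl.client.auth

def parse_properties(text):
    """Parse Java-style key=value lines; '#' comment lines and spaces around '=' are allowed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_init_str(init_str):
    """Split the '-X key=value' pairs of an AccessModuleInitStr into a dict."""
    tokens = shlex.split(init_str)
    pairs = {}
    for flag, kv in zip(tokens[::2], tokens[1::2]):
        if flag != "-X":
            raise ValueError("unexpected token %r in init string" % flag)
        key, _, value = kv.partition("=")
        pairs[key] = value
    return pairs

def lint(broker, client):
    """Return findings about the broker/client SSL pairing; an empty list means nothing was flagged."""
    findings = []
    enabled = {p.strip() for p in broker.get("ssl.enabled.protocols", "").split(",")}
    if enabled & WEAK_TLS:
        findings.append("weak TLS versions enabled: " + ", ".join(sorted(enabled & WEAK_TLS)))
    auth = broker.get("ssl.client.auth", "none")
    if auth not in CLIENT_AUTH_VALUES:
        findings.append("invalid ssl.client.auth value: %r" % auth)
    elif auth != "required":
        findings.append("ssl.client.auth=%s: client certificates are not enforced" % auth)
    scheme = broker.get("listeners", "").split("://", 1)[0].upper()  # SSL or SASL_SSL
    if scheme and client.get("security.protocol", "").upper() != scheme:
        findings.append("listener is %s but client security.protocol=%s" % (scheme, client.get("security.protocol", "<unset>")))
    for key in ("ssl.ca.location", "ssl.certificate.location", "ssl.key.location"):
        if key not in client:
            findings.append("init string lacks " + key)
    return findings
```

Running lint(parse_properties(BROKER_PROPS), parse_init_str(INIT_STR)) on the page's own example values flags only the TLSv1/TLSv1.1 entries; a SASL_SSL listener paired with the plain-SSL init string is reported as a protocol mismatch.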