SSL Support - Access Module

Teradata® Tools and Utilities Access Module Reference

Product: Access Module
Release Number: 16.20
Published: November 2020
Language: English (United States)
Last Update: 2020-11-18
dita:id: B035-2425
lifecycle: previous
Product Category: Teradata Tools and Utilities

The following are the steps used in Teradata's test environment to start the Kafka server and ZooKeeper server with SSL support. Replace the contents in <> with actual values, run the commands, and provide the values prompted for to create the CA certificate.

  1. Create a new private key and self-signed certificate for the CA:
    openssl req -new -x509 -keyout <CA_CERT_NAME>.key -out <CA_CERT_NAME> -days <No_of_days> -passin "pass:<password>" -passout "pass:<password>"
    Example:
    openssl req -new -x509 -keyout MYCERT.key -out MYCERT -days 365 -passin "pass:abcd1234" -passout "pass:abcd1234"
  2. Create Truststore and Keystore for Kafka Broker:
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -validity <No_of_days> -genkey
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.truststore.jks -alias CARoot -import -file <CA_CERT_NAME>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -certreq -file <broker_name>_cert-file
    openssl x509 -req -CA <CA_CERT_NAME> -CAkey <CA_CERT_NAME>.key -in <broker_name>_cert-file -out <broker_name>_cert-signed -days <No_of_days> -CAcreateserial -passin pass:<password>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias CARoot -import -file <CA_CERT_NAME>
    keytool -storepass <password> -keypass <password> -keystore <broker_name>_server.keystore.jks -alias localhost -import -file <broker_name>_cert-signed
    Example:
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -validity 365 -genkey
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.truststore.jks -alias CARoot -import -file MYCERT
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -certreq -file sdl10684_cert-file
    openssl x509 -req -CA MYCERT -CAkey MYCERT.key -in sdl10684_cert-file -out sdl10684_cert-signed -days 365 -CAcreateserial -passin pass:abcd1234
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias CARoot -import -file MYCERT
    keytool -storepass abcd1234 -keypass abcd1234 -keystore sdl10684_server.keystore.jks -alias localhost -import -file sdl10684_cert-signed
  3. Create client keys:
    openssl genrsa -des3 -passout pass:<password> -out <client_name>_client.key 1024
    openssl req -passin pass:<password> -passout pass:<password> -key <client_name>_client.key -new -out <client_name>_client.req
    openssl x509 -req -passin pass:<password> -in <client_name>_client.req -CA <CA_CERT_NAME> -CAkey <CA_CERT_NAME>.key -CAserial <CA_CERT_NAME>.srl -out <client_name>_client.pem
    Example:
    openssl genrsa -des3 -passout pass:abcd1234 -out sdl14957_client.key 1024
    openssl req -passin pass:abcd1234 -passout pass:abcd1234 -key sdl14957_client.key -new -out sdl14957_client.req
    openssl x509 -req -passin pass:abcd1234 -in sdl14957_client.req -CA MYCERT -CAkey MYCERT.key -CAserial MYCERT.srl -out sdl14957_client.pem
  4. Configure the Kafka broker by updating the server property file.
    1. Update the listeners parameter:
      #Normal SSL
      listeners=SSL://<<BROKER>>:<<PORT-NO>>

      #SSL with Kerberos
      listeners=SASL_SSL://<<BROKER>>:<<PORT-NO>>
    2. Include the following SSL parameters:
      #Normal SSL
      security.inter.broker.protocol=SSL

      #SSL with Kerberos
      security.inter.broker.protocol=SASL_SSL

      ssl.protocol = TLS
      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
      ssl.keystore.type = <<Keystore type>>
      ssl.keystore.location = <<Keystore File Location>>
      ssl.keystore.password = <<sslkeystorepassword>>
      ssl.key.password = <<sslkeypassword>>
      ssl.truststore.type = <<Truststore type>>
      ssl.truststore.location = <<Truststore File Location>>
      ssl.truststore.password = <<ssltruststorepassword>>
      # To require authentication of clients use "required", else "none" or "requested"
      ssl.client.auth = required/none/requested
      For example:
      security.inter.broker.protocol=SSL
      ssl.protocol = TLS
      ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
      ssl.keystore.type = JKS
      ssl.keystore.location = /tmp/CA_tests/sdl10684_server.keystore.jks
      ssl.keystore.password = abcd1234
      ssl.key.password = abcd1234
      ssl.truststore.type = JKS
      ssl.truststore.location = /tmp/CA_tests/sdl10684_server.truststore.jks
      ssl.truststore.password = abcd1234
      # To require authentication of clients use "required", else "none" or "requested"
      ssl.client.auth = required
  5. Start the ZooKeeper and Kafka servers.

Update the AccessModuleKafka initialization string in the TPT script to include the additional SSL parameters, as follows:
#Normal SSL
AccessModuleInitStr = '-X security.protocol=ssl -X ssl.ca.location=<path-for-cacert>/<CA_CERT_NAME>
                       -X ssl.certificate.location=<path-for-pemfile>/<.pem>
                       -X ssl.key.location=<path-for-clientkey>/<clientkey> -X ssl.key.password=<password>'

#SSL with Kerberos
AccessModuleInitStr = '-X security.protocol=SASL_SSL
                       -X sasl.kerberos.keytab=/etc/security/keytabs/CLIENT_HOST.keytab
                       -X sasl.kerberos.principal=CLIENT_NAME/CLIENT_HOST_FQDN
                       -X ssl.ca.location=<path-for-cacert>/<CA_CERT_NAME>
                       -X ssl.certificate.location=<path-for-pemfile>/<.pem>
                       -X ssl.key.location=<path-for-clientkey>/<clientkey> -X ssl.key.password=<password>'

For example:
AccessModuleInitStr = '-X security.protocol=ssl -X ssl.ca.location=/tmp/CA_tests/MYCERT
                       -X ssl.certificate.location=/tmp/CA_tests/sdl14957_client.pem
                       -X ssl.key.location=/tmp/CA_tests/sdl14957_client.key -X ssl.key.password=abcd1234'