Depending on the environment, Conduktor might need to access external services like Kafka clusters, SSO servers, database, or object-storage that require custom certificate for SSL/TLS communication.
The following table gives you an overview of what's currently supported and the methods to configure it:
- From the UI (recommended): From Conduktor Console, you can manage you certificates in a dedicated screen. You can also configure SSL authentication from the broker setup wizard.
- Volume mount: This method is only required if you have LDAPS. Do not use it for Kafka or Kafka components.
|Schema Registry / Kafka Connect
|SSL to secure data in transit
|SSL to authenticate the client
- Using the Conduktor Certificate Store
- Recommended for Kafka, Kafka Connect and Schema Registry connections
- Mounting Custom Truststore
- Recommended for SSO, DB or other external services requiring SSL/TLS communication
- Client Certificate Authentication
- Recommended for mTLS; import your keystore file
Using the Conduktor Certificate Store
You can manage custom certificates for Kafka, Kafka Connect and Schema Registry through the Console UI. This enables you to import and parse the certificates as text or files. The supported file formats are:
Uploading certificates in the cluster configuration screen
Assuming you have appropriate permissions, you can add cluster configurations from within Admin. When you add the bootstrap server to your configuration, a check will be made to validate if the certificate is issued by a valid authority.
If the response indicates the certificate is not issued by a valid authority, you have two options:
- Skip SSL Check: This will skip validation of the SSL certificate on your server. This is an easy option for development environments with self-signed certificates
- Upload Certificate: This option will enable you to upload the certificate (.crt, .pem, .jks or .p12 files), or paste the certificate as text
Upon uploading the certificate, you should then see the green icon indicating connection is secure.
Adding certificates in the dedicated certificates screen
Provided you have permissions, you can also manage organization certificates via the Certificates tab within Admin.
Simply add all of your certificates by uploading them or pasting them as text. In doing this, the SSL context will be derived when you configure Kafka, Kafka Connect and Schema Registry connections.
Mounting Custom Truststore
1.5.0 Conduktor supports SSL/TLS connections using Java Truststore. The below details how to mount a custom truststore when starting Conduktor.
Create TrustStore (jks) from certificate in pem format
If you already have a truststore, you can ignore this step.
For that you need a
keytool program that is usually packaged on JDK distributions and a certificate in PEM format (
-keystore ./truststore.jks \ # Output truststore jks file
-alias "my-domain.com" \ # Certificate alias inside the truststore (usually the certificate subject)
-file ./my-certificate-file.pem \ # Input certificate file
-storepass changeit \ # Truststore password
Configure custom truststore on Conduktor Console
For that we need to mount the truststore file into the conduktor-platform container and pass the correct environment variables for locating truststore file inside the container and password if needed.
Assuming that truststore file is named
truststore.jks with password
We mount truststore file into
/opt/conduktor/certs/truststore.jks inside the container.
If run from docker :
docker run --rm \
--mount "type=bind,source=$PWD/truststore.jks,target=/opt/conduktor/certs/truststore.jks" \
-e CDK_SSL_TRUSTSTORE_PATH="/opt/conduktor/certs/truststore.jks" \
-e CDK_SSL_TRUSTSTORE_PASSWORD="changeit" \
From docker-compose :
- type: bind
Client Certificate Authentication
This mechanism uses TLS protocol to authenticate the client. Other names include:
- Mutual SSL, Mutual TLS, mTLS
- Two-Way SSL, SSL Certificate Authentication
- Digital Certificate Authentication, Public Key Infrastructure (PKI) Authentication
Using the UI (keystore method)
Your Kafka Admin or your Kafka Provider gave you a keystore file (.jks or .p12 format).
Click the "Import from keystore" button to select a keystore file from your filesystem.
Fill in the required keystore password and key password and click "Import".
You'll get back to the cluster screen with the content of your keystore extracted into Access key and Access certificate.
Using the UI (Access key & Access certificate method)
Your Kafka Admin or your Kafka Provider gave you 2 files for authentication.
- An Access key (.key file)
- An Access certificate (.pem or .crt file)
Here's an example with Aiven:
You can paste the 2 file's contents into Conduktor, or alternatively import from keystore.
Using Volume Mount (Alternate method)
You can mount the keystore file in 'conduktor-platform' image:
- type: bind
And then from the UI, choose the SSL Authentication method "Keystore file is mounted on the volume" and fill in the required fields