SAP / kafka-connect-sap

Kafka Connect SAP is a set of connectors, using the Apache Kafka Connect framework for reliably connecting Kafka with SAP systems
Apache License 2.0

SSL properties are not being passed to the producer #95

Closed ThomasDangleterre closed 2 years ago

ThomasDangleterre commented 2 years ago

Hi,

I have created a connector with Debezium that successfully connects to my broker with SSL. We can see the SSL properties correctly initialized in the producer and consumer:

    ssl.keystore.location = /etc/config/kafka.keystore.p12
    ssl.keystore.password = [hidden]
    ssl.keystore.type = PKCS12
    ssl.protocol = TLSv1.3
    ssl.trustmanager.algorithm = PKIX
    ssl.truststore.location = /etc/config/kafka.truststore.jks
    ssl.truststore.password = [hidden]

But the properties of the SAP HANA connector producer in source mode are not being passed correctly:

    ssl.keystore.location = null
    ssl.keystore.password = null
    ssl.keystore.type = JKS
    ssl.protocol = TLSv1.3
    ssl.provider = null
    ssl.secure.random.implementation = null
    ssl.trustmanager.algorithm = PKIX
    ssl.truststore.certificates = null
    ssl.truststore.location = null
    ssl.truststore.password = null
    ssl.truststore.type = JKS

It seems like only the bootstrap server is present in the producer's config, so I'm getting this warning: Bootstrap broker <broker-host> - (id: -1 rack: null) disconnected [org.apache.kafka.clients.NetworkClient] even though the connection to the SAP HANA database seems up: Returning 100 records for IncrColTableQuerier{...

I have tried many ways to override those properties, both as environment variables directly and in the connector's configuration when creating it:

    "producer.security.protocol": "SSL",
    "producer.ssl.key.password": 
    "producer.ssl.keystore.location": "/etc/config/kafka.keystore.p12",
    "producer.ssl.keystore.password": 
    "producer.ssl.keystore.type": "PKCS12",
    "producer.ssl.truststore.location": "/etc/config/kafka.truststore.jks",
    "producer.ssl.truststore.password": 

    "security.protocol": "SSL",
    "ssl.key.password":
    "ssl.keystore.location": "/etc/config/kafka.keystore.p12",
    "ssl.keystore.password": 
    "ssl.keystore.type": "PKCS12",
    "ssl.truststore.location": "/etc/config/kafka.truststore.jks",
    "ssl.truststore.password": 

    "connect.security.protocol": "SSL",
    "connect.ssl.key.password":
    "connect.ssl.keystore.location": "/etc/config/kafka.keystore.p12",
    "connect.ssl.keystore.type": "PKCS12",
    "connect.ssl.truststore.location": "/etc/config/kafka.truststore.jks",
    "connect.ssl.truststore.password":

I removed the passwords from the config.

Could you please tell me if there is a way to use SSL in the producer config?

ThomasDangleterre commented 2 years ago

The correct configuration was:

    "connect.producer.security.protocol": "SSL",
    "connect.producer.ssl.key.password": 
    "connect.producer.ssl.keystore.location": "/etc/config/kafka.keystore.p12",
    "connect.producer.ssl.keystore.password": 
    "connect.producer.ssl.keystore.type": "PKCS12",
    "connect.producer.ssl.truststore.location": "/etc/config/kafka.truststore.jks",
    "connect.producer.ssl.truststore.password": 

elakito commented 2 years ago

@Thomas-Dangleterre I wanted to reply but you resolved it on your own. But it is strange what you observed.

When the broker is running on TLS, the connector needs its series of ssl.xxxxx properties set for its bootstrap server connection. In addition, the series of producer.ssl.xxxx and consumer.ssl.xxxx properties just need to be set for the sink and source connectors, respectively. And that should be sufficient. https://docs.confluent.io/platform/current/kafka/encryption.html#kconnect-long
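
Added example (not part of the issue thread or the project's code): a small check over the client config dump that Kafka logs at startup, to confirm that the SSL settings actually reached the producer. The two dumps are copied from the issue, except the `security.protocol` lines, which are constructed for illustration; the function names are hypothetical.

```python
import re

# "key = value" lines as printed in a Kafka client config dump
LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

# From the issue's failing producer; security.protocol line is constructed.
BROKEN_DUMP = """
    security.protocol = PLAINTEXT
    ssl.keystore.location = null
    ssl.keystore.password = null
    ssl.keystore.type = JKS
    ssl.truststore.certificates = null
    ssl.truststore.location = null
    ssl.truststore.type = JKS
"""
# From the issue's working client; security.protocol line is constructed.
WORKING_DUMP = """
    security.protocol = SSL
    ssl.keystore.location = /etc/config/kafka.keystore.p12
    ssl.keystore.password = [hidden]
    ssl.keystore.type = PKCS12
    ssl.truststore.location = /etc/config/kafka.truststore.jks
    ssl.truststore.password = [hidden]
"""

def parse_client_config(dump):
    """Parse a config dump into a dict; 'null' and empty values become None."""
    cfg = {}
    for line in dump.splitlines():
        m = LINE.match(line)
        if m:
            key, value = m.groups()
            cfg[key] = None if value in ("null", "") else value
    return cfg

def audit_tls(cfg):
    """Return findings showing the client did not receive its TLS settings."""
    findings = []
    proto = cfg.get("security.protocol")
    if proto not in ("SSL", "SASL_SSL"):
        findings.append(f"security.protocol is {proto}: broker connection is not TLS")
    if not (cfg.get("ssl.truststore.location") or cfg.get("ssl.truststore.certificates")):
        findings.append("no truststore set: JVM default trust store is used")
    if not (cfg.get("ssl.keystore.location") or cfg.get("ssl.keystore.key")):
        findings.append("no keystore set: no client certificate for mutual TLS")
    loc = cfg.get("ssl.keystore.location") or ""
    if loc.lower().endswith((".p12", ".pfx")) and cfg.get("ssl.keystore.type") != "PKCS12":
        findings.append("keystore file looks like PKCS12 but ssl.keystore.type differs")
    return findings
```

Running `audit_tls(parse_client_config(...))` on each client's dump after a configuration change shows whether a prefixed property was picked up by that client or silently ignored.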