

Summary

This document describes how to enable and configure ACLs between Apache Kafka and z/IRIS. It covers:

  • Necessary configuration for the Kafka Cluster.

  • Necessary configuration for the Kafka Producer (z/IRIS z/OS Client).

  • Necessary configuration for the Kafka Consumer (z/IRIS IronTap).


Prerequisites


Kafka Cluster

The following configurations are illustrative examples only. Adjust the parameter values to your environment.

Configure Kafka Broker properties to enable ACL authorization

Add the following parameters to every Kafka Broker properties file that is used to start up the Kafka Brokers of the Kafka Cluster:

authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
super.users=User:CN=broker1;User:CN=<brokerX>
Configure the Kafka Confluent Image to enable ACL authorization

Add the following environment variables for all involved Kafka Brokers of the Cluster.

DOCKER_KAFKA_AUTHORIZER_CLASS_NAME: 'org.apache.kafka.metadata.authorizer.StandardAuthorizer'
DOCKER_KAFKA_SUPER_USERS: 'User:CN=broker1;User:CN=<brokerX>'

Kafka Producer (z/IRIS z/OS Client)

The following configurations are illustrative examples only. Adjust the parameter values to your environment.

Configure write permission

The z/IRIS z/OS Clients need write permission on a Kafka Topic (e.g. smf) in order to send SMF records. This can be granted via the Kafka CLI:

kafka-acls --bootstrap-server <broker-ip>:9094 --add --allow-principal User:CN=ziris --operation Write --topic <topic-name> --command-config /tmp/ssl/broker-ssl-cli.properties 

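The properties file /tmp/ssl/broker-ssl-cli.properties passed via --command-config contains the following parameters. Note that the empty ssl.endpoint.identification.algorithm value disables hostname verification of the broker certificate, and the passwords shown are example values: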

security.protocol=SSL
ssl.endpoint.identification.algorithm=
ssl.keystore.location=/tmp/ssl/broker1.keystore.jks
ssl.keystore.password=test1234
ssl.truststore.location=/tmp/ssl/broker1.truststore.jks
ssl.truststore.password=test1234
ssl.key.password=test1234

Kafka Consumer (z/IRIS IronTap)

The following configurations are illustrative examples only. Adjust the parameter values to your environment.

Configure read permission

The z/IRIS IronTap instances need read permission on a Kafka Topic (e.g. smf) and on their consumer group (e.g. smf-group) in order to read SMF records. This can be granted via the Kafka CLI:

kafka-acls --bootstrap-server <broker-ip>:9094 --add --allow-principal User:CN=irontap --operation Read --topic smf --group smf-group --command-config /tmp/ssl/broker-ssl-cli.properties 

The properties file /tmp/ssl/broker-ssl-cli.properties passed via --command-config is the same one used for the write permission above and contains the following parameters:

security.protocol=SSL
ssl.endpoint.identification.algorithm=
ssl.keystore.location=/tmp/ssl/broker1.keystore.jks
ssl.keystore.password=test1234
ssl.truststore.location=/tmp/ssl/broker1.truststore.jks
ssl.truststore.password=test1234
ssl.key.password=test1234
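
To confirm that the write and read grants above are in place and that nothing broader has been granted, the output of kafka-acls --list can be compared against the expected bindings. The following is an added example, not part of the original z/IRIS documentation; the names audit_acls, sample_listing and EXPECTED and the sample listing are constructed for illustration, and the listing layout is assumed to match what current Kafka CLI versions print.

```shell
# Added example: audit `kafka-acls --list` output against the grants on this page.
# Live use, with the same CLI properties file as above:
#   kafka-acls --bootstrap-server <broker-ip>:9094 --list \
#     --command-config /tmp/ssl/broker-ssl-cli.properties | audit_acls

# Expected ALLOW bindings, one per line: TYPE|name|principal|OPERATION
# (smf and smf-group are the example names used on this page).
EXPECTED='TOPIC|smf|User:CN=ziris|WRITE
TOPIC|smf|User:CN=irontap|READ
GROUP|smf-group|User:CN=irontap|READ'

# Reads a listing on stdin. Prints "MISSING <binding>" for an absent expected
# grant and "UNEXPECTED <binding>" for any other ALLOW entry (for example a
# wildcard principal). DENY entries are not compared. Returns 0 only on a match.
audit_acls() {
  EXPECTED="$EXPECTED" awk '
    BEGIN { n = split(ENVIRON["EXPECTED"], e, "\n")
            for (i = 1; i <= n; i++) want[e[i]] = 1 }
    /resourceType=/ {                        # header line of a resource
      match($0, /resourceType=[A-Z_]+/); type = substr($0, RSTART + 13, RLENGTH - 13)
      match($0, /name=[^,]+/);           name = substr($0, RSTART + 5, RLENGTH - 5)
    }
    /principal=/ && /permissionType=ALLOW/ { # one ACL entry of that resource
      # Principal runs up to ", host=", so a DN containing commas stays whole.
      match($0, /principal=.*, host=/);  who = substr($0, RSTART + 10, RLENGTH - 17)
      match($0, /operation=[A-Z_]+/);    op = substr($0, RSTART + 10, RLENGTH - 10)
      seen[type "|" name "|" who "|" op] = 1
    }
    END {
      for (i = 1; i <= n; i++) if (!(e[i] in seen)) { print "MISSING " e[i]; bad = 1 }
      for (b in seen) if (!(b in want)) { print "UNEXPECTED " b; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample listing (not captured from a real cluster).
sample_listing() {
  cat <<'EOF'
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=smf, patternType=LITERAL)`:
 	(principal=User:CN=ziris, host=*, operation=WRITE, permissionType=ALLOW)
 	(principal=User:CN=irontap, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=smf-group, patternType=LITERAL)`:
 	(principal=User:CN=irontap, host=*, operation=READ, permissionType=ALLOW)
EOF
}

sample_listing | audit_acls && echo "ACLs match the expected least-privilege set"
```

A non-zero exit status with UNEXPECTED lines points at grants that should be reviewed and, if not needed, removed with kafka-acls --remove.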