Enable TLS between Kafka and z/IRIS
Created , Updated
Prerequisites
Java 11 or newer
JKS truststore (and keystore if mTLS is required) for z/IRIS z/OS Client and z/IRIS IronTap. To setup the required resources, you can refer to Confluent's 'Encrypt and Authenticate with TLS' site, for instance, which provides details and guides.
z/IRIS z/OS Client (Kafka Producer)
See Configure z/IRIS Clients | Customizing Kafka producer properties to customize the producer properties for the z/IRIS z/OS Client with the following parameters to enable TLS:
CODE
security.protocol='SSL'
ssl.truststore.location='/path/to/truststore.jks'
ssl.truststore.password='changeMe'To enable mTLS, the following configuration options are also required:
CODE
ssl.key.password='changeMe'
ssl.keystore.location='/path/to/keystore.jks'
ssl.keystore.password='changeMe'z/IRIS IronTap (Kafka Consumer)
Add the following parameters to the z/IRIS IronTap configuration to enable TLS:
CODE
irontap.sources.kafka.consumer.security.protocol='SSL'
irontap.sources.kafka.consumer.ssl.truststore.location='/path/to/truststore.jks'
irontap.sources.kafka.consumer.ssl.truststore.password='changeMe'In addition, to enable mTLS, the following configuration options are also required:
CODE
irontap.sources.kafka.consumer.ssl.key.password='changeMe'
irontap.sources.kafka.consumer.ssl.keystore.location='/path/to/keystore.jks'
irontap.sources.kafka.consumer.ssl.keystore.password='changeMe'