This topic describes how to enable the Secure Sockets Layer (SSL) feature of an E-MapReduce (EMR) Kafka cluster and access Kafka over SSL.

Prerequisites

An EMR Kafka cluster is created.

For more information about how to create a cluster, see Create a cluster.

Enable SSL

SSL is disabled for Kafka clusters by default. You can perform the following steps to enable SSL:

  1. Go to the Cluster Overview page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  2. In the left-side navigation pane, choose Cluster Service > Kafka.
  3. On the Kafka service page, click the Configure tab.
  4. Modify parameters.
    1. Enter kafka.ssl.enable in the search box and click the Search icon.
    2. In the Service Configuration section, set kafka.ssl.enable to true.
    3. Click Save.
    4. In the Confirm Changes dialog box, specify Description, turn on Auto-update Configuration, and then click OK.
  5. Restart the Kafka service.
    1. In the upper-right corner of the page, choose Actions > Restart All Components.
    2. In the Cluster Activities dialog box, specify Description and click OK.
    3. In the Confirm message, click OK.

Access Kafka over SSL

To access Kafka over SSL, you must configure security.protocol, ssl.truststore.password, and ssl.keystore.password.

For example, if you use the Producer and Consumer programs of Kafka to run jobs in the Kafka cluster for which the high-security mode is disabled, you can perform the following steps:
  1. Create a configuration file named ssl.properties and add the following configuration items:
    security.protocol=SSL
    ssl.truststore.location=/etc/ecm/kafka-conf/truststore
    ssl.truststore.password=${password}
    ssl.keystore.location=/etc/ecm/kafka-conf/keystore
    ssl.keystore.password=${password}
    Note: You can obtain the value of ${password} from the server.properties file in the /etc/ecm/kafka-conf/ directory of the Kafka cluster. If you run jobs outside your Kafka cluster, copy the truststore and keystore files in the /etc/ecm/kafka-conf/ directory from a node of the Kafka cluster to the runtime environment. Then, configure the required information.
  2. Create a topic.
    /usr/lib/kafka-current/bin/kafka-topics.sh --partitions 10 --replication-factor 2 --zookeeper emr-header-1:2181/kafka-1.0.0 --topic test --create
  3. Use the SSL configuration file to generate data.
    kafka-producer-perf-test.sh --topic test --num-records 123456 --throughput 10000 --record-size 1024 --producer-props bootstrap.servers=emr-worker-1:9092 --producer.config ssl.properties
  4. Use the SSL configuration file to consume data.
    kafka-consumer-perf-test.sh --broker-list emr-worker-1:9092 --messages 100000000 --topic test --consumer.config ssl.properties
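
The following script is an added example, not part of the original topic. It shows one way to carry out step 1 without typing the passwords by hand: it reads them from server.properties and writes ssl.properties so that only the owner can read it. The function names prop_get and write_ssl_properties are hypothetical, and the script assumes that server.properties stores the passwords under the standard Kafka broker keys ssl.truststore.password and ssl.keystore.password.

```shell
# Added example. Assumption: server.properties uses the standard Kafka broker
# keys ssl.truststore.password and ssl.keystore.password.

# Print the value of KEY from a Java-style properties FILE (last definition wins).
# Everything after the first '=' is the value, so passwords containing '=' survive.
prop_get() {
    local file="$1" key="$2"
    awk -v k="$key" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            i = index($0, "=")
            if (i == 0) next                        # not a key=value line
            name = substr($0, 1, i - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)       # trim the key
            if (name == k) { val = substr($0, i + 1); found = 1 }
        }
        END { if (!found) exit 1; sub(/^[ \t]+/, "", val); print val }
    ' "$file"
}

# Write client SSL settings to OUT using the passwords found in SERVER_PROPS.
# CONF_DIR is the directory that holds the truststore and keystore files on
# the machine where the client runs (defaults to the path used on the cluster).
write_ssl_properties() {
    local server_props="$1" out="$2" conf_dir="${3:-/etc/ecm/kafka-conf}"
    local ts_pw ks_pw
    ts_pw=$(prop_get "$server_props" ssl.truststore.password) || {
        echo "ssl.truststore.password not found in $server_props" >&2; return 1; }
    ks_pw=$(prop_get "$server_props" ssl.keystore.password) || {
        echo "ssl.keystore.password not found in $server_props" >&2; return 1; }
    # The file holds the keystore password: create it with mode 0600.
    # An existing file is removed first so that looser permissions are not kept.
    ( umask 077
      rm -f -- "$out"
      {
          printf 'security.protocol=SSL\n'
          printf 'ssl.truststore.location=%s/truststore\n' "$conf_dir"
          printf 'ssl.truststore.password=%s\n' "$ts_pw"
          printf 'ssl.keystore.location=%s/keystore\n' "$conf_dir"
          printf 'ssl.keystore.password=%s\n' "$ks_pw"
      } > "$out" )
}
```

On a cluster node, `write_ssl_properties /etc/ecm/kafka-conf/server.properties ssl.properties` produces the file used in steps 3 and 4.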