SSL/TLS and X.509 Certificates
Overview
In this guide, you can learn how to secure communications between your MongoDB Kafka Connector worker and your MongoDB cluster.
To secure your connection, you must store your certificates on the worker and then add the keystore and truststore credentials to the connector, as described in the following sections.
Note
If you host your MongoDB cluster on MongoDB Atlas or your cluster does not explicitly require certificates, you can already communicate securely and do not need to follow the steps in this guide.
Prerequisites
This guide requires prior knowledge of the following concepts:
Store Certificates on the Worker
Store your certificates in a keystore and truststore to secure your certificate credentials for each server you run your connector worker instance on.
Keystore
You can use a keystore to store private keys and identity certificates. The key and certificate in the keystore let the client prove its identity to external hosts.
If your SSL/TLS configuration requires a client certificate to connect to your worker instance, generate a secure private key and include the client certificate bundled with the intermediate CA. Then, store this information in your keystore by using the following openssl command to generate a PKCS #12 file:
openssl pkcs12 -export -inkey <your private key> \
-in <your bundled certificate> \
-out <your output pkcs12 file>
Truststore
You can use a truststore to store certificates from a CA. The truststore uses the certificates to identify parties the client trusts. Some examples of these certificates are a root CA, intermediate CA and your MongoDB cluster's end entity certificate.
Import the certificates of parties that you trust into your truststore by using the following keytool command:
keytool -import -trustcacerts -file <your root or intermediate CA> -keystore <your truststore name>
If your SSL/TLS configuration requires the end entity certificate for your MongoDB cluster, import it into your truststore with the following command:
keytool -import -file <your server bundled certificate> -keystore <your truststore name>
For more information on how to set up a client keystore and truststore for testing purposes, see OpenSSL Client Certificates for Testing.
Add Credentials to the Connector
The connector worker processes JVM options from your KAFKA_OPTS environment variable. The environment variable contains the path and password to your keystore and truststore.
Export the following JVM options in your KAFKA_OPTS variable:
export KAFKA_OPTS="\
-Djavax.net.ssl.trustStore=<your path to truststore> \
-Djavax.net.ssl.trustStorePassword=<your truststore password> \
-Djavax.net.ssl.keyStore=<your path to keystore> \
-Djavax.net.ssl.keyStorePassword=<your keystore password>"
When the worker processes the JVM options, the connector attempts to connect by using the SSL/TLS protocol and certificates in your keystore and truststore.
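A preflight check for the KAFKA_OPTS settings above, added here as an example and not part of the MongoDB Kafka Connector docs: it parses the -D options, confirms the four required properties are present and the passwords are non-empty, and checks that each store file exists and is not group- or world-accessible. The paths and passwords used to exercise it are constructed; the function and constant names are this example's own.

```python
"""Preflight check for the SSL/TLS -D options handed to the worker via KAFKA_OPTS.
Added example, not part of the MongoDB Kafka Connector docs."""
import os
import shlex
import stat

# The four JVM properties the guide above exports in KAFKA_OPTS.
REQUIRED = (
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.keyStore",
    "javax.net.ssl.keyStorePassword",
)

def parse_jvm_props(kafka_opts: str) -> dict:
    """Map every -Dname=value token in a KAFKA_OPTS string to {name: value}."""
    props = {}
    for tok in shlex.split(kafka_opts):
        if tok.startswith("-D") and "=" in tok:
            name, value = tok[2:].split("=", 1)
            props[name] = value
    return props

def check_store_file(path: str) -> list:
    """Problems with a keystore/truststore file: missing, unreadable, or
    readable by group/others (the store password protects the key material,
    but the file itself should still be private to the worker user)."""
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    problems = []
    if not os.access(path, os.R_OK):
        problems.append(f"{path}: not readable by the current user")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is group/world accessible; use 0600")
    return problems

def preflight(kafka_opts: str) -> list:
    """Return a list of problems; an empty list means the options look sane.
    Caveat: -D values, passwords included, show up in the worker's command line
    (ps, /proc/<pid>/cmdline), so limit who can log in to the worker host."""
    props = parse_jvm_props(kafka_opts)
    problems = [f"missing -D{name}" for name in REQUIRED if name not in props]
    for name in ("javax.net.ssl.trustStore", "javax.net.ssl.keyStore"):
        if name in props:
            problems.extend(check_store_file(props[name]))
    for name in REQUIRED:
        if name.endswith("Password") and name in props and not props[name]:
            problems.append(f"-D{name} is empty")
    return problems
```

Run `preflight(os.environ["KAFKA_OPTS"])` on the worker host before starting the connector and fix every entry it returns.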