[UBA] Keystore and Trustore used in Cassandra and Kafka

CASSANDRA_USE_SSL_ENV if true:

  • CASSANDRA_KEYSTORE_ENV - JKS - string encoded in /etc/default/veridiumid/uba_variables

  • TRUSTSTORE_ENV - PEM - string encoded in /etc/default/veridiumid/uba_variables

  • CASSANDRA_KEYSTORE_PASS_ENV - string encoded in /etc/default/veridiumid/uba_variables


Kafka:

Starting with 2.7.6, the KeyStore and TrustStore format are:

For java services:

  • KAFKA_PRODUCER_SSL_KEYSTORE_PATH_ENV: KeyStore.jks

  • KAFKA_PRODUCER_SSL_KEYSTORE_PWD_ENV: <because KeyStore format is jks>

  • KAFKA_PRODUCER_SSL_TRUSTSTORE_PATH_ENV: TrustStore.pem

For python services:

  • ssl.ca.location → TrustStore.pem

  • ssl.keystore.location-> KeyStore.jks

  • ssl.keystore.password-> <because KeyStore format is jks>

Before 2.7.6, the configuration was:

For python services:

  • ssl.ca.location → TrustStore.pem

Use the ssl.ca.location to specify the path to your CA certificate (PEM or DER format)

The ssl.ca.location configuration in Kafka cannot directly be a JKS (Java KeyStore) file in Python Kafka clients (such as those using confluent_kafka or kafka-python).

JKS is a keystore format commonly used in Java-based applications. However, Kafka clients in Python typically expect the CA certificates to be in PEM format (text-based format) or, to a lesser extent, DER format (binary).

  • ssl.keystore.location: Path to the PKCS12 or JKS keystore file.

  • ssl.keystore.password: The password for accessing the keystore


For java services:

YAML
KAFKA_PRODUCER_SSL_KEYSTORE_PATH_ENV: "/opt/veridiumid/uba/KeyStore.jks"
KAFKA_PRODUCER_SSL_KEYSTORE_PWD_ENV: "CASSANDRA_KEYSTORE_ENV_PASS_REPLACE_BY_INSTALLER"
KAFKA_PRODUCER_SSL_TRUSTSTORE_PATH_ENV: "/opt/veridiumid/uba/TrustStore.jks"
KAFKA_PRODUCER_SSL_TRUSTSTORE_PWD_ENV: "CASSANDRA_KEYSTORE_ENV_PASS_REPLACE_BY_INSTALLER"
  • PEM files are typically used as plain text files and do not require a password for access.

  • JKS and PKCS12 formats, on the other hand, are binary formats and often require passwords to access the keystore or truststore.

Last updated: