Mutual TLS

Mutual TLS (mTLS) is the default method used to authenticate client connections to Apache Kafka, Schema Registry and other platform components. It ensures that the parties at each side of the network connection are who they claim to be: each side presents a certificate and proves that it holds the matching private key.

Broker

Axual Brokers are configured to use mTLS out of the box. Below you will find instructions on how to override the TLS protocol versions and cipher suites, should you need to do so.

Configuring TLS protocol versions or cipher suites

From 2021.3, Brokers only accept TLSv1.2 connections by default.
TLSv1.0 and TLSv1.1 are deprecated due to known security vulnerabilities.

If you still need to enable the old TLS protocol versions, you can do so with the configuration described below:

Using Axual CLI

Add or modify the following configuration in the Broker config file for the cluster.

platform-config/clusters/{cluster-name}/broker.sh
# Enabling old TLS protocol versions along with version TLSv1.2
BROKER_SSL_ENABLED_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"

# A cipher suite is a named combination of key exchange, authentication, encryption and MAC algorithms
# used to negotiate the security settings for a network connection (using the TLS or SSL network protocol).
# If not configured, all the available cipher suites are supported.
BROKER_SSL_CIPHER_SUITES=

Using Axual Helm Charts

When deployed with the Axual Helm Charts, Brokers only support the TLSv1.2 and TLSv1.3 protocols.

Discovery API

With mutual TLS enabled, the endpoints are secured and can only be accessed with a client certificate signed by a certificate authority trusted by the instance. This is disabled by default, but can be activated per cluster.

See the Deployment page for more information about the different service types, like cluster and instance services.

Enabling mTLS with a client certificate

Using Axual CLI

Add or modify the following configuration in the Discovery API config file for the tenant instance.

platform-config/tenants/{tenant-name}/instances/{instance-name}/discovery-api.sh
# Disables mTLS for cluster cluster1 and enables it for cluster cluster2. Both clusters are defined in this config as well.
DISCOVERYAPI_SERVER_SSL_CLIENT_AUTH=cluster1:false,cluster2:true

Using Axual Helm Charts

Open the values.yaml for your instance, add the following configuration, then update the deployment.

platform:
  instance:
    discoveryapi:
      tls:
        clientAuth: true

Configuring TLS protocol versions or cipher suites

From 2021.3, Discovery-API only accepts TLSv1.2 connections by default.
TLSv1.0 and TLSv1.1 are deprecated due to known security vulnerabilities.

If you still need to enable the old TLS protocol versions, you can do so with the configuration described below:

Using Axual CLI

Add or modify the following configuration in the Discovery API config file for the cluster.

platform-config/clusters/{cluster-name}/discovery-api.sh
# Enabling old TLS protocol versions along with version TLSv1.2
DISCOVERYAPI_SERVER_SSL_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"

# By default all Java 11 cipher suites are supported
DISCOVERYAPI_SERVER_SSL_CIPHER_SUITES="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,..."

Using Axual Helm Charts

Edit the values.yaml for your instance and add the following configuration

platform:
  instance:
    discoveryapi:
      security:
        protocols: TLSv1.2,TLSv1.1,TLSv1
        # By default all Java 11 cipher suites are supported
        ciphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,...
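Before rolling out a protocol or cipher-suite override such as the broker.sh, discovery-api.sh or values.yaml settings above, it is worth linting the values so that a deprecated protocol or a weak suite does not slip in unnoticed. The script below is an added example and is not part of Axual's tooling: it reads the shell-style (KEY="value") or YAML-style (key: value) settings, splits each IANA cipher-suite name into the key exchange, authentication, encryption and MAC components that the configuration comments describe, and reports deprecated protocols, suites without forward secrecy and non-AEAD bulk ciphers. The sample config text and the policy (which protocols and suite components are flagged) are this example's own assumptions.

```python
"""Lint TLS protocol and cipher-suite settings before rollout.
Added example; the policy below is the example's own, not Axual's."""
import re
from typing import Dict, List

# Protocol names the page marks as deprecated, plus the SSL versions before them.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Ephemeral key exchanges give forward secrecy; static RSA/DH/ECDH do not.
FORWARD_SECRET_KX = {"ECDHE", "DHE"}
# Bulk ciphers that provide authenticated encryption (no separate MAC step).
AEAD_CIPHERS = {
    "AES_128_GCM", "AES_256_GCM", "CHACHA20_POLY1305",
    "AES_128_CCM", "AES_256_CCM", "AES_128_CCM_8",
}
# IANA suite names: TLS_<kx>_<auth>_WITH_<cipher>_<mac> for TLS 1.2 and older,
# or TLS_<cipher>_<hash> for TLS 1.3 (key exchange is negotiated separately).
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kxauth>[A-Za-z0-9_]+?)_WITH_)?(?P<cipher>.+)_(?P<mac>SHA256|SHA384|SHA|MD5)$"
)
# Matches KEY="value" / KEY=value (shell) and key: value (YAML) on one line.
SETTING_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z0-9_]+)\s*(?:=|:)\s*"?(?P<value>[^"#]*?)"?\s*(?:#.*)?$'
)


def parse_settings(text: str) -> Dict[str, str]:
    """Return leaf key/value pairs from shell-style or YAML-style config text."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = SETTING_RE.match(line)
        if m:
            settings[m.group("key")] = m.group("value").strip()
    return settings


def describe_suite(name: str) -> Dict[str, str]:
    """Split an IANA cipher-suite name into kx, auth, cipher and mac parts."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = auth = "TLS1.3"  # TLS 1.3 suite names carry no key exchange / auth
    if m.group("kxauth"):
        parts = m.group("kxauth").split("_")
        # "RSA" alone means RSA for both key exchange and authentication.
        kx, auth = (parts[0], parts[-1]) if len(parts) > 1 else (parts[0], parts[0])
    return {"kx": kx, "auth": auth, "cipher": m.group("cipher"), "mac": m.group("mac")}


def lint_protocols(value: str) -> List[str]:
    """Flag every deprecated protocol in a comma-separated protocol list."""
    return [
        f"protocol {p} is deprecated; remove it from the enabled list"
        for p in (x.strip() for x in value.split(",") if x.strip())
        if p in DEPRECATED_PROTOCOLS
    ]


def lint_ciphers(value: str) -> List[str]:
    """Flag weak suites; an empty value means the JVM default set applies."""
    if not value.strip():
        return ["cipher suites not pinned; effective set falls back to the JVM default"]
    findings: List[str] = []
    for name in (c.strip() for c in value.split(",") if c.strip()):
        try:
            s = describe_suite(name)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if s["kx"] != "TLS1.3" and s["kx"] not in FORWARD_SECRET_KX:
            findings.append(f"{name}: key exchange {s['kx']} gives no forward secrecy")
        if s["cipher"] not in AEAD_CIPHERS:
            findings.append(f"{name}: bulk cipher {s['cipher']} is not AEAD")
    return findings


def lint_config(text: str) -> List[str]:
    """Lint every protocol and cipher setting found in a config fragment."""
    findings: List[str] = []
    for key, value in parse_settings(text).items():
        k = key.upper()
        if k.endswith("SSL_ENABLED_PROTOCOLS") or k.endswith("SSL_PROTOCOLS") or k == "PROTOCOLS":
            findings += [f"{key}: {f}" for f in lint_protocols(value)]
        elif k.endswith("SSL_CIPHER_SUITES") or k == "CIPHERS":
            findings += [f"{key}: {f}" for f in lint_ciphers(value)]
    return findings


# Constructed sample in the broker.sh style shown on the page; not a real deployment.
SAMPLE_BROKER_SH = '''
# Enabling old TLS protocol versions along with version TLSv1.2
BROKER_SSL_ENABLED_PROTOCOLS="TLSv1.2,TLSv1.1,TLSv1"
BROKER_SSL_CIPHER_SUITES="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_AES_128_GCM_SHA256"
'''

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_BROKER_SH):
        print(finding)
```

Run against the constructed sample, the linter reports the two deprecated protocol versions and flags TLS_RSA_WITH_AES_128_CBC_SHA twice (static RSA key exchange and a CBC cipher), while the ECDHE/GCM and TLS 1.3 suites pass. The same function accepts the indented values.yaml fragment, since the YAML leaf keys `protocols` and `ciphers` are matched by name.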