Configure Java SSL keystore and truststore to access Apache Kafka®
Aiven for Apache Kafka® utilises TLS (SSL) to secure the traffic between its services and client applications. This means that clients must be configured with the right tools to be able to communicate with the Aiven services.
Keystores and truststores are password-protected files accessible by the client that interacts with the service. To create these files:
Log into the Aiven web console and select your Aiven for Apache Kafka service.
Download the Access Key, Access Certificate and CA Certificate. The resulting service.key, service.cert and ca.pem files are going to be used in the following steps.
Use the openssl utility to create the keystore with the service.key and service.cert files downloaded previously:
    openssl pkcs12 -export \
        -inkey service.key \
        -in service.cert \
        -out client.keystore.p12 \
        -name service_key
The format has to be PKCS12, which is the default since Java 9.
Enter a password to protect the keystore and the key when prompted.
In the folder where the certificates are stored, use the keytool utility to create the truststore with the ca.pem file as input:
    keytool -import \
        -file ca.pem \
        -alias CA \
        -keystore client.truststore.jks
Enter a password to protect the truststore when prompted.
Reply yes to confirm trusting the CA certificate when prompted.
The result is a keystore named client.keystore.p12 and a truststore named client.truststore.jks, which can be used to configure client applications.
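Before pointing a client at these files, it is worth confirming that they contain what the steps above intended. The following is an added example, not part of the original page or Aiven's own code. It loads both stores, checks the service_key and CA aliases, and checks certificate validity. The environment variable names are assumptions of this example, and so is the expectation that the access certificate is signed directly by the downloaded CA.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

// Added example: sanity-checks client.keystore.p12 and client.truststore.jks.
public class CheckKafkaStores {
    public static void main(String[] args) throws Exception {
        // Assumption: passwords are supplied in these environment variables
        // (names chosen for this example) rather than hard-coded.
        char[] ksPass = requireEnv("KEYSTORE_PASSWORD");
        char[] tsPass = requireEnv("TRUSTSTORE_PASSWORD");

        // KeyStore.getInstance(File, char[]) (Java 9+) detects the on-disk format,
        // so it loads the truststore whether keytool wrote it as JKS or PKCS12.
        KeyStore keystore = KeyStore.getInstance(new File("client.keystore.p12"), ksPass);
        KeyStore truststore = KeyStore.getInstance(new File("client.truststore.jks"), tsPass);

        // The keystore must hold a private key entry under the alias given to -name.
        if (!keystore.isKeyEntry("service_key")) {
            throw new IllegalStateException("no private key under alias service_key");
        }
        // openssl protects the key with the store password; a mismatch throws here.
        keystore.getKey("service_key", ksPass);
        X509Certificate clientCert = (X509Certificate) keystore.getCertificate("service_key");
        clientCert.checkValidity(); // throws if expired or not yet valid

        // The truststore must hold the CA as a trusted certificate entry, not a key entry.
        if (!truststore.isCertificateEntry("CA")) {
            throw new IllegalStateException("no trusted certificate under alias CA");
        }
        X509Certificate ca = (X509Certificate) truststore.getCertificate("CA");
        ca.checkValidity();

        // Assumption: the access certificate is issued directly by the downloaded CA.
        // verify() checks the signature only and throws if another key signed it.
        clientCert.verify(ca.getPublicKey());

        System.out.println("client cert: " + clientCert.getSubjectX500Principal()
                + ", valid until " + clientCert.getNotAfter());
        System.out.println("trusted CA:  " + ca.getSubjectX500Principal()
                + ", valid until " + ca.getNotAfter());
    }

    private static char[] requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null) throw new IllegalStateException(name + " is not set");
        return value.toCharArray();
    }
}
```

Run it from the folder that holds both files, for example with `java CheckKafkaStores.java` on Java 11 or later.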
You can use the Aiven CLI command avn service user-kafka-java-creds to automate the creation of both the keystore and the truststore. Check the dedicated page for more details.