7.7 ZooKeeper Encryption

ZooKeeper connections that use mutual TLS are encrypted. Beginning with ZooKeeper version 3.5.7 (the version shipped with Kafka version 2.5), ZooKeeper supports a server-side config ssl.clientAuth (case-insensitive; want/need/none are the valid options, and the default is need). Setting this value to none in ZooKeeper allows clients to connect over a TLS-encrypted connection without presenting their own certificate. Here is a sample (partial) Kafka Broker configuration for connecting to ZooKeeper with TLS encryption only. These configurations are described above in Broker Configs.

  # connect to the ZooKeeper port configured for TLS
  zookeeper.connect=zk1:2182,zk2:2182,zk3:2182
  # required to use TLS to ZooKeeper (default is false)
  zookeeper.ssl.client.enable=true
  # required to use TLS to ZooKeeper
  zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
  # define trust stores to use TLS to ZooKeeper; ignored unless zookeeper.ssl.client.enable=true
  # no need to set keystore information assuming ssl.clientAuth=none on ZooKeeper
  zookeeper.ssl.truststore.location=/path/to/kafka/truststore.jks
  zookeeper.ssl.truststore.password=kafka-ts-passwd
  # tell broker to create ACLs on znodes (if using SASL authentication, otherwise do not set this)
  zookeeper.set.acl=true
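The settings above depend on each other (TLS needs the Netty socket and a truststore; a keystore is only optional when ZooKeeper's ssl.clientAuth is none; zookeeper.set.acl only makes sense with SASL). The following added example, which is not part of the Kafka documentation or code base, lints a broker properties file against those rules. The sample properties, the lint function, its parameters and the message strings are all constructed here; the property names are Kafka's own.

```python
"""Lint a Kafka broker's ZooKeeper TLS settings (added example, not Kafka code)."""
from typing import Dict, List

NETTY_SOCKET = "org.apache.zookeeper.ClientCnxnSocketNetty"
VALID_CLIENT_AUTH = {"want", "need", "none"}   # ZooKeeper ssl.clientAuth values

# Constructed sample: the TLS-only broker configuration from the text above.
SAMPLE_TLS_ONLY = """
# connect to the ZooKeeper port configured for TLS
zookeeper.connect=zk1:2182,zk2:2182,zk3:2182
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.truststore.location=/path/to/kafka/truststore.jks
zookeeper.ssl.truststore.password=kafka-ts-passwd
zookeeper.set.acl=true
"""

# Constructed sample: TLS enabled but the supporting settings are incomplete.
SAMPLE_INCOMPLETE = """
zookeeper.connect=zk1:2182
zookeeper.ssl.client.enable=true
zookeeper.ssl.truststore.location=/path/to/kafka/truststore.jks
zookeeper.ssl.truststore.password=kafka-ts-passwd
zookeeper.set.acl=true
"""

# Constructed sample: plaintext ZooKeeper connection (the default).
SAMPLE_PLAINTEXT = "zookeeper.connect=zk1:2181\n"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: key=value lines, '#'/'!' comments, blanks."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def normalize_client_auth(value: str) -> str:
    """ZooKeeper's ssl.clientAuth is case-insensitive; unset means 'need'."""
    v = (value or "need").strip().lower()
    if v not in VALID_CLIENT_AUTH:
        raise ValueError(f"invalid ssl.clientAuth value: {value!r}")
    return v


def lint_broker_zk_tls(props: Dict[str, str], zk_client_auth: str = "need",
                       sasl_to_zk: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent.

    zk_client_auth is the ssl.clientAuth value on the ZooKeeper side and
    sasl_to_zk says whether the broker authenticates to ZooKeeper with SASL
    (both hypothetical inputs; Kafka does not read them from this file).
    """
    problems: List[str] = []
    tls = props.get("zookeeper.ssl.client.enable", "false").lower() == "true"
    if not tls:
        problems.append("zookeeper.ssl.client.enable is not true: ZooKeeper traffic is plaintext")
        return problems
    if props.get("zookeeper.clientCnxnSocket") != NETTY_SOCKET:
        problems.append("TLS to ZooKeeper requires zookeeper.clientCnxnSocket=" + NETTY_SOCKET)
    for key in ("zookeeper.ssl.truststore.location", "zookeeper.ssl.truststore.password"):
        if not props.get(key):
            problems.append(f"{key} is missing; the broker cannot verify the ZooKeeper certificate")
    auth = normalize_client_auth(zk_client_auth)
    if auth == "need" and not props.get("zookeeper.ssl.keystore.location"):
        problems.append("ZooKeeper ssl.clientAuth=need requires a client certificate: "
                        "set zookeeper.ssl.keystore.location or change ssl.clientAuth to none")
    if props.get("zookeeper.set.acl", "false").lower() == "true" and not sasl_to_zk:
        problems.append("zookeeper.set.acl=true is only meaningful with SASL authentication to ZooKeeper")
    return problems


if __name__ == "__main__":
    for name, text, auth, sasl in (("tls-only", SAMPLE_TLS_ONLY, "none", True),
                                   ("incomplete", SAMPLE_INCOMPLETE, "need", False),
                                   ("plaintext", SAMPLE_PLAINTEXT, "need", False)):
        print(name, lint_broker_zk_tls(parse_properties(text), auth, sasl) or "OK")
```

Run against the TLS-only sample with ZooKeeper set to ssl.clientAuth=none and SASL in use, the lint reports nothing; the incomplete sample shows why each of the three dependencies matters when one of them is dropped.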