
Striim Platform 5.4.0 documentation

confluent-schema-registry-configure-connection-profile

Configure the following properties to create a connection profile for Confluent Schema Registry.

  • Connection Profile Name: Assign a unique name to identify the Confluent Schema Registry connection profile.

  • Namespace: Select the namespace where the connection profile will be stored. Ensure all users have READ and SELECT permissions for the chosen namespace.

  • Endpoint Type: Choose Confluent Schema Registry.

Configuring connection properties

Configure the following connection property:

  • Authentication Type: Select the type of authentication you want to use, then set the properties for that type as described below.

Setting Confluent Cloud API authentication properties

Confluent Cloud API Keys are credentials used to authenticate clients connecting to Confluent Cloud services. Schema Registry in Confluent Cloud uses HTTPS with Basic Auth (API key/secret). The API Key serves as a public identifier (like a username), and the API Secret serves as a private credential (like a password).

Prerequisites

Before configuring Confluent Cloud API authentication, ensure you have the following:

  • Confluent Cloud Kafka Cluster.

  • API Key and Secret.

Creating a Schema Registry API Key

Follow these steps to create an API Key in Confluent Cloud.

  1. Navigate to Confluent Cloud Console, select Clusters, and choose your cluster.

  2. On the left menu, click Schema Registry.

  3. Click API Access in the top-right of the Schema Registry page.

  4. Click Create Key.

  5. Configure the API Key and API Secret in the Schema Registry Connection Profile.

Setting Basic authentication properties

Basic authentication means clients authenticate with Schema Registry using a username and password, sent as a Base64-encoded string in the HTTP Authorization header.

Note

Basic authentication is not supported on Confluent Cloud Schema Registry.

Prerequisites

For detailed information on configuring HTTP Basic authentication for Schema Registry, see Confluent Documentation: HTTP Basic Authentication for Schema Registry.

Configuring the connection profile

Configure the Username and Password in the Schema Registry Connection Profile.

Setting Mutual TLS authentication properties

Use SSL is disabled by default. We recommend enabling it to ensure data confidentiality over the network. When Use SSL is enabled, configure SSL as follows.

Mutual TLS authentication requires both sides to prove their identity: the server must trust the client's certificate (mutual authentication), and the client must present a valid certificate signed by a CA the server trusts.

Note

Mutual TLS is currently not supported for Confluent Cloud Schema Registry.

Server certificate setup

Follow these steps to set up the server certificate for Mutual TLS authentication.

  1. Create the CA:

    openssl genrsa -aes256 -out ca-key.pem 4096
    openssl req -x509 -new -key ca-key.pem -sha256 -days 1826 -out ca-cert.pem
  2. Create the server certificate configuration. Create server.conf with the certificate details and the SAN entries:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    
    [req_distinguished_name]
    C = US
    ST = State
    L = City
    O = Organization
    OU = OrgUnit
    CN = kafka-server
    
    [v3_req]
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = localhost
    DNS.2 = kafka-server
    DNS.3 = your-hostname.com
    IP.1 = 127.0.0.1
    IP.2 = 192.168.1.100

    Note

    In the alt_names section, add the IP or domain where the server is hosted.

  3. Generate server private key and CSR:

    openssl genpkey -algorithm RSA -out server.key -aes256
    openssl req -new -key server.key -out server.csr -config server.conf
  4. Create the extension file. Create server.ext, which defines the key usage and SAN entries (the same values as in server.conf):

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = localhost
    DNS.2 = kafka-server
    DNS.3 = your-hostname.com
    IP.1 = 127.0.0.1
    IP.2 = 192.168.1.100
  5. Create server certificate:

    openssl x509 -req -in server.csr \
    -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
    -out server.crt -days 825 -sha256 -extfile server.ext
  6. Create server keystore:

    openssl pkcs12 -export -in server.crt -inkey server.key \
        -certfile ca-cert.pem -out server.keystore.p12 -name kafka-server
    
    keytool -importkeystore \
        -destkeystore server.keystore.jks \
        -srckeystore server.keystore.p12 \
        -srcstoretype PKCS12 \
        -alias kafka-server
  7. Create server truststore (trust client CA):

    keytool -import -alias myCA -file ca-cert.pem -keystore server.truststore.jks

Configuring Schema Registry for local deployment

Configure the following properties in schema-registry.properties:

ssl.client.auth=required

ssl.keystore.location=/path/to/server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit

ssl.truststore.location=/path/to/server.truststore.jks
ssl.truststore.password=changeit

Configuring the connection profile

Configure the client's Keystore and Truststore in the Schema Registry Connection Profile using the following properties:

  • SSL Keystore Location.

  • SSL Keystore Password.

  • SSL Truststore Location.

  • SSL Truststore Password.

  • SSL Key Password (if required).
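The script below is an added example, not part of the Striim documentation or of Confluent's tooling. It condenses the server steps above into functions and adds the part those steps leave implicit: the client certificate that the Striim connection profile presents, signed by the same CA, packaged as the client keystore and truststore listed above. It then runs the checks worth doing before pointing the SSL Keystore Location and SSL Truststore Location properties at the files: the server certificate chains to the CA and carries the expected hostname in its SAN, the client certificate chains to the same CA and is marked for client authentication (extendedKeyUsage clientAuth, not serverAuth), the keystore opens with the configured password, and a server-only certificate is rejected as a client identity. Everything here is assumed: the passphrases, hostnames and CN values are placeholders, the script uses openssl only, and it writes PKCS12 stores; if your profile requires JKS, convert them with keytool -importkeystore exactly as step 6 does for the server.

```shell
#!/bin/sh
# Added example (not Striim's or Confluent's code): builds the CA, server and
# client material for the mutual TLS setup described above and checks it.
# All passphrases, hostnames and names below are placeholders for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"                   # scratch directory for generated files
CA_PASS="${CA_PASS:-demo-ca-pass}"             # placeholder; keep real passphrases in a vault
SRV_PASS="${SRV_PASS:-demo-server-pass}"
CLI_PASS="${CLI_PASS:-demo-client-pass}"
SERVER_HOST="${SERVER_HOST:-kafka-server}"     # must be listed in the server SAN entries
CLIENT_NAME="${CLIENT_NAME:-striim-client}"    # keystore alias / CN of the client identity

# Step 1 of the procedure above: one CA that signs both the server and the client.
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca-key.pem" 4096 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca-key.pem" -passin "pass:$CA_PASS" -sha256 -days 1826 \
    -subj "/C=US/O=Organization/CN=demo-ca" -out "$WORK/ca-cert.pem"
}

# Signs $WORK/$1.csr with the CA using the extension file $2 (steps 4 and 5 above).
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 825 -sha256 -extfile "$2" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Steps 2 to 5 condensed: server key, CSR, and a CA-signed certificate with SAN entries.
make_server_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 \
    -pass "pass:$SRV_PASS" -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -passin "pass:$SRV_PASS" \
    -subj "/C=US/O=Organization/CN=$SERVER_HOST" -out "$WORK/server.csr"
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' 'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:localhost, DNS:$SERVER_HOST, IP:127.0.0.1" > "$WORK/server.ext"
  sign_csr server "$WORK/server.ext"
}

# The client counterpart the page leaves to the reader. The EKU is clientAuth here;
# reusing a serverAuth certificate as the client identity is a common mistake.
make_client_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 \
    -pass "pass:$CLI_PASS" -out "$WORK/client.key" 2>/dev/null
  openssl req -new -key "$WORK/client.key" -passin "pass:$CLI_PASS" \
    -subj "/C=US/O=Organization/CN=$CLIENT_NAME" -out "$WORK/client.csr"
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature' 'extendedKeyUsage = clientAuth' > "$WORK/client.ext"
  sign_csr client "$WORK/client.ext"
}

# Client keystore (key + certificate + CA chain) and truststore (CA certificate only),
# both PKCS12. Assumption: the connection profile accepts PKCS12 stores.
make_client_stores() {
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -passin "pass:$CLI_PASS" -certfile "$WORK/ca-cert.pem" -name "$CLIENT_NAME" \
    -passout "pass:$CLI_PASS" -out "$WORK/client.keystore.p12"
  openssl pkcs12 -export -nokeys -in "$WORK/ca-cert.pem" -name demo-ca \
    -passout "pass:$CLI_PASS" -out "$WORK/client.truststore.p12"
}

# Server certificate: chains to the CA, valid for TLS server use, SAN matches the host.
check_server_cert() {
  openssl verify -CAfile "$WORK/ca-cert.pem" -purpose sslserver \
    -verify_hostname "$SERVER_HOST" "$WORK/server.crt" >/dev/null 2>&1
}
# Client certificate: chains to the same CA and is valid for TLS client authentication.
check_client_cert() {
  openssl verify -CAfile "$WORK/ca-cert.pem" -purpose sslclient "$WORK/client.crt" >/dev/null 2>&1
}
# Keystore opens with the configured password, which is what the adapter will do.
check_keystore() {
  openssl pkcs12 -in "$WORK/client.keystore.p12" -passin "pass:$CLI_PASS" -noout >/dev/null 2>&1
}
# Negative check: the serverAuth-only certificate must NOT pass as a client identity.
check_eku_enforced() {
  ! openssl verify -CAfile "$WORK/ca-cert.pem" -purpose sslclient "$WORK/server.crt" >/dev/null 2>&1
}

build_all() {
  make_ca; make_server_cert; make_client_cert; make_client_stores
  check_server_cert && check_client_cert && check_keystore && check_eku_enforced
}

build_all
echo "client keystore:   $WORK/client.keystore.p12"
echo "client truststore: $WORK/client.truststore.p12"
```

Point SSL Keystore Location at client.keystore.p12 with SSL Keystore Password (and SSL Key Password, if your profile asks for it) set to the client passphrase, and SSL Truststore Location at client.truststore.p12. The truststore deliberately holds only the CA certificate: trusting the CA rather than individual server certificates is what makes the certificate rotation described in the note below work without touching the client.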

Note

You can use Vault to securely configure authentication settings (SSL Certificates).

Note

Striim supports certificate rotation only through the Connection Profile. Adapters pick up the rotated certificates when they retry after an exception or when the application restarts.

Setting no authentication properties

When no authentication is configured, Schema Registry is open to all requests without validating identity.

Configure the following property in schema-registry.properties:

authentication.method=NONE