Authentication and CA
When connecting producers and consumers to a topic within Exoscale Managed Kafka, the only supported connection mechanism is SSL certificate validation. This ensures that both data integrity and confidentiality are maintained during transmission.
SSL Certificate Validation
Exoscale Managed Kafka uses SSL/TLS for encryption and authentication, which requires each producer and consumer to present a valid SSL certificate before a connection can be established. This authentication method prevents unauthorized access and guarantees that only verified entities can interact with the Kafka cluster.
Certificate Authority (CA)
Exoscale provides a trusted Certificate Authority that issues SSL certificates. Clients must use a certificate signed by this CA for successful authentication. This CA acts as a trusted third party, vouching for the identity of the participating entities.
Client Configuration
Each client (producer or consumer) is required to maintain a keystore containing the SSL certificate and private key. This keystore is crucial for establishing the client’s identity during the SSL handshake process.
Clients must also configure a truststore that contains the CA certificate provided by Exoscale. The truststore is used to validate the server’s certificate during the SSL handshake, ensuring that the client is communicating with an authentic Kafka broker.
Connection Setup
When a client attempts to connect to a Kafka broker, an SSL handshake occurs. During this handshake, the client presents its certificate, and the broker validates it against the CA. Simultaneously, the broker presents its certificate, which the client validates using its truststore. Once both parties’ certificates are verified, a secure SSL connection is established, enabling the client to produce or consume messages securely.
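As an added example (not Exoscale's own code), this preflight check reads a Kafka Java-client properties file and reports settings that would prevent the mutual certificate handshake described above. The property keys are standard Apache Kafka client settings; the hostname, file paths and passwords are constructed placeholders.

```python
# Added example: preflight check for a Kafka Java-client properties file.
REQUIRED = {
    "ssl.keystore.location": "no client certificate/key to present in the handshake",
    "ssl.truststore.location": "no CA certificate to validate the broker with",
}

def parse_properties(text):
    """Parse simple key=value Java properties (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings; an empty list means the config is usable."""
    props = parse_properties(text)
    findings = []
    protocol = props.get("security.protocol", "PLAINTEXT")  # Kafka's default
    if protocol != "SSL":
        findings.append(f"security.protocol={protocol}: only SSL is supported")
    for key, why in REQUIRED.items():
        if not props.get(key):
            findings.append(f"{key} missing: {why}")
    return findings

# Constructed sample configs (hostname, paths and passwords are placeholders).
WEAK = """
bootstrap.servers=kafka.example.invalid:9092
security.protocol=PLAINTEXT
"""
GOOD = """
bootstrap.servers=kafka.example.invalid:9092
security.protocol=SSL
ssl.keystore.type=PKCS12
ssl.keystore.location=/etc/kafka-client/client.keystore.p12
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
ssl.truststore.type=JKS
ssl.truststore.location=/etc/kafka-client/client.truststore.jks
ssl.truststore.password=CHANGE_ME
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit(cfg) or "ok")
```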
Benefits of SSL
- Security
By using SSL certificate validation, Exoscale Managed Kafka ensures a high level of security, protecting data from eavesdropping, tampering, and forgery.
- Trust
Leveraging a trusted Certificate Authority provides assurance that the entities interacting with the Kafka cluster are verified and trusted.
- Compliance
SSL certificate validation helps meet compliance requirements for data protection and privacy standards, making Exoscale Managed Kafka suitable for handling sensitive data.