Setup

Run the CloudFormation template to create the VPC and the Cloud9 Bastion environment

  • Make sure you have created an EC2 KeyPair as shown in the Prerequisites section.
    Note: Create a .pem file regardless of whether you are on macOS or Windows.

  • Right click on Launch Stack and open it in a new tab to execute the CloudFormation template. You can download the CloudFormation template here.

  • Choose the EC2 KeyPair that you created in the Prerequisites step.

  • Click Next.

  • Click Next on the next page.

  • Scroll down, check the checkboxes next to I acknowledge that AWS CloudFormation might create IAM resources with custom names and I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND in the Capabilities section and click on Create stack.


    The stack creates:

    1. A VPC with 1 Public subnet and 3 Private subnets and the required plumbing including a NAT Gateway.
    2. A Cloud9 environment that can be used as a jump box.
    3. 1 Apache Kafka client EC2 instance.

Setup AWS Certificate Manager (ACM) Private Certificate Authority (PCA)

  • Go to the AWS Cloud9 console.

  • Click on Open IDE.


  • In the Getting started section, click on Upload Files…


  • Click on Select files. Pick the EC2 pem file that you created in the Prerequisites section. Click Open. The file will be copied to the /home/ec2-user/environment dir and will also be visible in the left pane.


  • Go to the bash pane at the bottom and type in the following commands to set up the ssh environment so that you can access the KafkaClientEC2Instance.

    chmod 600 <pem file>
    eval `ssh-agent`
    ssh-add -k <pem file>
    
  • Create the ACM PCA. Execute the following commands at the bash prompt.

    aws acm-pca create-certificate-authority --certificate-authority-configuration '{"KeyAlgorithm":"RSA_2048","SigningAlgorithm":"SHA256WITHRSA","Subject":{"Country":"US","Organization":"Amazon","OrganizationalUnit":"AWS","State":"New York","CommonName":"MyMSKPCA","Locality":"New York City"}}' --revocation-configuration '{"CrlConfiguration":{"Enabled":false}}' --certificate-authority-type "ROOT" --idempotency-token 12345
    
  • The expected output is

  • Copy the ARN (Amazon Resource Name) of the PCA you just created to a notepad application.

  • Install a self-signed certificate in the ACM PCA you just created. A CA certificate must be installed in the ACM PCA before it can issue and sign end-entity certificates.

    • Go to the AWS ACM Console.

    • Click on Private CAs in the left pane or click on Get started if doing it the first time.

    • Select the PCA you just created. It should display a message saying Before issuing certificates with your CA, you need to import a CA certificate.


    • Click on the link Install a CA certificate to activate your CA. Accept the defaults and click on Next.
      Note: The default validity is 10 years. You can change the validity here but do not set it to a very low value.


    • Click on Confirm and install


    • Go to the Permissions tab. We will authorize ACM to renew certificates issued by this CA. Click on Edit.
      Note: ACM can renew the certificates issued by the PCA before they expire, but the PCA has to authorize ACM to do so. If allowed, ACM renews the certificates, and clients can re-download the issued certificates into their keystores before they expire so that they continue to authenticate successfully.


    • Click on Authorize ACM to use this CA for renewals. Click on Save.
Run the CloudFormation template to create the MSK cluster

  • Right click on the following link and open it in a new tab to execute the CloudFormation template. You can download the CloudFormation template here.
    Warning: Ensure you create the CloudFormation stack in the same region as the ACM PCA that you created earlier.
  • Click Next.

  • You can change the version of Apache Kafka from the MSKKafkaVersion drop down.

  • For PCAARN, specify the ARN of the PCA that you created and copied earlier.

  • Click on the dropdown for TLSMutualAuthentication and select true.

  • For BastionStack, specify the name of the Cloud9 Bastion CloudFormation stack that you created earlier.

  • For VPCStack, go to the CloudFormation console, click on the Cloud9 Bastion CloudFormation stack that you created earlier, go to the Outputs tab and copy the Value for the key VPCStackName.


  • Click Next.

  • Click Next on the next page.

  • Scroll down and click on Create stack.

    It could take up to 15 minutes for the stack to run. Once the status of the stack changes to CREATE_COMPLETE, the stack is done creating. Please wait for the stack to complete and then proceed further.

    The stack creates:

    1. An Amazon MSK cluster that allows both TLS and PLAINTEXT client connections to the Amazon MSK Apache Kafka cluster.

Get the Amazon MSK cluster information

  • Go to the Amazon MSK console. Click on the MSK cluster that was created by CloudFormation.

  • Click on View client information on the top right side of the page under Cluster summary.


  • Click on the Copy icon under Bootstrap servers for both TLS and Plaintext and paste it in a notepad application.

  • Click on the Copy icon under Zookeeper connect and paste it in a notepad application. Click on Done.


Setup Keystore and Truststore in the Apache Kafka client EC2 instance

  • Go to the CloudFormation console.

  • Click on the stack you created in the previous section for the MSK Cluster. Go to the Outputs tab and copy the Value next to the key SSHKafkaClientEC2Instance.

  • Go to the AWS Cloud9 console.

  • Click on Open IDE.


  • Go to the bash pane at the bottom and ssh to the KafkaClientEC2Instance created by the Cloud9 Bastion CloudFormation stack. Paste the copied ssh command.
    Note: If you get a message saying Are you sure you want to continue connecting (yes/no)?, type yes.

    ssh -A ec2-user@<internal-dns-name>
    
  • Enter the following commands to set up the Amazon MSK environment variables.

    cd /tmp/kafka
    . ./setup_env <CloudFormation Stack Name of the MSK cluster>
    
  • Go to the /tmp/kafka dir and run the AuthMSK-1.0-SNAPSHOT.jar jar file. The sample code is available on GitHub.

    Parameters:

    • --help (or -h): prints the list of parameters.
    • -caa (or --certificateAuthorityArn) (mandatory): The ARN of the Private Certificate Authority in ACM that issues the end-client certificates. Use the ARN of the PCA that you copied in the Setup section.
    • -ksp (or --keystorePassword) (mandatory): The keystore password.
    • -ksa (or --alias) (default msk): The alias of the key entry in the keystore.
    • -pem (or --createPEMFiles): Optional flag to also write PEM files for the Private Key and the issued client certificate, for use by clients in Python, Node.js etc.

    Note: The default region for the ACM PCA in the AuthMSK-1.0-SNAPSHOT.jar application is us-east-1. If you created the ACM PCA in a different region, add -reg <region-name> to the command below.

    cd /tmp/kafka
    java -jar AuthMSK-1.0-SNAPSHOT.jar -caa <arn of the ACM PCA that you copied before> -ksp <specify a keystore password> -ksa <specify an alias> -pem
    

    This will do the following:

    • generate a Private Key.
    • create a Java Keystore protected with the keystore password provided.
    • store the Private Key in the keystore with the keystore password provided.
    • convert the Private Key to PEM and store it in a pem file at /tmp/private_key.pem.
    • generate a CSR (Certificate Signing Request) for the Private Key.
    • connect to the ACM PCA provided and have a certificate issued from the CSR.
    • connect to the ACM PCA provided and retrieve the issued certificate.
    • store the issued certificate in the Java Keystore.
    • convert the issued certificate to PEM and store it in a pem file at /tmp/client_cert.pem.

  • Go to the /home/ec2-user/kafka dir and create a couple of topics. The topic test will be used to test successful access to a topic with the right ACL authorization, while the topic testaclfail will be used to test failure when accessing a topic without ACL authorization.

    cd /home/ec2-user/kafka
    bin/kafka-topics.sh --create --zookeeper $zoo --replication-factor 3 --partitions 1 --topic test
    bin/kafka-topics.sh --create --zookeeper $zoo --replication-factor 3 --partitions 1 --topic testaclfail
    
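The step list for AuthMSK-1.0-SNAPSHOT.jar above, and the earlier requirement that a CA certificate be installed in the PCA before it can issue anything, are shown below as one shell script that does the same work with openssl, keytool and the AWS CLI. This is an added example, not the workshop's jar or any AWS-provided code. Assumptions not taken from the page: AWS CLI v2, openssl and a JDK keytool are on the PATH of the Kafka client instance; its instance role may call acm-pca:DescribeCertificateAuthority, acm-pca:IssueCertificate and acm-pca:GetCertificate; the keystore path /tmp/kafka.client.keystore.jks, the 365-day leaf validity and the CSR subject are my choices. The private key and client certificate are written to the same paths the jar uses, and the region is taken from the PCA ARN itself rather than defaulting to us-east-1.

```shell
#!/usr/bin/env bash
# Added example (not the workshop's AuthMSK jar): the same issuance flow done
# with openssl, keytool and the AWS CLI so every step the page lists is visible.
# Assumed: AWS CLI v2, openssl and keytool on PATH; the instance role may call
# acm-pca Describe/Issue/GetCertificate; the keystore path below is my choice.
set -eu

# Pure helper: the region is the 4th ':'-separated field of an ARN. Deriving it
# from the PCA ARN avoids addressing the PCA in the wrong region.
region_from_arn() {
  printf '%s' "$1" | cut -d: -f4
}

# Pure helper: CSR subject (assumed DN). The issued certificate's DN is the
# principal Kafka sees when it evaluates ACLs, so choose the CN deliberately.
csr_subject() {
  printf '/C=US/O=Amazon/OU=AWS/CN=%s' "$1"
}

# The PCA must have its CA certificate installed (console steps above) and be
# ACTIVE before it can issue end-entity certificates; check that first.
pca_is_active() {
  local pca_arn="$1" status
  status="$(aws acm-pca describe-certificate-authority \
      --region "$(region_from_arn "$pca_arn")" \
      --certificate-authority-arn "$pca_arn" \
      --query CertificateAuthority.Status --output text)"
  [ "$status" = "ACTIVE" ]
}

issue_client_cert() {
  local pca_arn="$1" ks_pass="$2" alias="${3:-msk}" cn="${4:-msk-client}"
  local region key csr cert chain ks cert_arn
  region="$(region_from_arn "$pca_arn")"
  key=/tmp/private_key.pem; csr=/tmp/client.csr; cert=/tmp/client_cert.pem
  chain=/tmp/ca_chain.pem; ks=/tmp/kafka.client.keystore.jks

  pca_is_active "$pca_arn" || { echo "PCA $pca_arn is not ACTIVE" >&2; return 1; }

  # 1. Private key (RSA 2048, the same algorithm the PCA was created with).
  openssl genrsa -out "$key" 2048
  chmod 600 "$key"

  # 2. CSR for that key.
  openssl req -new -key "$key" -subj "$(csr_subject "$cn")" -out "$csr"

  # 3. Ask the PCA to sign the CSR. Issuance is asynchronous, so wait for it.
  cert_arn="$(aws acm-pca issue-certificate --region "$region" \
      --certificate-authority-arn "$pca_arn" --csr "fileb://$csr" \
      --signing-algorithm SHA256WITHRSA --validity Value=365,Type=DAYS \
      --query CertificateArn --output text)"
  aws acm-pca wait certificate-issued --region "$region" \
      --certificate-authority-arn "$pca_arn" --certificate-arn "$cert_arn"

  # 4. Fetch the issued leaf certificate and the CA chain as PEM.
  aws acm-pca get-certificate --region "$region" \
      --certificate-authority-arn "$pca_arn" --certificate-arn "$cert_arn" \
      --query Certificate --output text > "$cert"
  aws acm-pca get-certificate --region "$region" \
      --certificate-authority-arn "$pca_arn" --certificate-arn "$cert_arn" \
      --query CertificateChain --output text > "$chain"

  # 5. Confirm the leaf really chains to this PCA before trusting it.
  openssl verify -CAfile "$chain" "$cert"

  # 6. Bundle key + cert + chain as PKCS12, then import it into a JKS keystore
  #    under the requested alias; keystore and key entry share the password.
  cat "$cert" "$chain" > /tmp/client_fullchain.pem
  openssl pkcs12 -export -inkey "$key" -in /tmp/client_fullchain.pem \
      -name "$alias" -passout "pass:$ks_pass" -out /tmp/client.p12
  rm -f "$ks"
  keytool -importkeystore -noprompt \
      -srckeystore /tmp/client.p12 -srcstoretype PKCS12 -srcstorepass "$ks_pass" \
      -destkeystore "$ks" -deststoretype JKS -deststorepass "$ks_pass" \
      -destkeypass "$ks_pass"
  echo "keystore=$ks alias=$alias key=$key cert=$cert"
}

# Only runs when invoked with arguments, e.g.
#   sh issue_client_cert.sh "$PCA_ARN" 'keystore-password' msk msk-client
if [ "$#" -ge 2 ]; then
  issue_client_cert "$@"
fi
```

The openssl verify in step 5 is the check worth keeping even if you stay with the jar: a keystore entry whose certificate does not chain to the PCA the MSK cluster trusts will fail the TLS handshake with an unhelpful error, and verifying the chain locally pinpoints that before any Kafka client is involved.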

At this point you’re ready to use both TLS encryption in-transit and TLS mutual authentication with your Amazon MSK cluster.