AMQ Streams on RHEL - Example Kerberos set up configuration


This article describes an example configuration for setting up a Kerberos server, adding users (principals) for Kafka brokers and ZooKeeper nodes, and configuring a Kerberos client on the Kafka broker hosts.
How you deploy Kerberos depends on your operating system.
Red Hat recommends using Identity Management (IdM) when setting up Kerberos on Red Hat Enterprise Linux.

If you are using an Oracle or IBM JDK, you will need a Java Cryptography Extension (JCE).

Disclaimer

This article has been successfully tested for the following RHEL and streams for Apache Kafka versions:

  1. RHEL 6, OpenJDK 8, streams for Apache Kafka versions before 2.4
  2. RHEL 7, OpenJDK 11, streams for Apache Kafka versions 2.7

The procedure for 2 differs slightly from the procedure for 1. The differences are marked in the article with "For Java 11".

On RHEL 8+, pam_krb5 is no longer supported, and SSSD replaces it.
This solution note explains migrating from pam_krb5 to SSSD.

Set up a Kerberos server

  1. Select an available RHEL host for installation of the Kerberos KDC (Key Distribution Center).

  2. If not already installed, install the Kerberos server and dependency packages for the KDC:

     yum install krb5-server krb5-libs krb5-workstation pam_krb5
    
  3. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf files to set up the domain, realms and mappings.

    Example /etc/krb5.conf configuration:

     [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
     
     [libdefaults]
     default_realm = EXAMPLE.REDHAT.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
    
     [realms]
     EXAMPLE.REDHAT.COM = {
     kdc = services.example.redhat.com
     admin_server = services.example.redhat.com
     }
    
     [domain_realm]
     .example.redhat.com = EXAMPLE.REDHAT.COM
     example.redhat.com = EXAMPLE.REDHAT.COM
    

    For Java 11: Add this option to the [libdefaults] section: allow_weak_crypto = yes

    Example /var/kerberos/krb5kdc/kdc.conf configuration:

     [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88
    
     [realms]
     EXAMPLE.REDHAT.COM = {
     #master_key_type = aes256-cts
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }
    
  4. Initialize the Kerberos KDC database:

     kdb5_util create -s
    

Add users to the Kerberos server

  1. Create the administrator keytab for the kadmin/admin principal used to administer the Kerberos KDC; the keytab path must match the admin_keytab setting in kdc.conf:

     kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin"
    
  2. Start the Kerberos ticket server with the following commands:

     systemctl start krb5kdc.service
     systemctl start kadmin.service
    
  3. When the service is running, create broker users (principals) and keytabs.

    Create a user for each of the broker nodes and ZooKeeper nodes in the form {user}/{fqhostname}@{domain}.

    For example, for Kafka node1:

     sudo kadmin.local -e "des3-hmac-sha1:normal"
    
     kadmin.local:  addprinc kafka/node1.example.redhat.com
     kadmin.local:  ktadd -k /tmp/kafka-node1.keytab kafka/node1.example.redhat.com
    

    This creates the principal:

     kafka/node1.example.redhat.com@EXAMPLE.REDHAT.COM
    

    For Java 11: Add the option -e des-cbc-md5 to the ktadd command, after the -k <keytab-path> option.

  4. Copy each of the generated keytab files to the corresponding broker host and place it in a location accessible by the Kafka process owner.

  5. In addition to creating a broker principal and keytab for each broker and ZooKeeper node in the Kafka cluster, create a principal and keytab for use with the example client:

    For example, for kafka-client:

     kadmin.local:  addprinc kafka-client
     kadmin.local:  ktadd -k /tmp/kafka-client.keytab kafka-client
    
  6. Copy the client keytab to a location accessible to the client application/user on the client host.
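The per-host addprinc and ktadd steps above, generated for a whole list of broker and ZooKeeper hosts plus the client principal. This is an added example and not part of the Red Hat article; it assumes MIT kadmin.local syntax, uses addprinc -randkey (a random key with no password prompt, which is the usual choice for service keytabs, whereas the article's plain addprinc prompts interactively), names keytabs SERVICE-shorthost.keytab after the article's /tmp/kafka-node1.keytab, and the keytab_verify helper (hypothetical, my own) relies on klist and kinit from krb5-workstation. The host names in the dry run are constructed.

```shell
#!/bin/sh
# Added example, not from the article: build the kadmin.local batch that
# creates one service principal and keytab per Kafka broker / ZooKeeper host,
# plus the client principal. Assumptions: MIT kadmin.local syntax; principals
# get a random key (addprinc -randkey) instead of the interactive password
# prompt of a plain addprinc; the extra "-e des-cbc-md5" on ktadd follows the
# article's Java 11 note.

# Usage: service_principal_cmds SERVICE REALM KEYTAB_DIR JAVA11(yes|no) HOST...
# Prints an addprinc and a ktadd line per host. The keytab is written to
# KEYTAB_DIR/SERVICE-<shorthost>.keytab (e.g. /tmp/kafka-node1.keytab).
service_principal_cmds() {
  sp_service=$1; sp_realm=$2; sp_dir=$3; sp_java11=$4; shift 4
  for sp_host in "$@"; do
    sp_short=${sp_host%%.*}                 # node1.example.redhat.com -> node1
    sp_princ="$sp_service/$sp_host@$sp_realm"
    sp_enc=""
    if [ "$sp_java11" = "yes" ]; then sp_enc=" -e des-cbc-md5"; fi
    printf 'addprinc -randkey %s\n' "$sp_princ"
    printf 'ktadd -k %s/%s-%s.keytab%s %s\n' \
      "$sp_dir" "$sp_service" "$sp_short" "$sp_enc" "$sp_princ"
  done
}

# Usage: client_principal_cmds NAME REALM KEYTAB_DIR
# Same for a host-independent client principal such as kafka-client.
client_principal_cmds() {
  printf 'addprinc -randkey %s@%s\n' "$1" "$2"
  printf 'ktadd -k %s/%s.keytab %s@%s\n' "$3" "$1" "$1" "$2"
}

# Pipe generated commands into kadmin.local on the KDC host (run as root).
# Extra arguments are passed through, e.g. kadmin_apply -e "des3-hmac-sha1:normal"
# as in the article. Refuses when kadmin.local is absent, so the generator
# itself can be exercised on any machine.
kadmin_apply() {
  if ! command -v kadmin.local >/dev/null 2>&1; then
    echo "kadmin.local not found: run this on the KDC host" >&2; return 127
  fi
  kadmin.local "$@"
}

# Hypothetical helper for a broker host after the keytab was copied there:
# confirm the keytab holds PRINCIPAL and that a ticket can be obtained with
# it, which also exercises the host's /etc/krb5.conf.
keytab_verify() {
  kv_keytab=$1; kv_princ=$2
  if ! command -v kinit >/dev/null 2>&1; then
    echo "kinit not found: install krb5-workstation" >&2; return 127
  fi
  if ! klist -kt "$kv_keytab" | grep -qF -- "$kv_princ"; then
    echo "$kv_princ is not in $kv_keytab" >&2; return 1
  fi
  kinit -kt "$kv_keytab" "$kv_princ" && klist
}

# Dry run on constructed host names: print the batch instead of applying it.
# On the KDC you would append "| kadmin_apply" to each generator call.
service_principal_cmds kafka EXAMPLE.REDHAT.COM /tmp no \
  node1.example.redhat.com node2.example.redhat.com
service_principal_cmds zookeeper EXAMPLE.REDHAT.COM /tmp no zk1.example.redhat.com
client_principal_cmds kafka-client EXAMPLE.REDHAT.COM /tmp
```

Review the printed batch first, then run the generators again piped into kadmin_apply on the KDC; each generated ktadd still randomizes the key and bumps the kvno, so copy the keytab to the broker host only after the batch has finished.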

Configure a Kerberos client on the broker hosts

  1. Install a Kerberos client on each Kafka broker host, configured to use the Kerberos domain of your Kerberos server.

     yum install krb5-workstation
    
  2. Configure each of the Kafka broker and ZooKeeper hosts to use the domain KDC as the ticket server by editing /etc/krb5.conf to add the domain and realm:

    For example:

     includedir /etc/krb5.conf.d/
    
     [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
     [libdefaults]
     dns_lookup_realm = false
     dns_lookup_kdc = false
     allow_weak_crypto = yes
     ticket_lifetime = 24h
     default_realm = EXAMPLE.REDHAT.COM
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
     default_ccache_name = KEYRING:persistent:%{uid}
    
     [realms]
     EXAMPLE.REDHAT.COM = {
     kdc = services.example.redhat.com
     admin_server = services.example.redhat.com
     }
    
     [domain_realm]
     .example.redhat.com = EXAMPLE.REDHAT.COM
     example.redhat.com = EXAMPLE.REDHAT.COM
    
     [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf
    
     [pam]
     debug = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     krb4_convert = false
    

    The KDC and admin server entries for the configured realm point to the fully qualified hostname of the Kerberos server.

    The domain-realm mappings associate full or partial domain names with the Kerberos realm used for authentication.
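A consistency check for the krb5.conf files on this page (the KDC's own file in "Set up a Kerberos server" and the client file above), run before the file is copied to the broker and ZooKeeper hosts. This is an added example, not part of the Red Hat article; it assumes the MIT krb5 layout the article uses ([section] headers, "key = value" lines, "REALM = {" blocks under [realms]) and all function names are my own. It confirms that default_realm and every [domain_realm] target actually have a [realms] block (a mismatch only surfaces later as "Cannot find KDC for realm" on kinit), and it warns when allow_weak_crypto or DES/3DES/RC4 enctypes are enabled, which the weak-crypto function will also report for the supported_enctypes line of the kdc.conf shown earlier. The two sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: sanity checks for a
# krb5.conf before copying it to the KDC, broker and ZooKeeper hosts.
# Assumes the MIT krb5 layout the article uses: [section] headers,
# "key = value" lines and "REALM = {" blocks under [realms].

# Print "key value" for every "key = value" line inside [SECTION] of FILE.
# A "NAME = {" block opener is printed as "NAME {"; comment lines are skipped.
krb5_section_kv() {
  awk -v want="$2" '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*/, "", sec); next }
    sec == want && $2 == "=" { print $1, $3 }
  ' "$1"
}

# default_realm from [libdefaults] (empty if missing).
krb5_default_realm() {
  krb5_section_kv "$1" libdefaults | awk '$1 == "default_realm" { print $2; exit }'
}

# Realms that have a "NAME = {" block under [realms].
krb5_defined_realms() {
  krb5_section_kv "$1" realms | awk '$2 == "{" { print $1 }'
}

# Realms named on the right-hand side of [domain_realm] mappings.
krb5_mapped_realms() {
  krb5_section_kv "$1" domain_realm | awk '{ print $2 }' | sort -u
}

# Lines that enable weak or deprecated encryption types (allow_weak_crypto,
# single DES, 3DES, RC4). Exit status 1 when there are none. Works on
# kdc.conf as well, where it flags the supported_enctypes list.
krb5_weak_crypto_lines() {
  grep -nEi 'allow_weak_crypto[[:space:]]*=[[:space:]]*(yes|true)|des-cbc-|des3-hmac|arcfour-hmac' "$1"
}

# Check FILE: exit 0 when every realm referenced is defined, 1 otherwise.
# Weak-crypto settings are reported as warnings only.
krb5_conf_check() {
  chk_file=$1; chk_rc=0
  chk_realm=$(krb5_default_realm "$chk_file")
  chk_defined=$(krb5_defined_realms "$chk_file")
  if [ -z "$chk_realm" ]; then
    echo "ERROR: $chk_file: no default_realm in [libdefaults]"; chk_rc=1
  elif ! printf '%s\n' "$chk_defined" | grep -qxF -- "$chk_realm"; then
    echo "ERROR: $chk_file: default_realm $chk_realm has no [realms] entry"; chk_rc=1
  fi
  for chk_r in $(krb5_mapped_realms "$chk_file"); do
    if ! printf '%s\n' "$chk_defined" | grep -qxF -- "$chk_r"; then
      echo "ERROR: $chk_file: [domain_realm] maps to undefined realm $chk_r"; chk_rc=1
    fi
  done
  if chk_weak=$(krb5_weak_crypto_lines "$chk_file"); then
    printf 'WARN: %s enables weak encryption types:\n%s\n' "$chk_file" "$chk_weak"
  fi
  if [ "$chk_rc" -eq 0 ]; then echo "OK: $chk_file realm layout is consistent"; fi
  return "$chk_rc"
}

# Constructed sample mirroring the article's client krb5.conf.
krb5_sample_conf() {
  cat <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.REDHAT.COM
 dns_lookup_kdc = false
 allow_weak_crypto = yes

[realms]
 EXAMPLE.REDHAT.COM = {
  kdc = services.example.redhat.com
  admin_server = services.example.redhat.com
 }

[domain_realm]
 .example.redhat.com = EXAMPLE.REDHAT.COM
 example.redhat.com = EXAMPLE.REDHAT.COM
EOF
}

# Constructed sample with a typo in the [realms] block name.
krb5_sample_conf_broken() {
  krb5_sample_conf | sed 's/^ EXAMPLE\.REDHAT\.COM = {/ EXAMPLE.REDHAT.CON = {/'
}

# Demo on the two samples; on a real host run: krb5_conf_check /etc/krb5.conf
demo_f=$(mktemp)
krb5_sample_conf > "$demo_f";        krb5_conf_check "$demo_f" || true
krb5_sample_conf_broken > "$demo_f"; krb5_conf_check "$demo_f" || true
rm -f "$demo_f"
```

The checker deliberately treats weak enctypes as a warning rather than a failure, because the article's Java 11 procedure requires allow_weak_crypto = yes; the warning makes that trade-off visible on every host the file is deployed to instead of leaving it buried in [libdefaults].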

What next?

After you have set up the Kerberos server and clients, you can configure the Kafka brokers and ZooKeeper cluster to use Kerberos authentication.
