Status: Functionality already exists
Workspace: WebSphere Liberty
Created by: Guest
Created on: Oct 16, 2023

Client Authentication for Kafka Producer in Liberty Server

Our problem

We want to run multiple Java programs (in the current use case, Kafka producers) in a single CICS Liberty Server. Authentication on the Kafka broker side (hosted on our on-premise cloud) is done by client certificates. Our security department requires that we use separate certificates to distinguish different applications. However, CICS Liberty Server supports one universal certificate for a given IP address + port combination, i.e. our Kafka broker.

Our suggestion

Each Kafka Producer (i.e. Java program on Liberty) can configure/manage its own certificate decentrally, without a central certificate in Liberty Server.

When creating Kafka events by the producer, it can be configured in the keystores. Here is the documentation for the Confluent Kafka that describes the attributes: https://docs.confluent.io/platform/current/connect/security.html

The keystore is set using the variables:

ssl.keystore.location=/var/private/ssl/kafka.source.keystore.jks
ssl.keystore.password=connector1234
ssl.key.password=connector1234

From this keystore, the first certificate is grabbed to authenticate and encrypt the connection. This keystore must be password protected, and the key in it must also be password protected.

It should be possible to change these properties in different places, but basically everything seems to converge in one place: the Producer is given a Properties object in the Java program when it is created via the constructor Producer(Properties p). These Properties can be set beforehand using these variables.

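import java.util.Properties;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.Producer;

Properties props = new Properties();
// bootstrap.servers, the serializers and security.protocol=SSL must be set as well
props.put("ssl.keystore.location", "/path/to/keystore.jks");
props.put("ssl.keystore.password", "keystorepassword");
props.put("ssl.key.password", "keystorepassword");

// KafkaProducer is the concrete class behind the Producer interface
Producer<String, String> producer = new KafkaProducer<>(props);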

This is also described in the producer documentation: https://kafka.apache.org/20/javadoc/org/apache/kafka/clients/producer/KafkaProducer.html

Idea priority: Medium
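The per-producer keystore approach described in the idea above, as an added example that is not part of the original post or of IBM's or Kafka's own code: it builds separate settings for two applications and rejects misspelled property names before any producer is created. The application names, broker address, keystore paths and environment variable names are hypothetical.

```java
import java.util.Properties;
import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.serialization.StringSerializer;

public class PerAppProducerTls {
    // Settings for one application's producer; the broker address is a constructed placeholder.
    static Properties mtlsProps(String clientId, String keystorePath, String storePass, String keyPass) {
        Properties p = new Properties();
        p.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "broker.example.internal:9093");
        p.put(ProducerConfig.CLIENT_ID_CONFIG, clientId);
        p.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        p.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        // The ssl.* settings are only used when the protocol is SSL (or SASL_SSL).
        p.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
        p.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keystorePath);
        p.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, storePass);
        p.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, keyPass);
        return p;
    }

    // Kafka does not reject unknown property names, so a key such as
    // "ssl.key.password " (trailing space) would simply not be applied.
    static void requireKnownKeys(Properties p) {
        for (String key : p.stringPropertyNames()) {
            if (!ProducerConfig.configNames().contains(key)) {
                throw new IllegalArgumentException("Unknown producer property: '" + key + "'");
            }
        }
    }

    // Constructed fallback keeps the example runnable offline; real code should fail if unset.
    static String secret(String envVar) {
        return System.getenv().getOrDefault(envVar, "constructed-placeholder");
    }

    public static void main(String[] args) {
        Properties orders = mtlsProps("orders-app", "/path/to/orders.keystore.jks",
                secret("ORDERS_KS_PASS"), secret("ORDERS_KEY_PASS"));
        Properties billing = mtlsProps("billing-app", "/path/to/billing.keystore.jks",
                secret("BILLING_KS_PASS"), secret("BILLING_KEY_PASS"));
        for (Properties p : new Properties[] {orders, billing}) {
            requireKnownKeys(p);
            ProducerConfig cfg = new ProducerConfig(p); // parses and type-checks; opens no file or socket
            System.out.println(cfg.getString(ProducerConfig.CLIENT_ID_CONFIG) + " -> "
                    + cfg.getString(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG));
        }
    }
}
```

Each application would then pass its own Properties to new KafkaProducer<>(props), which is the point at which the keystore file is actually read.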
  • Admin
    Graham Charters
    Nov 16, 2023

    Thank you for the suggestion. Based on the previous comment, we recommend looking at MicroProfile Reactive Messaging as the way to address this requirement. We are therefore choosing to close this request. If you would like to discuss this decision further, please contact Graham Charters <charters@uk.ibm.com>.

  • Guest
    Nov 14, 2023

    Thank you for proposing the idea! It is indeed an issue for configuring different certificates per producer in one application when directly using Kafka producers. The good news is that the feature MicroProfile Reactive Messaging offered by Liberty can easily achieve what you want. Here is the information regarding how to do it. If you have not used MicroProfile Reactive Messaging, please refer to this guide to see how it works. We will update our Open Liberty doc to document the `how` bit soon, which is applicable to WebSphere Liberty.