Please provide complete information as applicable to your setup.
• Hardware Platform - Jetson / GPU
• DeepStream Version - 6.0
• Issue Type - questions
• Requirement details - 1-way TLS Authentication for kafka client using nvmsgbroker plugin
I have a custom application, similar to the DeepStream sample app 4, with the nvmsgbroker plugin configured with DeepStream's Kafka adaptor. My application runs fine with PLAINTEXT Kafka messages with the Kafka broker. My Kafka broker is also set up with 1-way TLS authentication and I want to enable security on my application side. I have only one “.pem” to set up the DeepStream Kafka client's configuration. But DeepStream 2-way TLS requires the following config files, which I don't have.
I have the private key and signed certificate generated for the client by the kafka broker server.
This is what I pass to the nvmsgbroker config file.
[message-broker]
proto-cfg = "security.protocol=ssl;ssl.certificate.location=/opt/client.crt;ssl.key.location=/opt/privatekey.pem;debug=broker,security"
#proto-cfg = "security.protocol=ssl;ssl.ca.location=<path to your ca>/ca-client-cert;ssl.certificate.location=<path to your certificate >/client1_cert.pem;ssl.key.location=<path to your private key>/client1_private_key.pem;ssl.key.password=test1234;debug=broker,security"
The error message I receive from the Kafka broker.
I set the CA file path provided by the kafka broker inside nvmsgbroker config file and the SSL enabled communication was successful for my deepstream kafka metadata producer.
I think I don’t need to set ssl.certificate.location and ssl.key.location since I have the CA file with me.
Verified the connection using test_kafka_proto_sync app inside deepstream sources/libs/kafka_protocol_adaptor.
Output until the SSL authentication is as follows.
root@tensorbook:/opt/nvidia/deepstream/deepstream-6.0/sources/libs/kafka_protocol_adaptor# ./test_kafka_proto_sync
Refer to nvds log file for log output
Adapter protocol=KAFKA , version=2.0
connection signature queried=
%7|1652091041.813|SSL|rdkafka#producer-1| [thrd:app]: Loading CA certificate(s) from file /opt/kafkaCa.pem
%7|1652091041.814|BRKMAIN|rdkafka#producer-1| [thrd::0/internal]: :0/internal: Enter main broker thread
%7|1652091041.814|STATE|rdkafka#producer-1| [thrd::0/internal]: :0/internal: Broker changed state INIT -> UP
%7|1652091041.814|BROKER|rdkafka#producer-1| [thrd:app]: ssl://10.X.X.X:29092/bootstrap: Added new broker with NodeId -1
%7|1652091041.814|BRKMAIN|rdkafka#producer-1| [thrd:ssl://10.X.X.X:29092/bootstrap]: ssl://10.X.X.X:29092/bootstrap: Enter main broker thread
%7|1652091041.814|CONNECT|rdkafka#producer-1| [thrd:ssl://10.X.X.X:29092/bootstrap]: ssl://10.X.X.X:29092/bootstrap: broker in state INIT connecting
%7|1652091041.814|CONNECT|rdkafka#producer-1| [thrd:ssl://10.X.X.X:29092/bootstrap]: ssl://10.X.X.X:29092/bootstrap: Connecting to ipv4#10.X.X.X:29092 (ssl) with socket 10
%7|1652091041.814|STATE|rdkafka#producer-1| [thrd:ssl://10.X.X.X:29092/bootstrap]: ssl://10.X.X.X:29092/bootstrap: Broker changed state INIT -> CONNECT
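The difference between the two configurations in this thread can be checked mechanically. The following is an added example, not part of the original posts or of DeepStream: a small Python check that parses a proto-cfg string and reports whether it describes 1-way or 2-way TLS and what is missing. The function names and the sample strings are assumptions made for illustration; the keys are librdkafka configuration properties.

```python
# Added example: classify an nvmsgbroker proto-cfg string by TLS mode.
# Helper names are hypothetical; keys are librdkafka properties.

def parse_proto_cfg(cfg):
    """Split 'k1=v1;k2=v2' into a dict, ignoring empty segments."""
    out = {}
    for part in cfg.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed proto-cfg entry: {part!r}")
        out[key.strip()] = value.strip()
    return out

def check_tls(cfg):
    """Return (mode, findings) for a proto-cfg string."""
    p = parse_proto_cfg(cfg)
    findings = []
    proto = p.get("security.protocol", "plaintext").lower()
    if proto not in ("ssl", "sasl_ssl"):
        return "plaintext", ["traffic to the broker is not encrypted"]
    has_ca = "ssl.ca.location" in p
    has_cert = "ssl.certificate.location" in p
    has_key = "ssl.key.location" in p
    if not has_ca:
        findings.append("ssl.ca.location not set: a broker certificate "
                        "issued by a private CA cannot be verified")
    if has_cert != has_key:
        findings.append("client certificate and key must be set together")
    if p.get("enable.ssl.certificate.verification", "true").lower() == "false":
        findings.append("broker certificate verification is disabled")
    if "ssl.key.password" in p:
        findings.append("key password is stored in clear text in the config")
    mode = "2-way TLS" if (has_cert and has_key) else "1-way TLS"
    return mode, findings

# Constructed samples, modelled on the configurations in the thread.
FIRST_ATTEMPT = ("security.protocol=ssl;ssl.certificate.location=/opt/client.crt;"
                 "ssl.key.location=/opt/privatekey.pem;debug=broker,security")
WORKING = "security.protocol=ssl;ssl.ca.location=/opt/kafkaCa.pem;debug=broker,security"

if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        mode, findings = check_tls(cfg)
        print(f"{name}: {mode}")
        for finding in findings:
            print(f"  - {finding}")
```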