How to enable 1-way TLS Authentication for deepstream kafka client using nvmsgbroker plugin

Please provide complete information as applicable to your setup.

• Hardware Platform - Jetson / GPU
• DeepStream Version - 6.0
• Issue Type - questions
• Requirement details - 1-way TLS Authentication for kafka client using nvmsgbroker plugin

I have a custom application, similar to the deepstream sample app 4, with the nvmsgbroker plugin configured with DeepStream's kafka adaptor. My application runs fine with PLAINTEXT kafka messages with the kafka broker. My kafka broker is also set up with 1-way TLS authentication and I want to enable security on my application side. I have only one ".pem" to set up the deepstream kafka client configuration. But the deepstream 2-way TLS requires the following config files, which I don't have.

[message-broker]
proto-cfg = "security.protocol=ssl;
ssl.ca.location=ca-client-cert;
ssl.certificate.location=client1_cert.pem;
ssl.key.location=client1_private_key.pem;
ssl.key.password=test1234;
ssl.cipher.suites=ECDHE-RSA-AES256-GCM-SHA384;
debug=broker,security"

How can I enable 1-way TLS authentication for the deepstream kafka client using a single .pem file?

Which one do you not have?

I have the private key and signed certificate generated for the client by the kafka broker server.

This is what I pass to the nvmsgbroker config file.

[message-broker]
proto-cfg = "security.protocol=ssl;ssl.certificate.location=/opt/client.crt;ssl.key.location=/opt/privatekey.pem;debug=broker,security"
#proto-cfg = "security.protocol=ssl;ssl.ca.location=<path to your ca>/ca-client-cert;ssl.certificate.location=<path to your certificate >/client1_cert.pem;ssl.key.location=<path to your private key>/client1_private_key.pem;ssl.key.password=test1234;debug=broker,security"

The error message I receive from the kafka broker.

root@tensorbook:/opt/nvidia/deepstream/deepstream-6.0/sources/libs/kafka_protocol_adaptor# ./test_kafka_proto_sync 
Refer to nvds log file for log output
Adapter protocol=KAFKA , version=2.0
connection signature queried= 
%7|1652088801.218|SSL|rdkafka#producer-1| [thrd:app]: Loading certificate from file /opt/client.crt
%7|1652088801.219|SSL|rdkafka#producer-1| [thrd:app]: Loading private key file from /opt/privatekey.pem
%3|1652088801.219|SSL|rdkafka#producer-1| [thrd:app]: ../crypto/asn1/tasn_dec.c:1149: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag: 
%3|1652088801.219|SSL|rdkafka#producer-1| [thrd:app]: ../crypto/asn1/tasn_dec.c:309: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error: Type=X509_ALGOR
%3|1652088801.219|SSL|rdkafka#producer-1| [thrd:app]: ../crypto/asn1/tasn_dec.c:646: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error: Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
%3|1652088801.219|SSL|rdkafka#producer-1| [thrd:app]: ../crypto/pem/pem_pkey.c:88: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib: 
Connect failed. Exiting

I set the CA file path provided by the kafka broker inside nvmsgbroker config file and the SSL enabled communication was successful for my deepstream kafka metadata producer.
I think I don't need to set ssl.certificate.location and ssl.key.location since I have the CA file with me.

Verified the connection using test_kafka_proto_sync app inside deepstream sources/libs/kafka_protocol_adaptor.
Output until the SSL authentication is as follows.

root@tensorbook:/opt/nvidia/deepstream/deepstream-6.0/sources/libs/kafka_protocol_adaptor# ./test_kafka_proto_sync 
Refer to nvds log file for log output
Adapter protocol=KAFKA , version=2.0
connection signature queried= 
%7|1652091041.813|SSL|rdkafka#producer-1| [thrd:app]: Loading CA certificate(s) from file /opt/kafkaCa.pem
%7|1652091041.814|BRKMAIN|rdkafka#producer-1| [thrd::0/internal]: :0/internal: Enter main broker thread
%7|1652091041.814|STATE|rdkafka#producer-1| [thrd::0/internal]: :0/internal: Broker changed state INIT -> UP
%7|1652091041.814|BROKER|rdkafka#producer-1| [thrd:app]: ssl://10.X.X.X:29092/bootstrap: Added new broker with NodeId -1
%7|1652091041.814|BRKMAIN|rdkafka#producer-1| [thrd:ssl://10.X.X.X:29092/bootstrap]: ssl://10.X.X.X:29092/bootstrap: Enter main broker thread
%7|1652091041.814|CONNECT|rdkafka#producer-1| [thrd:ssl://10.X.X.X:29092/bootstrap]: ssl://10.X.X.X:29092/bootstrap: broker in state INIT connecting
%7|1652091041.814|CONNECT|rdkafka#producer-1| [thrd:ssl://10.X.X.X:29092/bootstrap]: ssl://10.X.X.X:29092/bootstrap: Connecting to ipv4#10.X.X.X:29092 (ssl) with socket 10
%7|1652091041.814|STATE|rdkafka#producer-1| [thrd:ssl://10.X.X.X:29092/bootstrap]: ssl://10.X.X.X:29092/bootstrap: Broker changed state INIT -> CONNECT
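The thread ends with the working 1-way TLS setting (only ssl.ca.location) after a failed attempt in which librdkafka reported ASN.1 errors while reading the private key file. The script below is an added example, not DeepStream, nvmsgbroker or librdkafka code: it parses the proto-cfg string into key/value pairs and checks, before the client loads anything, that a 1-way TLS config carries a CA path, that certificate and key are either both present or both absent, and that each referenced PEM file actually contains the block type its slot expects (a certificate handed over in the key slot is one way to get exactly the PEM_read_bio_PrivateKey error shown above). The file names and PEM contents it writes are constructed placeholders with no real key material.

```python
"""Sanity-check an nvmsgbroker Kafka proto-cfg string before librdkafka loads it.

Added example, not DeepStream or librdkafka code. It assumes the config keys
used in the thread: security.protocol, ssl.ca.location,
ssl.certificate.location, ssl.key.location. The PEM files written by demo()
are constructed placeholders (headers only, no real key material).
"""
import os
import re
import tempfile

PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)

# PEM block types acceptable in each librdkafka file-location key.
EXPECTED_BLOCKS = {
    "ssl.ca.location": {"CERTIFICATE", "TRUSTED CERTIFICATE"},
    "ssl.certificate.location": {"CERTIFICATE"},
    "ssl.key.location": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                         "ENCRYPTED PRIVATE KEY"},
}


def parse_proto_cfg(proto_cfg: str) -> dict:
    """Split the semicolon-separated 'key=value' string used by proto-cfg.

    Surrounding quotes and whitespace are stripped. If a key appears twice
    (as in the duplicated ssl.key.password line quoted in the question),
    this parser keeps the last value, so such duplicates are easy to miss.
    """
    cfg = {}
    for item in proto_cfg.strip().strip('"').split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed proto-cfg item: {item!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def pem_block_types(path: str) -> set:
    """Return the set of PEM block types in a file, e.g. {'CERTIFICATE'}."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return set(PEM_HEADER.findall(fh.read()))


def check_tls_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the config is consistent.

    1-way TLS needs only ssl.ca.location (the client verifies the broker).
    ssl.certificate.location and ssl.key.location are for 2-way TLS and only
    make sense as a pair.
    """
    findings = []
    if cfg.get("security.protocol") not in ("ssl", "sasl_ssl"):
        findings.append("security.protocol is not ssl/sasl_ssl; TLS is off")
        return findings
    if "ssl.ca.location" not in cfg:
        findings.append("ssl.ca.location missing: broker certificate cannot be verified")
    has_cert = "ssl.certificate.location" in cfg
    has_key = "ssl.key.location" in cfg
    if has_cert != has_key:
        findings.append("ssl.certificate.location and ssl.key.location must be set together")
    for key, allowed in EXPECTED_BLOCKS.items():
        path = cfg.get(key)
        if path is None:
            continue
        if not os.path.isfile(path):
            findings.append(f"{key}: file not found: {path}")
            continue
        found = pem_block_types(path)
        if not found:
            findings.append(f"{key}: no PEM blocks in {path}")
        elif not found & allowed:
            findings.append(f"{key}: {path} contains {sorted(found)}, "
                            f"expected one of {sorted(allowed)}")
    return findings


def demo() -> dict:
    """Write constructed PEM stubs and evaluate three proto-cfg variants."""
    tmp = tempfile.mkdtemp()
    ca = os.path.join(tmp, "kafkaCa.pem")     # placeholder CA bundle
    crt = os.path.join(tmp, "client.crt")     # placeholder client certificate
    stub = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    for path in (ca, crt):
        with open(path, "w") as fh:
            fh.write(stub)
    # The setting that worked in the thread: CA only, i.e. 1-way TLS.
    one_way = f'"security.protocol=ssl;ssl.ca.location={ca};debug=broker,security"'
    # A certificate in the key slot: librdkafka would fail to parse a private key.
    wrong_key = (f'"security.protocol=ssl;ssl.ca.location={ca};'
                 f'ssl.certificate.location={crt};ssl.key.location={crt}"')
    # Client certificate without CA or key: neither side can be verified.
    no_ca = f'"security.protocol=ssl;ssl.certificate.location={crt}"'
    return {
        "one_way": check_tls_config(parse_proto_cfg(one_way)),
        "wrong_key": check_tls_config(parse_proto_cfg(wrong_key)),
        "no_ca": check_tls_config(parse_proto_cfg(no_ca)),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```

Run it once against the real proto-cfg line (paste the string from the [message-broker] section into parse_proto_cfg) before starting the pipeline; an empty findings list for the one_way case matches the behaviour reported in the thread, where only the CA path was needed.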
