Note: This connector is subject to the Snowflake Connector Terms.
# Snowflake Openflow Connector for Kafka: Configuring mTLS Authentication
With mTLS (mutual Transport Layer Security), the connector (client) and the Kafka broker (server) each present a certificate during the TLS handshake and verify the other's, so both sides are authenticated.
## Prerequisites
Before configuring mTLS authentication, ensure you have:
- Generated and configured the necessary certificates for both the connector and the Kafka broker.
- Created a keystore containing the connector’s private key and certificate.
- (Optional) Created a truststore containing the Kafka broker certificate or a certificate in the certification chain. This step is only required if the broker certificate is not signed by a trusted Certificate Authority (CA).
- The supported keystore/truststore formats are PKCS12, JKS, and BCFKS.
## Step 1: Configure SSL Context Service
From the Openflow NiFi canvas, access the Controller Services configuration:
- Double-click on the connector’s processing group.
- Right-click on the canvas and select Controller Services.
Add a new StandardSSLContextService:
- Select + to add a new controller service.
- Select StandardSSLContextService from the list.
- Select Add.
Configure the SSL Context Service properties:
| Property | Value |
|---|---|
| Keystore Filename | Full path to your keystore file (for example, /path/to/client-keystore.p12), or Asset reference |
| Keystore Password | Password for the keystore |
| Keystore Type | Keystore format (PKCS12, JKS, or BCFKS) |
| Key Password | Password for the private key (if the key is encrypted) |
| Truststore Filename | Full path to your truststore file (for example, /path/to/client-truststore.p12), or Asset reference |
| Truststore Password | Password for the truststore |
| Truststore Type | Truststore format (PKCS12, JKS, or BCFKS) |
Enable the SSL Context Service:
- Select Enable for the service.
- Confirm that the service status shows as Enabled.
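As an added example (not part of the Snowflake documentation), the following script builds the PKCS12 keystore and truststore that the table above refers to and inspects them before the service is enabled. The CA, certificate names, file names and password are constructed placeholders; in a real deployment the CA that the broker trusts issues the client certificate.

```shell
#!/bin/sh
# Added example, not from the Snowflake docs: build the PKCS12 keystore and
# truststore StandardSSLContextService expects and inspect them before enabling
# the service. A throwaway CA and client cert are generated so it runs offline;
# in practice the CA the broker trusts signs the client cert (names are made up).
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KS_PASS="${KS_PASS:-changeit}"   # placeholder password; use a real secret in Openflow
cd "$WORKDIR"

# Constructed test data: a local CA and a client certificate it signs.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-kafka-ca" \
    -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=openflow-kafka-client" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -days 1 -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client.crt 2>/dev/null
}

# Keystore Filename: the connector's private key plus its certificate chain.
make_client_keystore() {
  openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
    -name openflow-client -out client-keystore.p12 -passout "pass:$KS_PASS"
}

# Truststore Filename: the broker CA certificate only, no private key.
make_truststore() {
  openssl pkcs12 -export -nokeys -in ca.crt -name kafka-ca \
    -out client-truststore.p12 -passout "pass:$KS_PASS"
}

# Subject CN of the client certificate held in the keystore (what the broker sees).
keystore_client_cn() {
  openssl pkcs12 -in client-keystore.p12 -passin "pass:$KS_PASS" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Check that the client certificate chains to a CA present in the truststore.
client_cert_chains_to_truststore_ca() {
  openssl pkcs12 -in client-truststore.p12 -passin "pass:$KS_PASS" -nokeys 2>/dev/null >trusted.pem
  openssl verify -CAfile trusted.pem client.crt >/dev/null 2>&1
}
# Optional live check (needs a reachable broker): the mTLS handshake must complete
# and the broker certificate must verify against the CA in the truststore.
check_broker_handshake() {   # usage: check_broker_handshake broker.example.com:9093
  openssl s_client -connect "$1" -cert client.crt -key client.key -CAfile ca.crt \
    </dev/null 2>&1 | grep -q 'Verify return code: 0 (ok)'
}
```

Point Keystore Filename and Truststore Filename at the two `.p12` files only after `keystore_client_cn` shows the expected client identity and the chain check passes; a keystore that holds the wrong certificate or a truststore missing the broker CA is the usual cause of a handshake failure that only surfaces when the Kafka3Connection service is verified.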
### Configuring PEM-encoded SSL context
If your certificates and keys are in PEM format (.pem, .crt, .key) rather than in a JKS or PKCS12 keystore, use the PEMEncodedSSLContextProvider controller service instead of StandardSSLContextService.
- In the Controller Services tab, select + to add a new controller service.
- Select PEMEncodedSSLContextProvider from the list.
- Select Add.
- Configure the service properties:
| Property | Value |
|---|---|
| Certificate | Path to your PEM-encoded certificate file (.pem, .crt), or Asset reference (see Ops parameters and assets) |
| Private Key | Path to your PEM-encoded private key file (.key), or Asset reference |
| CA Certificate | Path to the CA certificate file, or Asset reference. Required only if the broker certificate is not signed by a trusted CA. |
- Enable the service.
- In Step 2, set SSL Context Service to this PEMEncodedSSLContextProvider instead of the StandardSSLContextService.
## Step 2: Configure Kafka3Connection Service
- In the same Controller Services tab, locate the Kafka3Connection service.
- Configure the following properties:
| Property | Value |
|---|---|
| Security Protocol | SSL |
| SSL Context Service | Select the SSL Context Service you created in Step 1: Configure SSL Context Service |
- Keep all other Kafka3Connection service settings unchanged.
- Verify the Kafka3Connection service:
  - Select Verify for the service.
  - Confirm that the service status shows as Verified.