Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The profile consists of three tabs: General, Advanced, and External Keystore.

General Tab

Keystore Settings

The following settings are available:

...

Info
titleExample - How to create a client-specific Keystore file

To create a client-specific Java Keystore file, you can use the keytool command with the required variables. In this example the generated file will be for a specific client and contain only their certificate and public key. 

Code Block
languagebash
titleCode Block
$ keytool -export -alias server -keystore ./server.jks -file ./server.cer
...
$ keytool -import -alias client -file ./server.cer -keystore ./client.jks
...

Note: Execution of these commands will present password entry prompts, you will need to remember the entered passphrase. 

Truststore Settings

The following settings are available:

FieldDescription
Type

You can select from the following options: 

  • Java Truststore
  • Use Java Keystore
  • External Truststore
  • Use External Keystore
  • <None>

Selecting Use Java Keystore disables the rest of the truststore settings and the keystore specified in Keystore Settings is used.

Selecting External Truststore or Use External Keystore disables the rest of the truststore settings and will require more input in External Keystore tab.

Selecting <None> disables the rest of the truststore settings.

Path

Enter the location of the truststore that you want to use. 
PasswordEnter the relevant truststore password.

Advanced Tab

The Advanced tab enables you to make more detailed configurations for which cipher suites to accept. 

...

FieldDescription
Enable TLS Settings

If you want to change the TLS security parameters, select this check box. The default setting is to use the settings from the Java installation.

Accepted Protocols

You can select if you want agents using this profile to accept only TLS version 1.3 or any TLS version. The default setting is to only accept version 1.3.

Used Cipher Suites

You can select if you want agents using this profile to use only suites that are enabled by default, or any suites. The default setting is to only use suites that are enabled by default.

Cipher Suite Must Match

In this field you can enter any characters that you want the cipher suites to match. You can also enter lists of regular expression, one per row, that you want the cipher suites to match. Suites not matching your entry are greyed out in the Result on this JVM field.

Cipher Suite Must Not Match

If you want to exclude cipher suites, you can enter any characters in this field which excludes suites matching the characters. You can also enter lists of regular expression, one per row, for cipher suites to exclude.

Result on this JVMThis field displays the cipher suites available on the current JVM.

External Keystore Tab

The External Keystore tab enables you to store your SSL certificates in one secure location. Currently, it can be stored in Azure KeyVault or HashiCorp Vault.

Note
titleNote!

Using the Security profile with External Keystore configured with Kafka agents is not supported.

Azure KeyVault

You need to already have created an Azure KeyVault, refer to https://azure.microsoft.com/en-us/products/key-vault for more information.

OptionDescription
Azure KeyVault Profile

Choose a Azure KeyVault Profile to use for the credentials.

Certificate name

The name of the Azure KeyVault certificate.

HashiCorp Vault

You need to already have created an HashiCorp vault, but you can refer to https://learn.hashicorp.com/vault for more information.

...

FieldDescription
Auth Methods

The authentication method for accessing the vault.

Address

Enter the vault address. The format of the address starts with the hyper text transfer protocol, either HTTP or HTTPS, followed by the IP address of the vault and the TCP port.

Info
titleExample

https://127.0.0.1:8200


Username

Enter the vault username.

Password

Enter the vault password.

Path

The full path of the vault secret engine that contains the keystore or truststore.

Info
titleExample

secret/digitalroute/mz/security/server


Uploading a keystore into your vault

will Image Added will require certain criteria to be met when uploading the keystore into your vault. The following command will help show you how to upload.

...

FieldValue Format

filecontent

Base64 String

keyalias

String

keypassword

String

password

String

Uploading a truststore into your vault

Image Added requires certain criteria to be met when uploading the truststore into your vault. The following command shows you how to upload.

...