6928 documentation of mp reactive messaging stream operators 3-7

6928 documentation of mp reactive messaging stream operators 3-7 #6928
OpenLiberty · Feb 23, 2024 · cac8358 · cac8358
1 parent f3fab7a
commit cac8358
Show file tree

Hide file tree

Showing 4 changed files with 151 additions and 133 deletions.
diff --git a/modules/ROOT/pages/class-loader-library-config.adoc b/modules/ROOT/pages/class-loader-library-config.adoc
@@ -28,6 +28,7 @@ If you configure class loading to override the default settings, you cannot depl
 - <<Access third-party APIs from an application>>
 - <<Configure an application to use a Java library that is on an Open Liberty server>>
 
+[#shrdLib]
 == Configure applications to use a shared library
 
 In containerized environments, typically only one application runs on an Open Liberty server. However, some non-containerized configurations might run multiple applications on a single server. In such cases, Java libraries can be shared across multiple applications. All the applications can use the same classes at run time or each application can use a separate copy of those classes that is loaded from the same location. Common libraries, which are used by multiple applications on the server, are specified by the `commonLibraryRef` element. Private libraries, which copy the library classes from the server for use by a single application, are specified by the `privateLibraryRef` element. Private library class paths are appended to the application class loader class path, while a common library has its own class loader that the application delegates to.

diff --git a/modules/ROOT/pages/liberty-kafka-connector-channel-properties.adoc b/modules/ROOT/pages/liberty-kafka-connector-channel-properties.adoc
@@ -55,7 +55,7 @@ If the value of `fast.ack` is `true`, and the acknowledgment is reported as comp
  {empty} +
 This setting specifies the Context Service that is used for Asynchronous tasks.
 
-|
+|<any other property>
 |Uses the Kafka Client default
 |All other properties are passed directly as config parameters to the KafkaConsumer API. A list of required and optional properties can be found in the http://kafka.apache.org/documentation.html#consumerconfigs[Kafka documentation].
 
@@ -80,7 +80,7 @@ This setting specifies the Context Service that is used for Asynchronous tasks.
  {empty} +
 This setting specifies the Context Service that is used for Asynchronous tasks.
 
-|
+|<any other property>
 |Uses the Kafka Client default
 |All other properties are passed directly as config parameters to the KafkaProducer API. A list of required and optional properties can be found in the http://kafka.apache.org/documentation.html#producerconfigs[Kafka documentation].
 

diff --git a/modules/ROOT/pages/liberty-kafka-connector-config-security.adoc b/modules/ROOT/pages/liberty-kafka-connector-config-security.adoc
@@ -0,0 +1,108 @@
+// Copyright (c) 2024 IBM Corporation and others.
+// Licensed under Creative Commons Attribution-NoDerivatives
+// 4.0 International (CC BY-ND 4.0)
+//    https://creativecommons.org/licenses/by-nd/4.0/
+//
+// Contributors:
+// IBM Corporation
+//
+:page-layout: general-reference
+:page-type: general
+:page-description: For configuring the Kafka connector and security in Open Liberty, you can focus on the distinction between channel-specific and connector-wide properties for tailored messaging behavior. 
+:page-categories: MicroProfile Reactive Messaging
+:seo-title: Kafka connector configuration and security
+:seo-description: The integration of MicroProfile Reactive Messaging with Apache Kafka in Open Liberty applications is a significant development in cloud-native microservice designs as it provides an efficient method of asynchronous communication.
+
+
+[#kcconfsec]
+= Kafka connector configuration and security
+
+For configuring the Kafka connector and security in Open Liberty, you can focus on the distinction between channel-specific and connector-wide properties for tailored messaging behavior. 
+
+Connector-wide properties, like `bootstrap.servers` apply globally, whereas channel-specific properties, such as `topic` or `group.id`, customize the individual channel behavior. 
+
+For security, Open Liberty supports multiple authentication methods: 
+
+* <<#ssl,Secure Sockets Layer (SSL)>>
+* <<#sasl,Simple Authentication and Security Layer/PLAIN (SASL/PLAIN)>>
+* <<#mtls,Mutual TLS (mTLS)>>
+
+To make sure of secure communication with Kafka brokers, you can set the appropriate security properties within the `microprofile-config.properties` file, facilitating the support of any of the authentication methods.
+
+[#ssl]
+== Secure Sockets Layer (SSL)
+
+The following example demonstrates how to configure a Kafka client for secure SSL communication with Kafka brokers in the `microprofile-config.properties` file. The following configuration enables SSL-based authentication so that the client can securely verify the identity of the Kafka server it connects to. 
+
+----
+mp.messaging.connector.liberty-kafka.bootstrap.servers=SSL\://kafka-server\:34691
+mp.messaging.connector.liberty-kafka.security.protocol=SSL
+mp.messaging.connector.liberty-kafka.ssl.truststore.password=kafka-teststore
+mp.messaging.connector.liberty-kafka.ssl.truststore.location=kafka-truststore.jks
+----
+
+[#sasl]
+== Simple Authentication and Security Layer/PLAIN (SASL/PLAIN)
+
+The following example demonstrates the setup of SASL_SSL (Simple Authentication and Security Layer over SSL) for authentication with either the Kafka Plain Login Module or the Open Liberty Kafka Login Module.
+
+This configuration enables encrypted communication and authentication with Kafka brokers. It uses properties set in the `microprofile-config.properties` file to support different authentication methods, including password encryption with Open Liberty xref:reference:command/securityUtility-encode.adoc[securityUtility encode]. Applications can maintain the confidentiality and integrity of messages, making sure that secure data flow across distributed systems.
+
+- Authenticating with Open Liberty's Kafka Login Module that can use passwords encoded by Open Liberty xref:reference:command/securityUtility-encode.adoc[securityUtility encode] on a per channel basis.
+----
+mp.messaging.incoming.aes-test-in.connector=liberty-kafka
+mp.messaging.incoming.aes-test-in.bootstrap.servers=SASL_SSL\://kafka-boostrap-server\:39643
+mp.messaging.incoming.aes-test-in.security.protocol=SASL_SSL
+mp.messaging.incoming.aes-test-in.sasl.mechanism=PLAIN
+mp.messaging.incoming.aes-test-in.ssl.truststore.password=kafka-teststore
+mp.messaging.incoming.aes-test-in.sasl.jaas.config=com.ibm.ws.kafka.security.LibertyLoginModule required username\="test" password\="{aes}<encoded password>";
+mp.messaging.incoming.aes-test-in.ssl.truststore.location=kafka-truststore.jks
+mp.messaging.incoming.aes-test-in.group.id=group-id-1
+mp.messaging.incoming.aes-test-in.auto.offset.reset=earliest
+
+mp.messaging.outgoing.aes-test-out.connector=liberty-kafka
+mp.messaging.outgoing.aes-test-out.bootstrap.servers=SASL_SSL\://kafka-boostrap-server\:39643
+mp.messaging.outgoing.aes-test-out.security.protocol=SASL_SSL
+mp.messaging.outgoing.aes-test-out.sasl.mechanism=PLAIN
+mp.messaging.outgoing.aes-test-out.sasl.jaas.config=com.ibm.ws.kafka.security.LibertyLoginModule required username\="test" password\="{aes}<encoded password>";
+mp.messaging.outgoing.aes-test-out.ssl.truststore.location=kafka-truststore.jks
+mp.messaging.outgoing.aes-test-out.ssl.truststore.password=kafka-teststore
+----
+
+- Authenticating with Kafka's Plain Login Module
+----
+mp.messaging.connector.liberty-kafka.security.protocol=SASL_SSL
+mp.messaging.connector.liberty-kafka.bootstrap.servers=SASL_SSL\://kafka-boostrap-server\:34696
+mp.messaging.connector.liberty-kafka.ssl.truststore.location=kafka-truststore.jks
+mp.messaging.connector.liberty-kafka.sasl.mechanism=PLAIN
+mp.messaging.connector.liberty-kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username\="test" password\="test-QmCFfb";
+mp.messaging.connector.liberty-kafka.ssl.truststore.password=kafka-teststore
+----
+
+[#mtls]
+== Mutual TLS (mTLS)
+
+Mutual TLS is an enhanced security protocol that requires both the client and server to authenticate each other, providing a two-way SSL authentication. Each channel uses a separate keystore to authenticate itself with the Kafka Bootstrap server.
+
+The following example configures each channel with its own keystore to authenticate itself with the Kafka bootstrap server, as detailed in the configuration settings. With the `mp.messaging.connector.liberty-kafka` and specific channel configurations, the example demonstrates how to establish a secure, encrypted channel by using SSL. 
+Mutual TLS not only secures the data in transit but also makes sure that each communication partner is authenticated, thus adding another layer of security. 
+
+----
+mp.messaging.connector.liberty-kafka.bootstrap.servers=SSL\://kafka-boostrap-server\:39647
+mp.messaging.connector.liberty-kafka.security.protocol=SSL
+mp.messaging.connector.liberty-kafka.ssl.truststore.location=kafka-truststore.jks
+mp.messaging.connector.liberty-kafka.ssl.truststore.password=kafka-teststore
+mp.messaging.connector.liberty-kafka.ssl.truststore.location=kafka-truststore.jks
+
+mp.messaging.incoming.test-in.connector=liberty-kafka
+mp.messaging.incoming.test-in.ssl.keystore.location=kafka-keystore.jks
+mp.messaging.incoming.test-in.ssl.keystore.password=kafka-teststore
+mp.messaging.incoming.test-in.group.id=group-id-1
+mp.messaging.incoming.test-in.topic=incoming-topic
+mp.messaging.incoming.test-in.auto.offset.reset=earliest
+
+mp.messaging.outgoing.test-out.connector=liberty-kafka
+mp.messaging.outgoing.test-out.topic=outgoing-topic
+mp.messaging.outgoing.test-out.ssl.keystore.location=kafka-keystore2.jks
+mp.messaging.outgoing.test-out.ssl.keystore.password=kafka-teststore
+----