https://community.qlik.com/t5/Qlik-Replicate/Replicate-Kafka-target-with-publicly-trusted-TLS-SSL-certificate/m-p/1732641#M361 <P>In Replicate Kafka endpoint we use librdkafka as our client library. We truly and mandatory verify the existence of the CA file. The new librdkafka allows you to set the<EM> ssl.sa.location</EM> as <EM><STRONG>probe&nbsp;</STRONG></EM>and it allows you to use known CA cert paths.</P><P>Quoting librdkafka v1.5:&nbsp;</P><P><EM><FONT face="impact,chicago"><FONT face="terminal,monaco">If OpenSSL is linked statically, or&nbsp;ssl.ca.location=<STRONG>probe&nbsp;</STRONG>is configured,</FONT><BR /><FONT face="terminal,monaco">librdkafka will probe known CA certificate paths and automatically use the</FONT><BR /><FONT face="terminal,monaco">first one found. This should alleviate the need to configure</FONT><BR /><FONT face="terminal,monaco">ssl.ca.location&nbsp;when the statically linked OpenSSL's OPENSSLDIR differs</FONT><BR /><FONT face="terminal,monaco">from the system's CA certificate path.</FONT></FONT></EM></P><P>Currently, our compiled librdkafka is v1.3, which does not support this option.</P><P>I think this is a legitimate request and I suggest you add it as a "new idea" (in Community &gt; Qlik Product Insight &amp; Ideas), where the PM can gather votes and then consider pushing it into the work-plan. Eventually, we will upgrade our librdkafka to the most innovative and open this option for the users, but this "new idea" may promote it and may focus us on the list of recently supported features that our customers really need.</P><P>&nbsp;</P> Sun, 02 Aug 2020 15:49:58 GMT EyalSilner 2020-08-02T15:49:58Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-Kafka-target-with-publicly-trusted-TLS-SSL-certificate/m-p/1709315#M244 <P>I have a question about using a Replicate Kafka target, which is protected with TLS/SSL with a publicly-trusted X.509 certificate - that is, one that your web-browser would trust if it were talking HTTPS, since the certificate is ultimately signed by a trusted root certificate.&nbsp; Example of such a service - Confluent Cloud Kafka cluster endpoints.</P><P>If I connect to this endpoint using e.g. openssl, on Linux this will load a standard set of trusted root cacerts, and the handshake will be trusted.</P><P>In Replicate Kafka target, if using TLS/SSL, the "CA file" field becomes mandatory - is there any option to avoid the need to locate a PEM-encoded certificate-chain, instead trusting via a local root-certificate store?</P><P>This question extends to using the excellent Replicate Test Drive - if I want to connect from that hosted environment to a Confluent Cloud TLS Kafka bootstrap/broker - is there any path on the server that will work for "CA path" which includes the trusted roots, or if not, can I upload one?</P> Tue, 09 Jun 2020 09:08:01 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-Kafka-target-with-publicly-trusted-TLS-SSL-certificate/m-p/1709315#M244 brett 2020-06-09T09:08:01Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-Kafka-target-with-publicly-trusted-TLS-SSL-certificate/m-p/1732641#M361 <P>In Replicate Kafka endpoint we use librdkafka as our client library. We truly and mandatory verify the existence of the CA file. The new librdkafka allows you to set the<EM> ssl.sa.location</EM> as <EM><STRONG>probe&nbsp;</STRONG></EM>and it allows you to use known CA cert paths.</P><P>Quoting librdkafka v1.5:&nbsp;</P><P><EM><FONT face="impact,chicago"><FONT face="terminal,monaco">If OpenSSL is linked statically, or&nbsp;ssl.ca.location=<STRONG>probe&nbsp;</STRONG>is configured,</FONT><BR /><FONT face="terminal,monaco">librdkafka will probe known CA certificate paths and automatically use the</FONT><BR /><FONT face="terminal,monaco">first one found. This should alleviate the need to configure</FONT><BR /><FONT face="terminal,monaco">ssl.ca.location&nbsp;when the statically linked OpenSSL's OPENSSLDIR differs</FONT><BR /><FONT face="terminal,monaco">from the system's CA certificate path.</FONT></FONT></EM></P><P>Currently, our compiled librdkafka is v1.3, which does not support this option.</P><P>I think this is a legitimate request and I suggest you add it as a "new idea" (in Community &gt; Qlik Product Insight &amp; Ideas), where the PM can gather votes and then consider pushing it into the work-plan. Eventually, we will upgrade our librdkafka to the most innovative and open this option for the users, but this "new idea" may promote it and may focus us on the list of recently supported features that our customers really need.</P><P>&nbsp;</P> Sun, 02 Aug 2020 15:49:58 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-Kafka-target-with-publicly-trusted-TLS-SSL-certificate/m-p/1732641#M361 EyalSilner 2020-08-02T15:49:58Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-Kafka-target-with-publicly-trusted-TLS-SSL-certificate/m-p/1741122#M459 <P>To connect Qlik Replicate with Confluent Cloud, what you need to do is use the default root CA pem file for your openssl version next to the checked SSL box where it says CA Path.</P><P>You can get this by doing:</P><PRE><SPAN class="pln">openssl version </SPAN><SPAN class="pun">-</SPAN><SPAN class="pln">a</SPAN></PRE><P>On linux boxes the path will be <STRONG>/etc/pki/tls/cert.pem</STRONG></P><P>Make sure you have an up to date version of Attunity (Qlik Replicate) where you can specify SASL/PLAIN as the Authentication type.</P><P>The same path is used for Schema Registry.</P><P>Just transferred 1.8M rows in about 1 minute, works like a champ.</P><P>&nbsp;</P><P>Chris</P> Thu, 03 Sep 2020 20:27:48 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-Kafka-target-with-publicly-trusted-TLS-SSL-certificate/m-p/1741122#M459 chrislarsen3 2020-09-03T20:27:48Z