IICS Fall '20 October Release - Upcoming Changes for Kafka connector with SSL and FQDN

Version 1

    Hope you are equally excited about our upcoming IICS Fall 2020 Release. Please be aware of the changes related to Kafka connector in the upcoming release and you may act ahead if you use SSL security with Fully Qualified Domain Name.

     

    FAQ:

     

    1. Who will be Impacted:

     

    Only customers who are using SSL Security will be impacted if they are not using fully qualified domain name (FQDN) in connection properties and in certificates.

     

    1. What is the impact:

     

    The Test connection, Mapping, Mapping task is going to fail with “SSL Handshake Error”

     

    1. Solution for the impact:

     

    Use the fully qualified domain name (FQDN) as stated in point1 to avoid “SSL Handshake Error”.

    1. E.g.- if you are using broker details as abcxyz2cld000:9092 then you have to replace it with abcxyz2cld000.informatica.com:9092

     

    Note: Solution can be implemented now only to avoid any upgrade issue in R35.

     

     

    Description of the change

    As per the changes made by Apache Kafka after Kafka version 2.0 host name verification of servers is enabled by default. Please refer below section to know about the changes.

    http://kafka.apache.org/24/documentation.html#security_confighostname

    Configuring Host Name Verification

    From Kafka version 2.0.0 onwards, host name verification of servers is enabled by default for client connections as well as inter-broker connections to prevent man-in-the-middle attacks. Server host name verification may be disabled by setting ssl.endpoint.identification.algorithm to an empty string. For example,

    1

    1. ssl.endpoint.identification.algorithm=

    For dynamically configured broker listeners, hostname verification may be disabled using kafka-configs.sh. For example,

    1

    bin/kafka-configs.sh --bootstrap-server localhost:9093 --entity-type brokers --entity-name 0 --alter --add-config "listener.name.internal.ssl.endpoint.identification.algorithm="

    For older versions of Kafka, ssl.endpoint.identification.algorithm is not defined by default, so host name verification is not performed. The property should be set to HTTPS to enable host name verification.

    1

    1. ssl.endpoint.identification.algorithm=HTTPS

    Host name verification must be enabled to prevent man-in-the-middle attacks if server endpoints are not validated externally.

    Configuring Host Name In Certificates

    If host name verification is enabled, clients will verify the server's fully qualified domain name (FQDN) against one of the following two fields:

    1. Common Name (CN)
    2. Subject Alternative Name (SAN)


    Both fields are valid, RFC-2818 recommends the use of SAN however. SAN is also more flexible, allowing for multiple DNS entries to be declared. Another advantage is that the CN can be set to a more meaningful value for authorization purposes. To add a SAN field append the following argument
    -ext SAN=DNS:{FQDN} to the keytool command:

    1

    keytool -keystore server.keystore.jks -alias localhost -validity {validity} -genkey -keyalg RSA -ext SAN=DNS:{FQDN}

    The following command can be run afterwards to verify the contents of the generated certificate:

    1

    keytool -list -v -keystore server.keystore.jks

     

    For more information on the upcoming release please refer:

     

    https://network.informatica.com/docs/DOC-18766