You must specify certain configuration properties when your Kafka data load operation accesses a secured Confluent Schema Registry service. GPSS exposes these properties in the AVRO_OPTION: block of the version 2 Kafka load configuration file, and the avro: block of the version 3 (beta) Kafka load configuration file.
About the Configuration Properties
You can specify the following version 2 configuration properties to identify the certificates and keys required to access an SSL-secured schema registry service (the version 3 configuration property names are lowercase):
- SCHEMA_CA_ON_GPDB - The file system path to the CA certificate that GPSS uses to verify the peer.
- SCHEMA_CERT_ON_GPDB - The file system path to the client certificate that GPSS uses to connect to the HTTPS schema registry.
- SCHEMA_KEY_ON_GPDB - The file system path to the private key file that GPSS uses to connect to the HTTPS schema registry.
- SCHEMA_MIN_TLS_VERSION - The minimum transport layer security (TLS) version that GPSS requests on the connection to the registry. The default minimum TLS version is 1.0; you can specify 1.0, 1.1, 1.2, or 1.3.
The schema registry's ssl.client.auth property controls client authentication requirements for the service:
- When ssl.client.auth=false for the registry, you need only specify the SCHEMA_CA_ON_GPDB.
- When ssl.client.auth=true for the registry, you must also specify SCHEMA_CERT_ON_GPDB and SCHEMA_KEY_ON_GPDB in addition to the SCHEMA_CA_ON_GPDB.
All certificate and key files must reside in the specified location on all VMware Tanzu Greenplum segment hosts.
Be sure to also specify the SCHEMA_MIN_TLS_VERSION if the default value of 1.0 is not sufficient for your requirements.
Additional Considerations
Take the following into consideration when you use GPSS to access an SSL-secured Kafka schema registry:
- Even though you can specify multiple registry addresses in SCHEMA_REGISTRY_ADDRESS, GPSS supports specifying only a single set of SSL certificate and key properties. GPSS uses the specified (same) CA, certificate, and key regardless of the registry accessed.
- The file system paths that you specify for the CA, certificate, and key are limited to 64 characters each.
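The rules above can be checked before a load job is submitted. The following preflight check is an added example, not part of GPSS or of the original page: the function name check_avro_option, its client_auth parameter, and the sample paths are assumptions, and the key file permission check and the TLS deprecation warning are hardening additions rather than GPSS requirements.

```python
import os

ALLOWED_TLS = ("1.0", "1.1", "1.2", "1.3")   # values this page lists
MAX_PATH_LEN = 64                             # per-path limit this page states
PATH_KEYS = ("SCHEMA_CA_ON_GPDB", "SCHEMA_CERT_ON_GPDB", "SCHEMA_KEY_ON_GPDB")

def check_avro_option(opts, client_auth, check_files=True):
    """Check AVRO_OPTION properties (a dict); return (errors, warnings).

    client_auth mirrors the registry's ssl.client.auth setting (hypothetical
    parameter). Run on every segment host so the file checks cover each one.
    """
    errors, warnings = [], []
    if not opts.get("SCHEMA_CA_ON_GPDB"):
        errors.append("SCHEMA_CA_ON_GPDB is required")
    has_cert = bool(opts.get("SCHEMA_CERT_ON_GPDB"))
    has_key = bool(opts.get("SCHEMA_KEY_ON_GPDB"))
    if client_auth and not (has_cert and has_key):
        errors.append("ssl.client.auth=true needs SCHEMA_CERT_ON_GPDB and SCHEMA_KEY_ON_GPDB")
    elif has_cert != has_key:
        warnings.append("client certificate and key should be set together")
    for name in PATH_KEYS:
        path = opts.get(name)
        if not path:
            continue
        if len(path) > MAX_PATH_LEN:
            errors.append(f"{name}: path is {len(path)} characters, limit is {MAX_PATH_LEN}")
        if check_files and not os.path.isfile(path):
            errors.append(f"{name}: {path} not found on this host")
    key_path = opts.get("SCHEMA_KEY_ON_GPDB")
    # Added hardening check, not a rule from the page: key readable by owner only.
    if check_files and key_path and os.path.isfile(key_path):
        if os.stat(key_path).st_mode & 0o077:
            warnings.append("SCHEMA_KEY_ON_GPDB: key file is accessible by group or others")
    tls = str(opts.get("SCHEMA_MIN_TLS_VERSION", "1.0"))   # page default is 1.0
    if tls not in ALLOWED_TLS:
        errors.append(f"SCHEMA_MIN_TLS_VERSION: {tls} is not one of {', '.join(ALLOWED_TLS)}")
    elif tls in ("1.0", "1.1"):
        warnings.append(f"SCHEMA_MIN_TLS_VERSION {tls}: TLS 1.0/1.1 are deprecated (RFC 8996); prefer 1.2 or 1.3")
    return errors, warnings

if __name__ == "__main__":
    sample = {   # constructed sample values
        "SCHEMA_CA_ON_GPDB": "/home/gpadmin/certs/ca.pem",
        "SCHEMA_MIN_TLS_VERSION": "1.2",
    }
    print(check_avro_option(sample, client_auth=True, check_files=False))
```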