The Norwegian health care sector's success is dependent on the security and availability of enormous amounts of critical data. The state of affairs is that data does not flow. At Norsk helsenett we have recently started using Kafka to secure this flow.
Our critical data is your critical data, and a matter of life and death. This is how we do that:
- Redundancy to us starts with the number 3: creating the infrastructure and using it to manage "always available" services and data, working towards zero downtime and data loss.
- Security is paramount: how did we implement mTLS?
- How do we monitor and support usage of data we cannot look at, using the benefits of .NET and SignalR in Blazor together with Kafka?
2. About Us
Simon Randby
• Master in AI 2015
• Worked for Norsk helsenett
since
• Worked with Kafka for ≈ 3 years
• Follow me on pouët.net: https://www.pouet.net/user.php?who=100886
Fredrik Bekkevold
• 20+ years' experience
• Multiple complex domains
• ≈ 6 years with Kafka
• Follow me on X: @fbekkevold
(https://twitter.com/FBekkevold)
3. Today's topic
• How we ensure our services are reachable
• How we secure the communication
• How we enable support to figure out what's wrong without seeing more data than needed
6. Norway today
• 5.5 million people
• Living in ≈ 400 municipalities
• 400 000 are health care personnel (not counting administrative staff)
• Work across 4 health care regions
• Having ≈ 80 hospitals
• Totalling 17 000 organizations individually purchasing systems to collaborate with each other
36. Using the Broker's mTLS Certificates
• Once you enable mTLS for auth, all API usage has to be authenticated, even from the CLI on a given broker to the broker itself
• Because you have access to the password in plaintext at this time, now is a convenient moment to create the bootstrap config file, should you need it for e.g. fixing ACLs from the CLI
38. Broker mTLS resources
• Artifacts from this process you want to keep for later use
  • The CA certificate
  • The PFX bundle
  • The Password
  • The Bootstrap Config file
45. Create Admin Client Config file for User
printf '%s\n' \
  'security.protocol=SSL' \
  'ssl.keystore.location=demo_user.pfx' \
  'ssl.keystore.password=DemoUserPassword' \
  'ssl.keystore.type=PKCS12' \
  'ssl.truststore.type=PEM' \
  'ssl.truststore.location=My_cool_example_CA_public_key' > ./demo_user.adminclient-configs.conf
46. User mTLS resources
• Artifacts from this process you want to keep for later use
  • The CA certificate
  • The PEM key
  • The PEM certificate
  • The PFX bundle
  • The Password
  • The Admin Client Config file
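The two slides above (creating the user's PKCS12 bundle and writing the admin client config) carried through as one runnable script. This is an added example, not code from the talk or from the NorskHelsenett/Kafka repository; the function names, the CA file names and the "Demo Kafka CA" subject are assumptions, and the keystore password is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the Norsk helsenett repo): mint a user's mTLS
# artefacts from an existing CA and write the admin client config file.
set -e

# make_user_mtls_resources <user> <password> <ca_cert> <ca_key> <outdir>
# Produces the PEM key, PEM certificate and PFX bundle listed on slide 46.
make_user_mtls_resources() {
  user=$1; password=$2; ca_cert=$3; ca_key=$4; out=$5
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$out/$user.key.pem" 2>/dev/null
  openssl req -new -key "$out/$user.key.pem" -subj "/CN=$user" \
    -out "$out/$user.csr"
  # Signed by the cluster CA so the brokers' truststore accepts the client
  openssl x509 -req -in "$out/$user.csr" -CA "$ca_cert" -CAkey "$ca_key" \
    -CAcreateserial -days 365 -out "$out/$user.cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$out/$user.cert.pem" -inkey "$out/$user.key.pem" \
    -name "$user" -passout "pass:$password" -out "$out/$user.pfx"
  chmod 600 "$out/$user.key.pem" "$out/$user.pfx"
}

# write_admin_client_config <pfx> <password> <ca_cert> <conf>
# Same keys as slide 45. The file holds the keystore password in plaintext,
# so it is created owner-readable only (umask inside a subshell).
write_admin_client_config() {
  pfx=$1; password=$2; ca_cert=$3; conf=$4
  ( umask 077
    printf '%s\n' \
      'security.protocol=SSL' \
      "ssl.keystore.location=$pfx" \
      "ssl.keystore.password=$password" \
      'ssl.keystore.type=PKCS12' \
      'ssl.truststore.type=PEM' \
      "ssl.truststore.location=$ca_cert" > "$conf" )
}

# Demo run (needs openssl): DEMO_MTLS=1 sh this_script.sh
if [ "${DEMO_MTLS:-0}" = 1 ]; then
  work=$(mktemp -d)
  # Throwaway CA standing in for the cluster CA (assumed name)
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo Kafka CA' \
    -days 365 -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  make_user_mtls_resources demo_user DemoUserPassword "$work/ca.crt" "$work/ca.key" "$work"
  write_admin_client_config "$work/demo_user.pfx" DemoUserPassword "$work/ca.crt" \
    "$work/demo_user.adminclient-configs.conf"
  # Check before handing the bundle out: the user cert must chain to the CA
  openssl verify -CAfile "$work/ca.crt" "$work/demo_user.cert.pem"
fi
```

Point the kafka CLI tools at the generated file with `--command-config`, exactly as you would with the broker's bootstrap config from slide 36.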
47. Full example in docker compose
• https://github.com/NorskHelsenett/Kafka/tree/main/GetStarted/MultiBrokerClusterWithAuthAndMtls
• Features
  • Full cluster with 3 brokers
  • ACLs
  • Schema registry
  • Demo CLI producer (using schema)
  • Demo consumer (using schema)
  • Demo dotnet consumer (using schema)
  • Kafka UI
  • mTLS for all
  • And more, packed in a mere 2345 lines of compose!
61. Support app Blazor UI
• The only frontend work I do is in F5 BIG-IP, Simon
• Easy to set up and work with
• SignalR support for seamless C/S integration
• Almost no context shift between client and server code
• Server-Side Rendering, a safety-feature (Hold my beer!)
65. Takeaways
• Sometimes delivering data is more important than delivering it blazingly fast
• Distributed systems are hard, Kafka is not
• Don't fear the mTLS
• https://github.com/NorskHelsenett/Kafka/tree/main/GetStarted/MultiBrokerClusterWithAuthAndMtls
• Be thoughtful about the ones supporting the data processing
• Event driven systems are cool, also in .NET!