When Securing Access to Data is About Life and Death

When Securing Access to Data is About
Life and Death

About Us
Simon Randby
• Master in AI 2015
• Worked for Norsk helsenett
since
• Worked with Kafka for ≈ 3 years
• Follow me on pouët.net:
https://www.pouet.net/user.ph
p?who=100886
Fredrik Bekkevold
• 20+ years' experience
• Multiple complex domains
• ≈ 6 years with Kafka
• Follow me on X: @fbekkevold
(https://twitter.com/FBekkevold)

Todays topic
• How we ensure our services are reachable
• How we secure the communication
• How we enable support to figure out what's wrong without seeing
more data than needed

Can you reach prod?
The data must flow

Norway today
• 5.5 million people
• Living in ≈ 400 municipalities
• 400 000 are health care personell (not counting administrative staff)
• Work across 4 health care regions
• Having ≈ 80 hospitals
• Totalling 17 000 organizations individuall purchasing systems to
collaborate with each other

SMTP
Norsk helsenett
Lab
results
The
web
portal
Prescri
ptions
Journals

SQL
A
Service Bus
NoSQL
A'
NoSQL
A'
NoSQL
A'

B
A
A
Producer
A
Consumer
B
Producer
B
Consumer
A
Consumer

mTLS for Kafka
A hands on journey

Private Key
Public Key
Password
Key Pair (.key file)
Public Key
Certificate (.crt file)
Metadata
• Signatures
• Usages (e.g. IsCa)
• Issued to/CN
• Alternative
DNSNames
• IP Addresses
CertificateAuthority
CA
Secures
Private Key
Public Key
Password
Key Pair (.key file)
Public Key
Certificate (.crt file)
Metadata
• Signatures
• Issued to/CN
• Alternative
DNSNames
• IP Addresses
New Credentials Creation Flow
Create
Password
Create
Keys
Create
CSR
Config
CSR Confg
• Alternative
DNSNames
• IP Addresses
Create
CSR
Public Key
Certificate Signing Request (.csr file)
Metadata)
• Issued to/CN
CSR Confg
• Alternative
DNSNames
• IP Addresses
Issue
Certificate
Private Key
Public Key
Key Pair
Public Key
Certificate
Metadata
• Signatures
• Issued to/CN
• Alternative
DNSNames
• IP Addresses
Password
PKCS12 Bundle (.pfx file)
Create
PKCS12
Bundle
Secures
S
e
c
u
r
e
s

Create resources needed for the
Certificate Authority (CA)

Create CA
DEMO_CA_PASSWORD="BestDemoPassrod"
echo $DEMO_CA_PASSWORD > './My_cool_example_CA_private_key_password.txt'
openssl req
-new
-x509
-keyout "./My_cool_example_CA_private_key.key"
-newkey "rsa:1024"
-out "./My_cool_example_CA_public_key.crt"
-days "36"
-subj "/CN=my_cool_example_CA.example.com"
-passin "pass:$DEMO_CA_PASSWORD"
-passout "file:My_cool_example_CA_private_key_password.txt" 2> /dev/null

ZooKeepers
It's been a bussy year, we havent had time to migrate to K-Raft

Create ZooKeeper Certs – Private key
ZOOKEEPER_1_PASSWORD='ZooKeeper_demo_password'
echo $ZOOKEEPER_1_PASSWORD > './zookeeper_password.txt'
openssl genrsa
-passout file:./zookeeper_password.txt
-out ./zookeeper.key 1024

Create ZooKeeper Certs – Certificate Signing
Request (CSR) Config
printf '%sn'
'[req]'
'default_bits = 1024'
'prompt = no'
'default_md = sha512'
'distinguished_name = req_distinguished_name'
'x509_extensions = v3_req'
''
'[req_distinguished_name]'
''
'[v3_req]'
'basicConstraints=CA:FALSE'
'subjectAltName = @alt_names'
''
'[alt_names]'
'DNS.1 = zookeeper'
'DNS.2 = zookeeper.localhost'
'IP.1 = 172.21.82.11'
'IP.2 = 2001:2181:2181::11' > ./zookeeper.csr.config

Create ZooKeeper Certs – Create Certificate
Signing Request
openssl req
-new
-key ./zookeeper.key
-subj '/CN=zookeeper.localhost'
-out ./zookeeper.csr
-config ./zookeeper.csr.config

Create ZooKeeper Certs – Sign Certificate
Signing Request and issue Certificate
openssl x509
-req
-CA ./My_cool_example_CA_public_key.crt
-CAkey ./My_cool_example_CA_private_key.key
-passin file:My_cool_example_CA_private_key_password.txt
-in ./zookeeper.csr
-out ./zookeeper.crt
-days 35
-CAcreateserial
-extensions v3_req
-extfile ./zookeeper.csr.config

Create ZooKeeper Certs – PKCS12 Bundle
openssl pkcs12
-inkey ./zookeeper.key
-in ./zookeeper.crt
-passin pass:ZooKeeper_demo_password
-passout pass:ZooKeeper_demo_password
-export
-out ./zookeeper.pfx

ZooKeeper mTLS resources
• Artifacts from this process you want to keep for later use
• The CA certificate
• The PFX bundle
• The Password

Brokers

Create Broker Certs - Private key
BROKER_1_PASSWORD='Broker_demo_password'
echo $BROKER_1_PASSWORD > './broker.password.txt'
openssl genrsa
-passout file:./broker.password.txt
-out ./broker.key 1024

Create Broker Certs – Certificate Signing
printf '%sn'
'[req]'
'prompt = no'
''
''
'[v3_req]'
'basicConstraints=CA:FALSE'
'subjectAltName = @alt_names'
''
'[alt_names]'
'DNS.1 = broker'
'DNS.2 = broker.localhost'
'DNS.3 = localhost'
'IP.1 = 172.90.92.11'
'IP.2 = 2001:9092:9092::11'
'IP.3 = 172.21.82.21'
'IP.4 = 2001:2181:2181::21'
'IP.5 = 172.80.80.11'
'IP.6 = 2001:8080:8080::11' > ./broker.csr.config

Create Broker Certs – Create Certificate
Signing Request
openssl req
-new
-key ./broker.key
-subj '/CN=broker.localhost'
-out ./broker.csr
-config ./broker.csr.config

Create Broker Certs – Sign Certificate Signing
Request and issue Certificate
openssl x509
-req
-in ./broker.csr
-out ./broker.crt
-days 35
-CAcreateserial
-extensions v3_req
-extfile ./broker.csr.config

Create Broker Certs – PKCS12 Bundle
openssl pkcs12
-inkey ./broker.key
-in ./broker.crt
-passin pass:Broker_demo_password
-passout pass:Broker_demo_password
-export
-out ./broker.pfx

Using the Brokers mTLS Certificates
• Once you enable mTLS for auth, all API usage has to be authed, even
from the CLI on a given broker to the broker itself
• Because you have access to the password in plaintext at this time,
now is a convenient time to create the bootstrap config file should
you need it for e.g. fixing ACLs from the CLI

Create Bootstrap Config file for Broker
printf '%sn'
'security.protocol=SSL'
'ssl.keystore.location=broker.pfx'
'ssl.keystore.password=Broker_demo_password'
'ssl.keystore.type=PKCS12'
'ssl.truststore.type=PEM'
'ssl.truststore.location=My_cool_example_CA_public_key.crt' > broker.bootstrap.conf

Broker mTLS resources
• The PFX bundle
• The Password
• The Bootstrap Config file

Create User Certs - Private key
DEMO_USER_PASSWORD="DemoUserPassword"
echo $DEMO_USER_PASSWORD > './demo_user.password.txt'
openssl genrsa
-passout file:./demo_user.password.txt
-out ./demo_user.key 1024

Create User Certs – Certificate Signing
printf '%sn'
'[req]'
'prompt = no'
''
''
'[v3_req]'
'basicConstraints=CA:FALSE' > ./demo_user.csr.config

Create Broker Certs – Create Certificate
Signing Request
openssl req
-new
-key ./demo_user.key
-subj '/CN=demo-user'
-out ./demo_user.csr
-config ./demo_user.csr.config

Create User Certs – Sign Certificate Signing
Request and issue Certificate
openssl x509
-req
-in ./demo_user.csr
-out ./demo_user.crt
-days 36
-CAcreateserial
-extensions v3_req
-extfile ./demo_user.csr.config

Create User Certs – PKCS12 Bundle
openssl pkcs12
-inkey ./demo_user.key
-in ./demo_user.crt
-passin pass:DemoUserPassword
-passout pass:DemoUserPassword
-export
-out ./demo_user.pfx

Create Admin Client Config file for User
printf '%sn'
'security.protocol=SSL'
'ssl.keystore.location=demo_user.pfx'
'ssl.keystore.password=DemoUserPassword'
'ssl.keystore.type=PKCS12'
'ssl.truststore.type=PEM'
'ssl.truststore.location=My_cool_example_CA_public_key' > ./demo_user.adminclient-configs.conf

User mTLS resources
• The PEM key
• The PEM certificate
• The PFX bundle
• The Password
• The Admin Client Config file

Full example in docker compose
• https://github.com/NorskHelsenett/Kafka/tree/main/GetStarted/MultiBro
kerClusterWithAuthAndMtls
• Features
• Full cluster with 3 brokers
• ACLs
• Schema registry
• Demo CLI producer (using schema)
• Demo consumer (using schema)
• Demo dotnet consumer (using schema)
• Kafka UI
• mTLS for all
• And more, packed in a mere 2345 lines of compose!

A
IO
A
Producer
A
Consumer
State
A's Topic

A
Interface
A
Producer
A
Consumer
State
A
Support
Tool
WebUi
A's Topic
Support
Tool
Consumer

Code Examples
• Producer
• ConsumerService
• LocalState
• REST API
• Support-tool Web-UI (Blazor)

Main app also
consumes
• Consume is continues, so
we use BackgroundService

REST Api
Controller
• State & Producer is
injected
• GET & POST
• Simple, easy

Simple Rest
API POST
• Error state if send fails
• Returns the sent Obj

Using Model to remove confidential info

Support app Blazor UI
• The only frontend work I do is in F5 BIG-IP, Simon
• Easy to setup and work with
• SignalR support for seamless C/S integration
• Almost no context shift between client and server code
• Server-Side Rendering, a safety-feature (Hold my beer!)

LocalState in
SupportApp
• EventHandler, invoked
when new obj are added
• Meets the functional
needs

Takaways
• Sometimes delivering data is more important that delivering it
blazingly fast
• Distributed systems are hard, Kafka is not
• Don't fear the mTLS
• https://github.com/NorskHelsenett/Kafka/tree/main/GetStarted/MultiBroker
ClusterWithAuthAndMtls
• Be thoughtful about the ones supporting the data processing
• Event driven systems are cool, also in .NET!

When Securing Access to Data is About Life and Death

Recommended

Recommended

More Related Content

Similar to When Securing Access to Data is About Life and Death

Similar to When Securing Access to Data is About Life and Death (20)

More from HostedbyConfluent

More from HostedbyConfluent (20)

Recently uploaded

Recently uploaded (20)

When Securing Access to Data is About Life and Death