IBM Event Streams and IBM Event Automation

 View Only

Connecting App Connect Enterprise to Event Streams

By Dale Lane posted Sat June 18, 2022 09:27 PM

  

Configuring IBM App Connect Enterprise to produce or consume messages from Kafka topics in IBM Event Streams requires careful configuration. In this post, I’ll share the steps I use that help me to avoid missing any required values.

To illustrate this, I’ll create a simple App Connect flow that implements a REST API, where any data I POST to the REST API is sent to a Kafka topic.

The key to getting this to work correctly first time is to make sure that values are accurately copied from Event Streams to App Connect.

To help with this, I use a grid like the one below.

The instructions in this post start with Event Streams, and explain how to populate the grid with the information you need.

Then the instructions will switch to App Connect, and explain how to use the values in the grid to set up your App Connect flow.

    
What this is
Values you will see in my screenshots
Your value
A Topic name
THIS.IS.MY.TOPIC
                         
B Bootstrap address
kafkadev-kafka-bootstrap-demo.itzroks-120000f8p4-f9nd74-6ccd7f378ae819553d37d5f2ee142bd6-0000.eu-gb.containers.appdomain.cloud:443

kafkadev-kafka-bootstrap.demo.svc:9093

kafkadev-kafka-bootstrap.demo.svc:9092
C SASL mechanism
SCRAM-SHA-512
D SASL config
org.apache.kafka.common.security.scram.ScramLoginModule required;
E Security protocol
SASL_SSL

SASL_PLAINTEXT

SSL

PLAINTEXT
F Certificate
es-cert.jks
G Certificate password
wo05RndLJQgI
H Username
app-connect-enterprise
I Password
AIYJjrM2bSic
J Policy project name
demo-policies
K Policy name
demo-eventstreams-policy
L Security identity name
kafka-credentials
M Truststore identity name
kafka-truststore


Note: To see screenshots in more detail, you can click on them to open a higher-resolution version.

Pre-requisites

There are some things you will need before you can start following the instructions. This post is already long enough, so I will skip any detail on these steps.

You need an OpenShift cluster.

You need to install the Operators for App Connect and Event Streams.

You need to create a secret with your key for the Entitled Registry.

You need an Event Streams cluster.

You need a topic that you want App Connect to send messages to.

Step 1
Collecting values you need from Event Streams

A – the topic name

Get the name of the topic you want Event Streams to send messages to.

Fill this in the grid as value A.

B – the bootstrap address

Get the bootstrap address that you want App Connect to use to connect to the Kafka cluster.

The addresses you have to choose from will depend on how you have configured your Event Streams instance.

If you have enabled external listeners, you could choose an external address.

If you have enabled internal listeners, you could choose an internal address.

Whichever address you choose, fill it in the grid as value B.

C – security mechanism

Look next to the bootstrap address that you chose for value B.

If you see a reference to “SCRAM”, that means the Kafka listener you have chosen to use for App Connect is configured to require authentication, with credentials provided using the SASL/SCRAM mechanism.

If that is the case, fill SCRAM-SHA-512 in the grid as value C.

If you see a reference that credentials aren’t required, that means the Kafka listener you have chosen to use for App Connect is configured to not require authentication.

If that is the case, leave value C empty.

D – security config

If value C is SCRAM-SHA-512, then set value D in the grid to

org.apache.kafka.common.security.scram.ScramLoginModule required;

Otherwise, leave value D empty.

E – security protocol

You need to identify whether the Kafka listener is configured to require encryption.

If you chose an external listener, this is simple – encryption is always required for external listeners.

If you chose an internal listener, you will need to find the spec for the listener. One way to do this is to look at the spec for your Event Streams cluster in the OpenShift Console.

Find the listener that you chose in .status.kafkaListeners.

If the type of the listener you chose is tls or external then encryption is required.

Otherwise (if the type is plain), then encryption is not required.

Use the table below to work out what you need to fill in the grid as value E.

 if value C is…?   is encryption required?   then set value E to… 
SCRAM-SHA-512 yes SASL_SSL
SCRAM-SHA-512 no SASL_PLAINTEXT
(empty) yes SSL
(empty) no PLAINTEXT

F – SSL certificate

If the Kafka listener is configured to require encryption, you need to download the CA certificate for the listener.

You can download the PKCS12 certificate from Event Streams.

Keep this file safe, and make a note of the file name in the grid as value F.

G – SSL certificate password

When you download the PKCS12 certificate, the password will be displayed.

Fill it in the grid as value G.

H/I – username / password

If the Kafka listener is configured to require SCRAM credentials, you need to create a username and password for App Connect to use.

(If no credentials are required, you can skip this step and leave values H and I empty.)

Choose a username. Enter it into the grid as value H.

Click on the Generate SCRAM credentials button.

Use the name from value H as the name for your credentials.

Make sure you include the permission that App Connect will need (“consume” if you want App Connect to be able to receive messages, “produce” if you want App Connect to be able to send messages).

Use the topic name from value A when specifying the permissions for the credentials.

Enter the generated password into the grid as value I.

Step 1(b) – Workaround step

At the time of writing, if you have a p12 file in value E, you will need to convert it to a JKS file because of the issue described in the Event Streams support docs. Follow the instructions on that page to create the JKS file.

If you do this, update value F in the grid with the new jks file name.

Step 2 – Choose some App Connect names

You will create some resources in App Connect.

Choose a name for your App Connect policy project.
Enter it into the grid as value J.

Choose a name for your App Connect policy.
Enter it into the grid as value K.

If you have a SCRAM username/password, choose a name for the security identity.
Enter it into the grid as value L.

If you have a truststore file (p12 file, or jks file, depending on whether the workaround is still required), choose a name for the truststore identity.
Enter it into the grid as value M.

Step 3 – Creating your App Connect policy

Use the App Connect Enterprise toolkit to create a new Policy project.

Use the name from value J in the grid for the name.

Create a policy in your new project. Use value K from the grid as the file name.

Make sure that the policy name matches value K from the grid.

Set the policy Type and Template both to “Kafka”.

Fill in the rest of the policy using values from the grid.

Set Bootstrap servers (<bootstrapServers>) to value B from the grid.

Set Security protocol (<securityProtocol>) to value E from the grid.

Set SASL Mechanism (<saslMechanism>) to value C from the grid.

Set Security identity (<securityIdentity>) to value L from the grid.

Set SASL config (<saslConfig>) to value D from the grid.

If you have a filename in value F in the grid, set SSL truststore location (<sslTruststoreLocation>) to /home/aceuser/truststores/ followed by your filename.
(e.g. /home/aceuser/truststores/es-cert.jks).
Otherwise, leave SSL truststore location blank.

If you have a filename in value F in the grid, set SSL truststore type (<sslTruststoreType>) to JKS (if you have a jks file) or PKCS12 (if you have a p12 file).

Set SSL truststore security identity
(<sslTruststoreSecurityIdentity>) to value M from the grid.

Set SSL certificate hostname checking
(<sslEnableCertificateHostnameChecking>) to false.

A few examples of how this could look, depending on some of the choices you could have made…


Export the policy project to a zip file.

The file name you use isn’t significant, so choose any name that you like.

Step 4 – Creating your App Connect flow

To illustrate how to use the grid, I’ll create a flow that sends data received over HTTP to the Kafka topic. You could configure a Kafka consumer node in a similar way.

I’m using an HTTP input node with a path of /demo

Configure the Kafka node, starting with the “Basic” tab.

Set Topic name to value A from the grid.

The Bootstrap servers value won’t be used, but it’s a required value, so put any value in there. I use “not-used” for this to avoid confusion.

Set Client ID to something that can be used to identify App Connect in Event Streams monitoring.

Next, fill in the “Security” tab.

Set Security identity to value L from the grid.

Set Security protocol to value E from the grid.

Finally, fill in the “Policy” tab.

Set Policy using value J and value K from the grid. It should look like {valueJ}:valueK.

Export the app with your flow to a BAR file.

Step 5 – Set up App Connect

Create an App Connect dashboard

This will make it easier to deploy your App Connect flow.

Add the Configurations to the dashboard

Use the Dashboard to create Configurations.

If you have a filename in value F in the grid, create a new Configuration.
Set the Type to “Truststore” and upload your truststore file.

Create another new Configuration.
Set the Type to “Policy project” and upload your exported policy project zip file.

If you have values for any of value H, value I, value F in the grid, create another new Configuration.
Set the Type to “setdbparms.txt”.

If you have values for value H and value I, add a line with kafka:: followed by the security identity name, then a space, then the username and password.

kafka::valueL valueH valueI

If you have a filename in value F in the grid, add a line with truststore:: followed by the truststore identity name, then a space, then an unused placeholder value, then the truststore password.

truststore::valueM notused valueG

Depending on how your Event Streams listener is configured, you should now have between one and three configurations.

Upload the BAR file to the dashboard

Use the Dashboard to upload a bar file.

Import the bar file that you created with the Kafka message flow.

Step 6 – Deploy the message flow

Use the Dashboard to create a new integration server.

If you are using a truststore, note that creating an integration server with CPU and memory limits that are too small can result in SSL handshake errors when connecting to Kafka. If this happens, try different CPU and memory limits. For example, setting CPU limit to at least 1 and memory to at least 512Mi may help.

Choose your BAR file

Enable all of the Configurations that you created

Name the integration and click Create.

Step 6(b) – a gotcha

If you are using an internal Kafka listener, and your App Connect integration server is running in a different namespace to the Event Streams cluster, then you may need to create a NetworkPolicy to give the integration server permission to make the connection to a different namespace.

Step 7 – Try it out!

Try using curl to send some text to the message flow.

You should see the text appear in a message on your Kafka topic.

Finished! Using a grid like the one detailed here should hopefully ensure that you have it working first time, without a lot of time-consuming errors and debugging.









0 comments
138 views

Permalink