diff --git a/modules/security/pages/index.adoc b/modules/security/pages/index.adoc index cb460c686..a251b38a2 100644 --- a/modules/security/pages/index.adoc +++ b/modules/security/pages/index.adoc 
@@ -36,6 +36,101 @@ TigerGraph Server meets the following security compliance standards as certified * https://www.tigergraph.com/soc-2/[SOC 2 Compliance] * https://www.tigergraph.com/compliance/[PCI-DSS] +== Configuring TLS for Internal Kafka. + +This feature introduces SSL/TLS encryption for TigerGraph’s internal Kafka. It addresses the lack of native encryption and authentication for data in transit within the TigerGraph cluster. + +=== Basic Setup Workflow + +[source,bash] +---- +gadmin config set Kafka.Security.SSL.Certificate @/path/to/cert.pem +---- + +* Set certificate-chain in PEM format. + +[source,bash] +---- +gadmin config set Kafka.Security.SSL.PrivateKey @/path/to/prikey.pem +---- + +* Set private-key in PEM format. + +[source,bash] +---- +gadmin config set Kafka.Security.SSL.Passphrase @/path/to/passphrase +---- + +* Set passphrase for private key. Java keystore requires passphrase. + +[source,bash] +---- +gadmin config set Kafka.Security.SSL.Enable true +---- + +[source,bash] +---- +gadmin config apply -y +---- + +[source,bash] +---- +gadmin restart -y kafka +---- + +Kafka restarts with the new configurations. + +=== Configuration Reference + +[cols="1,2,1", options="header"] +|=== +| Parameter | Description | Default Value + +| Kafka.Security.SSL.Certificate +| Kafka broker certificate in PEM format +| + +| Kafka.Security.SSL.Enable +| Enable Kafka TLS encryption +| false + +| Kafka.Security.SSL.ExternalListener.ClientAuth +| Enable SSL client authentication for external listeners, the root certificate of Kafka.Security.SSL.Certificate will be used to trust client certificate. +| false + +| Kafka.Security.SSL.Passphrase +| Kafka broker private key passphrase. Should not be empty. +| + +| Kafka.Security.SSL.Port +| Kafka SSL listening port +| 30001 + +| Kafka.Security.SSL.PrivateKey +| Kafka broker private key in PEM format +| + +| Kafka.Security.ClientConf.ProtocolForAllClients +| If specified, all clients must use the specified protocol. 
Legal values include: empty-string (not specified), ssl, plaintext. If it's not specified, clients can choose a preferred protocol +| + +| Kafka.Security.ClientConf.EngineProtocol +| It is the protocol for engine-kafka communication. The value can be an empty-string or "plaintext", "ssl". It's overridden by Kafka.Security.ClientConf.ProtocolForAllClients. +| + +| Kafka.Security.ClientConf.InfraProtocol +| It is the protocol for infra-kafka communication. The value can be an empty-string or "plaintext", "ssl". It's overridden by Kafka.Security.ClientConf.ProtocolForAllClients. +| + +| Kafka.Security.ClientConf.InterBrokerProtocol +| It is the protocol for inter-broker communication. The value can be an empty-string or "plaintext", "ssl". It's overridden by Kafka.Security.ClientConf.ProtocolForAllClients. +| +|=== + + + + + == Vulnerability scanning TigerGraph leverages best-of-breed tools to periodically and proactively scan source code, application runtime, infrastructure to identify security vulnerabilities:
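Review bot: The "Basic Setup Workflow" never sets any of the Kafka.Security.ClientConf.* protocols, yet the reference table states that when ProtocolForAllClients is unspecified "clients can choose a preferred protocol", so a reader following the six steps cannot tell whether Kafka.Security.SSL.Enable true by itself forces encrypted transport or whether a plaintext listener is still reachable. Either add a step such as `gadmin config set Kafka.Security.ClientConf.ProtocolForAllClients ssl` before `gadmin config apply -y`, or state explicitly what the clients do once SSL is enabled and the protocol keys are left empty. Smaller points in the same hunk: the heading "== Configuring TLS for Internal Kafka." carries a trailing period, unlike "== Vulnerability scanning"; the `Kafka.Security.SSL.Enable true` block is the only step without a bullet explaining it; the ClientAuth description is a comma splice ("for external listeners, the root certificate ... will be used") and would read better as two sentences; and the table for Passphrase says "Should not be empty" while the default column is blank, so it would help to mark the three PEM/passphrase parameters as required. The five blank lines left before "== Vulnerability scanning" should be reduced to one.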