karthitect / kda-flink-custom-keystore

Sample code to demonstrate use of custom truststore from KDA/Flink

Overview

This sample code shows how to configure your Kinesis Data Analytics for Java application to use a custom truststore (a JKS keystore holding the CA certificates) when communicating with Kafka over SSL/TLS.

We need a way to deliver our custom truststore to the KDA/Flink environment, since we don't have access to the runners directly. Overriding the open() method of the FlinkKafkaConsumer class allows us to write the truststore to local disk on every runner just before the Kafka client is created. Because open() runs each time a task starts, the file is recreated after restarts and runner replacements.

Overriding the FlinkKafkaConsumer class

In the overridden open() method of CustomFlinkKafkaConsumer (which extends FlinkKafkaConsumer), we write our custom truststore from the application classpath to /tmp, as shown below:

...
    // requires java.io.* and org.apache.flink.configuration.Configuration

    /*
     Override the 'open' method of the FlinkKafkaConsumer to drop our custom
     keystore. This is necessary so that certs are available to be picked up in spite of
     runner restarts and replacements.
     */
    @Override
    public void open(Configuration configuration) throws Exception {
        // write truststore to /tmp before super.open() creates the Kafka client
        // NOTE: make sure that keystore is in JKS format for KDA/Flink. See README for details
        dropFile("/tmp");

        super.open(configuration);
    }

    private void dropFile(String destFolder) throws Exception
    {
        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
        File targetFile = new File(destFolder, "kafka.client.truststore.jks");

        // try-with-resources closes the streams whether or not the copy succeeds
        try (InputStream input = classLoader.getResourceAsStream("kafka.client.truststore.jks")) {
            if (input == null) {
                throw new FileNotFoundException("kafka.client.truststore.jks not found on classpath");
            }
            try (OutputStream outStream = new FileOutputStream(targetFile)) {
                // copy in a loop: available() is only an estimate and a single read() may return fewer bytes
                byte[] buffer = new byte[8192];
                int n;
                while ((n = input.read(buffer)) != -1) {
                    outStream.write(buffer, 0, n);
                }
                outStream.flush();
            }
        }
        // exceptions propagate so a missing or unreadable truststore fails the task instead of being silently logged
    }
...

Specifying keystore location

In our main() function, we point the Kafka consumer properties at the location where open() drops the truststore:

...
// configure location where runtime will look for custom truststore
sourceProps.setProperty("ssl.truststore.location", "/tmp/kafka.client.truststore.jks");
...

Note about keystore format

The KDA/Flink runtime expects the truststore to be in JKS format. For instance, if your truststore is in PKCS12 format, you'll get an "invalid keystore format" error when running your application. This HOWTO describes the process for converting keystores.
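The following is an added example, not code from this repository, tying together the open() override above and this format note: it drops the truststore with an atomic rename (so a parallel subtask on the same host never loads a half-written file), then loads it with java.security.KeyStore as JKS so a PKCS12 file fails fast with a clear message before the Kafka client ever sees it. The class and method names, and the idea of passing the truststore password in from KDA runtime properties, are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;

// Hypothetical helper class; not part of the kda-flink-custom-keystore repository.
public class TruststoreCheck {
    static final String RESOURCE = "kafka.client.truststore.jks";

    /** Copy the classpath resource into destFolder and return the final path. */
    static Path dropTruststore(String destFolder) throws IOException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        try (InputStream in = cl.getResourceAsStream(RESOURCE)) {
            if (in == null) throw new IOException("resource not on classpath: " + RESOURCE);
            Path dir = Paths.get(destFolder);
            Path target = dir.resolve(RESOURCE);
            // write to a temp file first, then rename: rename(2) is atomic, so another
            // subtask reading the target path sees either the old or the complete new file
            Path tmp = Files.createTempFile(dir, RESOURCE, ".part");
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
            return target;
        }
    }

    /** Fail fast if the dropped file is not a JKS store; returns the number of entries. */
    static int verifyJks(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            // a PKCS12 file makes this throw IOException("Invalid keystore format")
            // a null password loads the store but skips the JKS integrity check
            ks.load(in, password);
        }
        return ks.size();
    }

    /** Kafka client SSL properties; the password is assumed to come from KDA runtime properties. */
    static Properties sslProps(Properties sourceProps, Path truststore, String password) {
        sourceProps.setProperty("security.protocol", "SSL");
        sourceProps.setProperty("ssl.truststore.type", "JKS");
        sourceProps.setProperty("ssl.truststore.location", truststore.toString());
        if (password != null) sourceProps.setProperty("ssl.truststore.password", password);
        return sourceProps;
    }
}
```

Calling dropTruststore and verifyJks from the overridden open() before super.open() surfaces a wrong-format truststore as a task failure with the JKS error message, rather than as an SSL handshake failure later.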

License: MIT No Attribution


Language: Java 100.0%