Configure SSL client authentication with keystore and custom truststore for MSK Connect

Hello,

I'm trying to integrate an external Kafka cluster using MSK Connect. This external cluster needs Kafka clients to support mTLS, so providing a keystore is mandatory for a successful SSL handshake. The Kafka clients also need to trust a certificate, which is not inside the default JVM cacerts. Since the MSK Connect documentation states that "ssl." properties are not supported inside the worker configuration (https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-supported-worker-config-properties.html), I am wondering:

  • Is it even possible to provide keystores for Kafka connection/authentication with MSK Connect?
  • Is it possible to connect to a Kafka cluster requiring mTLS/SSL authentication?
  • Can I override the truststore location for MSK Connect?

I tried this connector configuration, but it resulted in an SSL handshake exception inside the worker:

{
  "connector.class": "io.confluent.connect.s3.S3SinkConnector",
  "s3.region": "<region>",
  "flush.size": "1",
  "tasks.max": "1",
  "format.class": "io.confluent.connect.s3.format.json.JsonFormat",
  "value.converter": "org.apache.kafka.connect.json.JsonConverter",
  "s3.bucket.name": "<bucketName>",
  "store.kafka.keys": "true",
  "s3.ssea.name": "aws:kms",
  "schema.compatibility": "NONE",
  "topics": "test",
  "store.kafka.headers": "true",
  "s3.sse.kms.key.id": "<s3KeyId>",
  "headers.format.class": "io.confluent.connect.s3.format.json.JsonFormat",
  "partitioner.class": "io.confluent.connect.storage.partitioner.DefaultPartitioner",
  "keys.format.class": "io.confluent.connect.s3.format.json.JsonFormat",
  "storage.class": "io.confluent.connect.s3.storage.S3Storage",
  "value.converter.schemas.enable": "false",
  "security.protocol": "SSL",
  "ssl.keystore.location": "${s3import:<region>:<bucketName>/keystore.jks}",
  "ssl.truststore.location": "${s3import:<region>:<bucketName>/truststore.jks}",
  "ssl.keystore.password": "<password>",
  "ssl.truststore.password": "<password>",
  "ssl.key.password": "<password>"
}
asked 25 days ago · 14 views
1 Answer
To address your questions about configuring SSL client authentication with keystores and custom truststores for MSK Connect:

Unfortunately, MSK Connect does not currently support providing custom keystores or truststores for Kafka connections that require mTLS/SSL authentication. The "ssl." properties that you're trying to use in your connector configuration are not supported within the MSK Connect worker configuration.

Amazon MSK itself uses AWS Certificate Manager (ACM) certificates for its broker authentication, and any truststore that trusts Amazon Trust Services should also trust MSK brokers. However, when connecting to external Kafka clusters that require client certificate authentication, MSK Connect has limitations.

For Amazon MSK clusters, client authentication can be enabled using mutual TLS, which requires an AWS Private CA. The client would need to present a certificate signed by this CA during the TLS handshake. However, this is for clients connecting to MSK clusters, not for MSK Connect acting as a client to external clusters.

The error you're experiencing with the SSL handshake exception is likely because MSK Connect cannot use the custom keystore and truststore configurations you're trying to provide.

As an alternative approach, you might need to:

  1. Consider using a different solution for connecting to your external Kafka cluster that requires mTLS, such as setting up a self-managed Kafka Connect cluster on EC2 where you have full control over the SSL configuration.
  2. If possible, modify the authentication requirements of your external Kafka cluster to support other authentication methods that are compatible with MSK Connect.

Unfortunately, there isn't currently a way to override the truststore location or provide custom keystores for MSK Connect when connecting to external Kafka clusters requiring mTLS.
Sources

  • Mutual TLS client authentication for Amazon MSK - Amazon Managed Streaming for Apache Kafka
  • Configuring MSK Connect worker to pass SSL certs | AWS re:Post

answered 25 days ago
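For the self-managed Kafka Connect alternative in step 1 of the answer, this is what a distributed worker file (connect-distributed.properties) looks like with the keystore and truststore from the question wired in. It is an added example, not part of the question or the answer; hostnames, file paths and the secrets file are assumptions, and the passwords are read through Kafka's FileConfigProvider instead of being written into the worker file.

```properties
# Worker-level client (used for the connect-* internal topics).
bootstrap.servers=kafka-1.external.example:9093,kafka-2.external.example:9093
group.id=connect-mtls-cluster

# Secrets resolved at startup from a root-only file (assumed path and key names).
config.providers=file
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider

security.protocol=SSL
ssl.truststore.location=/etc/kafka-connect/ssl/truststore.jks
ssl.truststore.password=${file:/etc/kafka-connect/ssl/secrets.properties:truststore.password}
ssl.keystore.location=/etc/kafka-connect/ssl/keystore.jks
ssl.keystore.password=${file:/etc/kafka-connect/ssl/secrets.properties:keystore.password}
ssl.key.password=${file:/etc/kafka-connect/ssl/secrets.properties:key.password}
# Hostname verification is on by default; set it explicitly so a later edit cannot blank it unnoticed.
ssl.endpoint.identification.algorithm=https

# Connector tasks get their own producer/consumer/admin clients, configured by prefix.
# They do not inherit the worker's ssl.* keys, so each prefix needs the same settings
# or the tasks fail the handshake in the same way the question describes.
producer.security.protocol=SSL
producer.ssl.truststore.location=/etc/kafka-connect/ssl/truststore.jks
producer.ssl.truststore.password=${file:/etc/kafka-connect/ssl/secrets.properties:truststore.password}
producer.ssl.keystore.location=/etc/kafka-connect/ssl/keystore.jks
producer.ssl.keystore.password=${file:/etc/kafka-connect/ssl/secrets.properties:keystore.password}
producer.ssl.key.password=${file:/etc/kafka-connect/ssl/secrets.properties:key.password}

consumer.security.protocol=SSL
consumer.ssl.truststore.location=/etc/kafka-connect/ssl/truststore.jks
consumer.ssl.truststore.password=${file:/etc/kafka-connect/ssl/secrets.properties:truststore.password}
consumer.ssl.keystore.location=/etc/kafka-connect/ssl/keystore.jks
consumer.ssl.keystore.password=${file:/etc/kafka-connect/ssl/secrets.properties:keystore.password}
consumer.ssl.key.password=${file:/etc/kafka-connect/ssl/secrets.properties:key.password}

admin.security.protocol=SSL
admin.ssl.truststore.location=/etc/kafka-connect/ssl/truststore.jks
admin.ssl.truststore.password=${file:/etc/kafka-connect/ssl/secrets.properties:truststore.password}
admin.ssl.keystore.location=/etc/kafka-connect/ssl/keystore.jks
admin.ssl.keystore.password=${file:/etc/kafka-connect/ssl/secrets.properties:keystore.password}
admin.ssl.key.password=${file:/etc/kafka-connect/ssl/secrets.properties:key.password}

# Lets individual connectors override client settings (consumer.override.*, producer.override.*).
connector.client.config.override.policy=All

config.storage.topic=connect-configs
offset.storage.topic=connect-offsets
status.storage.topic=connect-status
key.converter=org.apache.kafka.connect.json.JsonConverter
value.converter=org.apache.kafka.connect.json.JsonConverter
plugin.path=/usr/share/java
```

With the override policy set to All, a connector that needs a different client identity can carry its own consumer.override.ssl.* and producer.override.ssl.* keys in the connector config instead of the bare ssl.* keys used in the question.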