Docs Menu
Docs Home
MongoDB Kafka Connector

SSL/TLS and X.509 Certificates

On this page

  • Overview
  • Prerequisites
  • Store Certificates on the Worker
  • Keystore
  • Truststore
  • Add Credentials to the Connector

In this guide, you can learn how to secure communications between your MongoDB Kafka Connector worker and your MongoDB cluster.

To secure your connection, you must perform the following tasks:

  • Create the certificates

  • Store the certificates on the worker host machine

  • Supply the certificates' credentials to the connector


If you host your MongoDB cluster on MongoDB Atlas or your cluster does not explicitly require certificates, you can already communicate securely and do not need to follow the steps in this guide.

This guide requires prior knowledge of the following concepts:

Store your certificates in a keystore and truststore to secure your certificate credentials for each server you run your connector worker instance on.

You can use a keystore to store private keys and identity certificates. The keystore uses the key and certificate to verify the client's identity to external hosts.

If your SSL/TLS configuration requires a client certificate to connect to your worker instance, generate a secure private key and include the client certificate bundled with the intermediate CA. Then, store this information in your keystore by using the following openssl command to generate a PKCS 12 file:

openssl pkcs12 -export -inkey <your private key> \
-in <your bundled certificate> \
-out <your output pkcs12 file>

You can use a truststore to store certificates from a CA. The truststore uses the certificates to identify parties the client trusts. Some examples of these certificates are a root CA, intermediate CA and your MongoDB cluster's end entity certificate.

Import the certificates of parties that you trust into your truststore by using the following keytool command:

keytool -import -trustcacerts -import -file <your root or intermediate CA>

If your SSL/TLS configuration requires the end entity certificate for your MongoDB cluster, import it into your truststore with the following command:

keytool -import -file <your server bundled certificate> -keystore <your keystore name>

For more information on how to set up a client keystore and truststore for testing purposes, see OpenSSL Client Certificates for Testing.

The connector worker processes JVM options from your KAFKA_OPTS environment variable. The environment variable contains the path and password to your keystore and truststore.

Export the following JVM options in your KAFKA_OPTS variable:

export KAFKA_OPTS="\<your path to truststore> \<your truststore password> \<your path to keystore> \<your keystore password>"

When the worker processes the JVM options, the connector attempts to connect by using the SSL/TLS protocol and certificates in your keystore and truststore.

← Security and Authentication