In MSK, to communicate with brokers using TLS (SSL), we have used port 9094 and are able to communicate with the MSK cluster with the required keystore and truststore configurations.
To communicate with brokers using SASL_SCRAM, we have used port 9096 and are able to communicate with the MSK cluster with username and password configurations.
Now we want to configure both (SASL_SSL) to authenticate the client when connecting to broker nodes, as a mandatory configuration on the client side.
NOTE: We are able to configure the SASL_SSL security protocol on port 9096, but the TLS configurations on the client are treated as optional, because if we remove the TLS properties it is still able to connect to the broker nodes.
I'm testing this connection with the Kafka console producer like below:
./bin/kafka-console-producer.sh --broker-list b-1.xxx:9096,b-2xx:9096 --producer.config ./bin/client_sasl_ssl.properties --topic TestTopicSASLSSL
File: client_sasl_ssl.properties
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
#ssl.truststore.location=/path/to/kafka.client.truststore.jks
#ssl.keystore.location=/path/to/kafka.client.keystore.jks
#ssl.keystore.password=psswd
#ssl.key.password=psswd
Please note that I'm able to produce data with or without the above commented SSL properties, which seem optional.
Is there any option to mandate both SASL and TLS auth protocols to restrict client connections?
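
An added example, not part of the original post: a short Python audit of the posted client_sasl_ssl.properties that reports what the client will negotiate with the ssl.* lines commented out and with them enabled. It assumes standard Apache Kafka Java client defaults (security.protocol defaults to PLAINTEXT, sasl.mechanism to GSSAPI, and the JVM default truststore is used when ssl.truststore.location is unset); the function names are hypothetical.

```python
# Added example. SAMPLE is the properties file from the post, embedded as-is.
SAMPLE = """\
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
#ssl.truststore.location=/path/to/kafka.client.truststore.jks
#ssl.keystore.location=/path/to/kafka.client.keystore.jks
#ssl.keystore.password=psswd
#ssl.key.password=psswd
"""

def parse_properties(text):
    """Parse key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Report what the client will do, based on Kafka client defaults."""
    proto = props.get("security.protocol", "PLAINTEXT").upper()
    tls = proto in ("SSL", "SASL_SSL")
    sasl = proto in ("SASL_PLAINTEXT", "SASL_SSL")
    return {
        # TLS is on whenever the protocol says so; ssl.* keys do not toggle it.
        "tls_transport": tls,
        "sasl_mechanism": props.get("sasl.mechanism", "GSSAPI") if sasl else None,
        # Without an explicit truststore the JVM default CA bundle is used.
        "truststore": None if not tls else
            "explicit" if "ssl.truststore.location" in props else "jvm-default",
        # A keystore only makes a client certificate available; whether one is
        # demanded is decided by the broker listener, not by the client.
        "client_cert_configured": tls and "ssl.keystore.location" in props,
    }

def uncomment_ssl(text):
    """Return the file with its '#ssl.' lines enabled, for comparison."""
    return "\n".join(l[1:] if l.startswith("#ssl.") else l for l in text.splitlines())

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("ssl.* enabled", uncomment_ssl(SAMPLE))):
        print(label, audit(parse_properties(text)))
```

In both runs the transport is TLS and the login is SCRAM; the ssl.* lines only change which trust anchors are used and whether a client certificate is on hand.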