home

Zuora Platform

Zuora BillingZuora PaymentsZuora PlatformZuora CPQZephrZuora RevenueAccounts ReceivableRelease NotesBasicsEntitlementsSupport and policies
Zuora BillingZuora PaymentsZuora PlatformZuora CPQZephrZuora RevenueAccounts ReceivableRelease NotesBasicsEntitlementsSupport and policies

Welcome to Zuora Product Documentation

Explore our rich library of product information

Show Contents

thumbnailZuora Platform

Security options for Kafka connections

Configure Kafka authentication

Configure how Zuora authenticates with your Kafka cluster using SASL (SCRAM or PLAIN) or TLS/SSL, and review how credentials and certificates are handled securely.

  1. To configure SASL with SCRAM authentication:
    1. Select SASL_SSL or SASL_PLAINTEXT as the Security Protocol.
    2. Select SCRAM as the SASL Mechanism.
    3. In the SCRAM Authentication section, select a Mechanism Variant.
      SCRAM‑SHA‑256
    4. Enter the Kafka Username and Password.
    5. Review the auto‑generated JAAS configuration, which uses ScramLoginModule and your credentials.
    Username and password values are treated as secrets and, after you save the connection, are not shown again in the UI or returned by the API. Connections are rejected if SCRAM settings are incomplete or invalid, for example:
    • Missing SASL mechanism or JAAS configuration.
    • Empty username or password in the JAAS configuration.
    • A JAAS login module that does not match the selected SCRAM mechanism.

    For API requests, sasl.jaas.config must use:

    • org.apache.kafka.common.security.scram.ScramLoginModule for SCRAM-SHA-256 or SCRAM-SHA-512.
    • org.apache.kafka.common.security.plain.PlainLoginModule for PLAIN.
  2. To configure SASL with PLAIN authentication:
    1. Select SASL_SSL or SASL_PLAINTEXT as the Security Protocol.
    2. Select PLAIN as the SASL Mechanism.
    3. In the PLAIN Authentication section, enter the Kafka Username and Password.
      The wizard shows the auto‑generated JAAS configuration using PlainLoginModule.
    As with SCRAM, PLAIN credentials are stored securely as secrets and are not returned in API responses.
  3. To configure TLS / SSL authentication:
    1. Select SSL or SASL_SSL as the Security Protocol.
    2. In the TLS / SSL Configuration section, under Truststore Type, choose JKS or PKCS12.
      Truststore Type identifies the format of the certificate store used for TLS. Select the option that matches your truststore file (Java Key Store for JKS, or PKCS #12 for PKCS12).
    3. Upload the Truststore Location file and enter the Truststore Password.
      Truststore Location specifies the JKS file that contains the CA or server certificates your Kafka client will trust; upload the exact truststore used by your cluster's TLS configuration. Truststore Password is the password that protects this JKS file and must match the password configured on the truststore so Zuora can open it during TLS handshakes.
    4. (Optional) Select Show additional options to configure the SSL Endpoint Identification Algorithm (https to enable hostname verification).
      This setting controls hostname verification for TLS. Set it to https so Kafka verifies that the broker certificate's host name matches the bootstrap server you configured, helping prevent misconfiguration and man-in-the-middle issues. Only https is accepted; disabling hostname verification by setting this field to an empty string or any other value is not supported.
    5. Upload a Keystore Location file and provide the Keystore Password and Key Password for mutual TLS.
      Keystore Location specifies the JKS/PKCS12 file that contains the client certificate and private key used for mutual TLS when your brokers require client authentication. Keystore Password unlocks the keystore itself, and Key Password (if set) unlocks the private key inside it. Both must match the values configured for this keystore on your Kafka side.
    The connection is rejected if required combinations are incomplete, such as:
    • Truststore location without a truststore password.
    • Keystore location without a keystore password.
    • ssl.key.password provided without a keystore.

    TLS / SSL fields cannot be set on non‑TLS protocols such as SASL_PLAINTEXT or PLAINTEXT; such combinations are rejected.

    Note: File size limit: Truststore and keystore uploads are limited to 1 MB of decoded content. If you upload a larger file, the connection test or save will fail with an error indicating that the SSL file exceeds the maximum size.
  4. If you set the Security Protocol to PLAINTEXT, no authentication or TLS settings are required.
    • The wizard displays a warning that PLAINTEXT sends data unencrypted with no authentication and should only be used in development or fully trusted networks.
    • SASL properties (sasl.mechanism, sasl.jaas.config) and SSL properties are not allowed on PLAINTEXT connections and are rejected if present.
  5. Click Save & Continue.

Last updated: May 7, 2026