IBM Data and AI Ideas Portal for Customers




Status Future consideration
Created by Guest
Created on Apr 27, 2022

Configure multiple certificates for the Replication Engine

The Replication Engine for Kafka currently uses a single keystore for the certificates used to encrypt both the connection to its source datastore and the connection to the targeted Schema Registry.


Although it is possible to configure multiple certificates within the keystore, only the certificate with the alphabetically first alias is chosen for encryption.


However, our security guidelines require us to use a certificate of the network hostname for encrypting the connection between Replication Engine and source datastore and a certificate of the user for writing to the Schema Registry. Both hostname and user name cannot be the same, requiring us to use two different certificates. This cannot currently be configured and prevents us from running CDC in our production environment.


A possible solution would be to either allow configuring two different keystores or to configure the alias names of any certificates to use for either connection.

Needed By Month
  • Admin
    Alex Klufas
    Jul 27, 2022

    IBM Update:

    Thanks for filing this requirement.

    We think this requirement is valid, but the work is not committed at this time.

  • Guest
    May 10, 2022

    Looking further into this issue, the keystore should be configurable by creating a KCOP and setting the variables

    schema.registry.ssl.keystore.location

    schema.registry.ssl.keystore.password

    schema.registry.ssl.key.password

    schema.registry.ssl.truststore.location

    schema.registry.ssl.truststore.password

    to the configuration map passed to the KafkaAvroSerializer. These parameters are (at least in the Confluent implementation which I understand CDC to use) eventually passed to SslFactory to create parameters for an SSL connection. I do not understand why setting these parameters does seem to have any effect at all.