Control Center Configuration Reference for Confluent Platform

The following settings are available for configuring Control Center.

Confluent Control Center includes several sample configuration (.properties) files in the following directory:

$CONFLUENT_HOME/etc/confluent-control-center

For a list of sample configuration files, see Control Center Configuration Examples for Confluent Platform.

Confluent Control Center groups settings into categories.

Base settings

This section includes base settings for Control Center.

bootstrap.servers

A list of host/port pairs to use for establishing the initial connection to the Apache Kafka® cluster. The client will make use of all servers irrespective of which servers are specified here for bootstrapping; this list only impacts the initial hosts used to discover the full set of servers. This list should be in the form host1:port1,host2:port2,.... Since these servers are just used for the initial connection to discover the full cluster membership (which could change dynamically), this list need not contain the full set of servers (you may want more than one, though, in case a server is down).

  • Type: list
  • Default: localhost:9092
  • Importance: high

confluent.license

Confluent issues an enterprise license key to each subscriber, allowing the subscriber to unlock the full functionality of Control Center. The license key is text that you can copy and paste. Paste the license key as the value for confluent.license. You can also manage the license in the Control Center web interface.

A trial license allows using Control Center for a 30-day trial period. A developer license allows using Control Center and other Confluent Platform proprietary components indefinitely for single-broker development environments. Trial and developer licenses are shipped with Confluent Platform.

See Manage Confluent Platform Licenses Using Control Center for more details.

If you are a subscriber, contact Confluent Support for more information about obtaining another valid enterprise license before it expires. confluent.controlcenter.license is a deprecated synonym for this configuration key.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.rest.csrf.prevention.enable

When enabled, uses a token-based system to help prevent Cross-Site Request Forgery (CSRF). CSRF is a malicious exploit that can result in an end user executing unwanted actions on a web application in which they’re currently authenticated. If the target user has an administrative account, CSRF can compromise the entire web application.

  • Type: boolean
  • Default: false
  • Importance: medium

confluent.controlcenter.rest.csrf.prevention.token.expiration.minutes

Sets the CSRF prevention token expiration time, if CSRF prevention is enabled. The default expiration time should be sufficient for most use cases; however, you can use this setting to increase or decrease the token expiration interval if needed.

  • Type: int
  • Default: 30
  • Importance: low

confluent.controlcenter.rest.thread.pool.max

The maximum number of threads that will be started for the HTTP Servlet server.

  • Type: int
  • Default: 200
  • Importance: low

confluent.controlcenter.rest.thread.pool.min

The minimum number of threads that will be started for the HTTP Servlet server.

  • Type: int
  • Default: 8
  • Importance: low

Production Settings

In production, you should run Control Center in a cluster that is separate from the Kafka clusters being monitored. Set the following configuration parameters in the Control Center properties file.

confluent.controlcenter.kafka.<name>.bootstrap.servers

Bootstrap servers for any additional Kafka cluster being monitored. Replace <name> with the name Control Center should use to identify this cluster. For example, using confluent.controlcenter.kafka.production-nyc.bootstrap.servers, Control Center will show the additional cluster with the name production-nyc in the cluster list.

  • Type: list
  • Default: “”
  • Importance: high

confluent.controlcenter.kafka.<name>.<connection config>

Any additional connection configuration required to connect to the Kafka cluster identified by <name> can be specified using the confluent.controlcenter.kafka.<name>. prefix. For example, to specify the security.protocol=SASL_SSL configuration for the cluster named production-nyc, add confluent.controlcenter.kafka.production-nyc.security.protocol=SASL_SSL to the configuration.

  • Importance: medium

Tip

If you are configuring a multi-cluster deployment, see also confluent.controlcenter.streams.name.cprest.url.

Mode settings

Use this optional setting to specify the mode that Confluent Control Center starts in. By default, Control Center starts in Normal mode, meaning all is specified, and monitoring is enabled.

confluent.controlcenter.mode.enable

Set the mode in which Control Center should be started. Valid values are all, meaning Confluent Control Center operates normally, and management, meaning Confluent Control Center uses less infrastructure to operate. In Reduced infrastructure mode, Control Center is used to manage Kafka clusters only and will not display monitoring or metrics information.

To run Control Center in Reduced infrastructure mode, set this property to management and confluent.controlcenter.prometheus.enable to false.

confluent.controlcenter.prometheus.enable=false

  • Type: string
  • Default: all
  • Importance: high

General settings

General settings for Control Center are optional.

confluent.controlcenter.connect.<connect-cluster-name>.cluster

Comma-separated list of Kafka Connect worker URLs for the Connect cluster specified by <connect-cluster-name>. <connect-cluster-name> can be an arbitrary string used to identify individual connect clusters and does not need to correspond to any worker setting. Control Center will connect to a single worker. If a worker fails, Control Center will try the request against a different worker. This must be set if you want to manage a Connect cluster. The URL should include the protocol (HTTP or HTTPS) and its associated port (8083 or 8443 respectively).

  • Type: list
  • Default: “”
  • Importance: high
  • Example HTTP: confluent.controlcenter.connect.myconnectclustername.cluster=http://localhost:8083

confluent.controlcenter.connect.healthcheck.endpoint

Provides the default discovery path for connect clusters. If you are using the community version of Confluent Platform, set this property to /connectors to display the connect clusters in Control Center.

  • Type: string
  • Default: /v1/metadata/id
  • Importance: high

confluent.controlcenter.connect.cluster

Deprecated since Confluent Platform version 6.2. Comma-separated list of Connect worker URLs within a single cluster. This is deprecated by confluent.controlcenter.connect.<connect-cluster-name>.cluster.

  • Type: list
  • Default: “”
  • Importance: low

confluent.controlcenter.data.dir

Location for Control Center-specific data. Although the data stored in this directory can be recomputed, doing so is expensive and can affect the availability of Control Center’s stream monitoring functionality. For production, you should set this to a durable, writable, and secure location.

  • Type: path
  • Default: /var/lib/confluent-control-center (control-center-production.properties)
  • Default: /tmp/confluent/control-center (control-center.properties, control-center-dev.properties, control-center-minimal.properties)
  • Importance: high

confluent.controlcenter.rest.listeners

Comma-separated list of listeners that listen for API requests over either http or https. If a listener uses https, the appropriate TLS/SSL configuration parameters need to be set as well. The first value will be used as a Control Center link in the body of eligible alert emails sent from Control Center. For details, see Alerts history.

  • Type: list
  • Default: http://0.0.0.0:9021
  • Importance: high

confluent.controlcenter.rest.advertised.url

Externally visible host. Control Center uses this as an override to rest.listeners when generating URLs for external communications such as alert emails.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.rest.access.control.allow.origin

Sets the value for the Jetty Access-Control-Allow-Origin header.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.rest.response.http.headers.config

Use to select which HTTP headers are returned in the HTTP response for Confluent Platform components. Specify multiple values in a comma-separated string using the format [action] [header name]:[header value] where [action] is one of the following: set, add, setDate, or addDate. You must use quotation marks around the header value when the header value contains commas. For example:

response.http.headers.config="add Cache-Control: no-cache, no-store, must-revalidate", add X-XSS-Protection: 1; mode=block, add Strict-Transport-Security: max-age=31536000; includeSubDomains, add X-Content-Type-Options: nosniff

  • Type: string
  • Default: “”
  • Importance: low
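
The following parser for the header rule format described above is an added example, not code from Confluent or from the original reference. It splits rules on commas outside quotation marks, rejects malformed rules (which is what an unquoted value containing commas turns into), and reports expected security headers that are not configured. The function names are hypothetical.

```python
ACTIONS = {"set", "add", "setDate", "addDate"}  # actions named in the reference

# Value taken from the reference's own example (the part after the "=").
PAGE_EXAMPLE = (
    '"add Cache-Control: no-cache, no-store, must-revalidate", '
    "add X-XSS-Protection: 1; mode=block, "
    "add Strict-Transport-Security: max-age=31536000; includeSubDomains, "
    "add X-Content-Type-Options: nosniff"
)


def split_rules(value):
    """Split on commas that are outside double quotes; the quotes are dropped."""
    rules, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rules.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unbalanced quotation mark")
    rules.append("".join(buf).strip())
    return [r for r in rules if r]


def parse_header_config(value):
    """Return a list of (action, header name, header value) tuples."""
    parsed = []
    for rule in split_rules(value):
        action, _, rest = rule.partition(" ")
        name, sep, header_value = rest.partition(":")
        if action not in ACTIONS or not sep or not name.strip():
            raise ValueError(f"malformed rule: {rule!r}")
        parsed.append((action, name.strip(), header_value.strip()))
    return parsed


def missing_headers(value, expected):
    """Names from `expected` that no rule configures (case-insensitive)."""
    configured = {name.lower() for _, name, _ in parse_header_config(value)}
    return [h for h in expected if h.lower() not in configured]


if __name__ == "__main__":
    for rule in parse_header_config(PAGE_EXAMPLE):
        print(rule)
    # The list of expected headers is the caller's policy, chosen here for illustration.
    print(missing_headers(PAGE_EXAMPLE,
                          ["Strict-Transport-Security", "Content-Security-Policy"]))
    try:
        # Unquoted value with commas: "no-store" is split off as its own rule.
        parse_header_config("add Cache-Control: no-cache, no-store")
    except ValueError as err:
        print("rejected:", err)
```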

confluent.controlcenter.streams.cprest.url

Defines the REST endpoints for Control Center to enable HTTP servers on the broker(s). A comma-separated list with multiple values can be provided for a multi-broker cluster.

For examples, see Configure Control Center with REST endpoints and advertised listeners, Required Configurations for Control Center, and Self-Balancing Clusters documentation.

  • Type: list
  • Default: http://localhost:8090
  • Importance: high

To configure multiple clusters, see confluent.controlcenter.kafka.<name>.cprest.url.

confluent.controlcenter.kafka.<name>.cprest.url

Defines the REST endpoints for any additional Kafka clusters being monitored by Control Center to enable HTTP servers on the broker(s). Replace <name> with the name that identifies this cluster. This name should be consistent with the Kafka cluster name used for other Control Center configurations. A comma-separated list with multiple values can be provided for a multi-broker cluster.

Note that if the REST API endpoints are secured with TLS, you must include additional properties in the Confluent Control Center properties file that provide the security information. For more information, see Configure TLS for Control Center as a server and TLS settings for web access.

The following example shows REST endpoint settings for three clusters or data centers (dc1, dc2, and dc3):

confluent.controlcenter.streams.cprest.url=https://dc1:8090
confluent.controlcenter.kafka.dc2.cprest.url=https://dc2:8090
confluent.controlcenter.kafka.dc3.cprest.url=https://dc3:8090

  • Type: list
  • Default: “”
  • Importance: high

For an example of configuring the Control Center cprest.url specifically for multiple clusters, see Enabling Multi-Cluster Schema Registry.
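
The confluent.controlcenter.kafka.<name>. prefix and the per-cluster cprest.url described above can be checked cluster by cluster. The script below is an added example, not part of the original reference. It groups properties by <name> and flags clusters whose broker link or REST endpoint is unencrypted. The host names in the sample are constructed, the function names are hypothetical, and a missing security.protocol is treated as PLAINTEXT, the Kafka client default.

```python
import re

# confluent.controlcenter.kafka.<name>.<connection config>=<value>
# Assumes <name> itself contains no dots.
CLUSTER_KEY = re.compile(
    r"^[ \t]*confluent\.controlcenter\.kafka\.([^.=\s]+)\.([^=\s]+)[ \t]*=[ \t]*(.*)$",
    re.MULTILINE,
)

# Constructed sample; cluster names follow the reference's examples.
SAMPLE = """\
confluent.controlcenter.kafka.production-nyc.bootstrap.servers=nyc1.example.internal:9093
confluent.controlcenter.kafka.production-nyc.security.protocol=SASL_SSL
confluent.controlcenter.kafka.production-nyc.cprest.url=https://nyc1.example.internal:8090
confluent.controlcenter.kafka.dc2.bootstrap.servers=dc2:9092
confluent.controlcenter.kafka.dc2.cprest.url=http://dc2:8090,https://dc2b:8090
confluent.controlcenter.kafka.dc3.cprest.url=https://dc3:8090
confluent.controlcenter.kafka.dc3.security.protocol=SASL_PLAINTEXT
"""


def clusters(text):
    """Group per-cluster settings: {cluster name: {connection config key: value}}."""
    grouped = {}
    for name, key, value in CLUSTER_KEY.findall(text):
        grouped.setdefault(name, {})[key] = value.strip()
    return grouped


def audit_clusters(text):
    """Return {cluster name: [issues]} for clusters with at least one issue."""
    findings = {}
    for name, cfg in clusters(text).items():
        issues = []
        if "bootstrap.servers" not in cfg:
            issues.append("no-bootstrap-servers")
        protocol = cfg.get("security.protocol", "PLAINTEXT")
        if protocol in ("PLAINTEXT", "SASL_PLAINTEXT"):
            # SASL_PLAINTEXT authenticates but does not encrypt the connection.
            issues.append(f"unencrypted-broker-link:{protocol}")
        urls = [u.strip() for u in cfg.get("cprest.url", "").split(",") if u.strip()]
        if any(u.lower().startswith("http://") for u in urls):
            issues.append("cprest-cleartext")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for cluster, issues in audit_clusters(SAMPLE).items():
        print(cluster, issues)
```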

confluent.controlcenter.schema.registry.url

Schema Registry URL. For more information and examples, see the Schema Registry Documentation and configuration steps for Enabling Multi-Cluster Schema Registry.

confluent.controlcenter.id

Identifier used as a prefix so that multiple instances of Control Center can co-exist.

  • Type: string
  • Default: “1”
  • Importance: low

confluent.controlcenter.name

Control Center Name

  • Type: string
  • Default: _confluent-controlcenter-2.1.0
  • Importance: low

confluent.controlcenter.disk.skew.warning.min.bytes

Threshold for the max difference in disk usage across all brokers before disk skew warning is published.

  • Type: long
  • Default: 1,073,741,824
  • Importance: low

confluent.controlcenter.ui.data.expired.threshold

Configure a threshold (in seconds) before data is considered out of date. Default: 120 seconds (2 minutes).

  • Type: int
  • Default: 120
  • Importance: low

confluent.controlcenter.service.healthcheck.interval.sec

The interval (in seconds) used for checking the health of Confluent Platform nodes. This includes ksqlDB, Connect, Schema Registry, REST Proxy, and Metadata Service (MDS).

  • Type: int
  • Default: 20
  • Importance: low

confluent.controlcenter.request.buffer.size.bytes

Allows adjustment of the RequestBuffer size of HttpClient.

  • Type: int
  • Default: 10,000
  • Importance: low

confluent.controlcenter.prometheus.url

A valid URL to access the Prometheus server on the Control Center. The hostname must be reachable from any browser that will use the web interface in the Control Center.

confluent.controlcenter.prometheus.rules.file

Location for Prometheus-specific config file.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.alertmanager.url

A valid URL to access the Alertmanager service on the Control Center. The hostname must be reachable from any browser that will use the web interface in the Control Center.

confluent.controlcenter.alertmanager.config.file

Location for Alertmanager specific config file.

  • Type: string
  • Default:
  • Importance: high

Broker UI settings

Starting with Confluent Platform version 7.0.0, Control Center uses an embedded REST proxy and as a result provides an updated UI to display broker settings. These settings are optional.

confluent.controlcenter.embedded.kafkarest.enable

Enables or disables the use of an embedded REST proxy for Control Center, which must be enabled for Confluent Control Center to display the new broker settings UI. Starting with Confluent Platform version 7.0.0, Control Center uses an embedded REST proxy and as a result provides an updated UI to display broker settings. The new settings UI is enabled by default, but you can revert back to the old view with this setting and confluent.controlcenter.ui.brokersettings.kafkarest.enable.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.ui.brokersettings.kafkarest.enable

Enables or disables new broker settings UI. This setting will be forced to false if confluent.controlcenter.embedded.kafkarest.enable is also false.

  • Type: boolean
  • Default: true
  • Importance: low

Basic Authentication settings for web access

These optional settings allow you to enable and configure authentication for accessing the Control Center web interface. See the Configure HTTP Basic Authentication with Control Center on Confluent Platform guide for more details on configuring authentication.

confluent.controlcenter.rest.authentication.method

Authentication method to use. Available options: NONE, BASIC, BEARER.

Important

When RBAC is enabled in Control Center, the method must be BEARER. For more information, see Configure RBAC for Control Center on Confluent Platform.

  • Type: string
  • Default: NONE
  • Importance: low

confluent.controlcenter.rest.authentication.realm

Realm to be used by Control Center when authenticating.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.rest.authentication.roles

Roles that are authenticated to access Control Center.

  • Type: string
  • Default: *
  • Importance: low

confluent.controlcenter.auth.restricted.roles

Specify a list of roles with limited read-only access. You must include roles added here in confluent.controlcenter.rest.authentication.roles. For users that are members of roles included in this list, the following features and options are unavailable:

  • Add, delete, pause, or resume connectors
  • Browse connectors
  • View connector settings
  • Upload connector configs
  • Create, delete, or edit alerts (triggers or actions)
  • Edit a license
  • Edit brokers
  • Press submit on cluster forms
  • Edit, create, or delete schemas
  • Edit data flow queries
  • Inspect topics
  • Type in the KSQL editor
  • Run or stop ksqlDB queries
  • Add ksqlDB streams or tables

For fine-grained access control, consider configuring role-based access control (RBAC).

  • Type: list
  • Default: “”
  • Importance: low

confluent.controlcenter.auth.session.expiration.ms

Timeout in milliseconds after which a user session will have to be re-authenticated with the authentication service (e.g. LDAP). Defaults to 0, which means authentication is done for every request. Increase this value to avoid calling the LDAP service for each request.

  • Type: long
  • Default: 0
  • Importance: low

TLS settings for web access

Configure the following optional properties to secure web access (HTTPS) to Control Center with TLS.

To configure TLS settings when Control Center acts as a proxy server to other Confluent Platform components, see Configure TLS for Control Center on Confluent Platform.

confluent.controlcenter.rest.listeners

Comma-separated list of listeners that listen for API requests over either http or https. If a listener uses https, the appropriate TLS/SSL configuration parameters need to be set as well. The first value will be used as a Control Center link in the body of eligible alert emails sent from Control Center. For details, see Alerts history.

  • Type: list
  • Default: http://0.0.0.0:9021
  • Importance: high

confluent.controlcenter.rest.ssl.keystore.location

Used for HTTPS. Location of the keystore file to use for TLS.

Important

Jetty requires that the key’s CN stored in the keystore match the FQDN.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.rest.ssl.keystore.password

Used for HTTPS. The store password for the keystore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.rest.ssl.key.password

Used for HTTPS. The password of the private key in the keystore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.rest.ssl.truststore.location

Used for HTTPS. Location of the truststore. Required only to authenticate HTTPS clients.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.rest.ssl.truststore.password

Used for HTTPS. The store password for the truststore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.rest.ssl.keystore.type

Used for HTTPS. The type of keystore file.

  • Type: string
  • Default: JKS
  • Importance: medium

confluent.controlcenter.rest.ssl.truststore.type

Used for HTTPS. The type of truststore file.

  • Type: string
  • Default: JKS
  • Importance: medium

confluent.controlcenter.rest.ssl.protocol

Used for HTTPS. The TLS protocol used to generate the SSLContext. The default is TLSv1.3 when running with Java 11 or newer, TLSv1.2 otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 might be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ssl.enabled.protocols, clients downgrade to TLSv1.2 if the server does not support TLSv1.3. If this configuration is set to TLSv1.2, clients do not use TLSv1.3, even if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3.

  • Type: string
  • Default: TLSv1.3
  • Importance: medium

confluent.controlcenter.rest.ssl.provider

Used for HTTPS. The TLS security provider name. Leave blank to use the defaults for Jetty.

  • Type: string
  • Default: “” (Jetty default)
  • Importance: medium

confluent.controlcenter.rest.ssl.client.auth

Deprecated. Used for HTTPS. Whether to require the HTTPS client to authenticate using the server’s truststore. This is deprecated by confluent.controlcenter.rest.ssl.client.authentication.

  • Type: boolean
  • Default: false
  • Importance: medium

confluent.controlcenter.rest.ssl.client.authentication

Used for HTTPS. Valid values: NONE, REQUESTED or REQUIRED. NONE disables TLS client authentication, REQUESTED requests but doesn’t require TLS client authentication, and REQUIRED requires HTTPS clients to authenticate using the server’s truststore. This config overrides confluent.controlcenter.rest.ssl.client.auth (deprecated).

  • Type: string
  • Default: NONE
  • Importance: medium

confluent.controlcenter.rest.ssl.enabled.protocols

Used for HTTPS. Leave blank ("") to use the Jetty default. The comma-separated list of protocols enabled for TLS connections. The default value is TLSv1.2,TLSv1.3 when running with Java 11 or later, TLSv1.2 otherwise. With the default value for Java 11 (TLSv1.2,TLSv1.3), Kafka clients and brokers prefer TLSv1.3 if both support it, and fall back to TLSv1.2 otherwise (assuming both support at least TLSv1.2).

  • Type: list
  • Default: “” (Jetty default)
  • Importance: medium

confluent.controlcenter.rest.ssl.keymanager.algorithm

Used for HTTPS. The algorithm used by the key manager factory for TLS connections. Leave blank to use the Jetty default.

  • Type: string
  • Default: “” (Jetty default)
  • Importance: low

confluent.controlcenter.rest.ssl.trustmanager.algorithm

Used for HTTPS. The algorithm used by the trust manager factory for TLS connections. Leave blank to use the Jetty default.

  • Type: string
  • Default: “” (Jetty default)
  • Importance: low

confluent.controlcenter.rest.ssl.cipher.suites

A comma-separated list of TLS cipher suites used for HTTPS. Leave blank to use the Jetty default or specify any combination of the following suites:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Using another cipher suite name causes Confluent Control Center to fail to start. Ciphers listed here are not supported. Do not use them.

  • Type: list
  • Default: “” (Jetty default)
  • Importance: low

confluent.controlcenter.rest.ssl.endpoint.identification.algorithm

Used for HTTPS. The endpoint identification algorithm to validate the server hostname using the server certificate. Leave blank to use the Jetty default.

  • Type: string
  • Default: https
  • Importance: low

confluent.controlcenter.use.default.jvm.truststore

Enable Control Center to fall back to using the default JVM trust store.

  • Type: string
  • Default: false
  • Importance: low

confluent.controlcenter.use.default.os.truststore

Enable Control Center to fall back to using the default operating system trust store.

  • Type: string
  • Default: false
  • Importance: low

confluent.controlcenter.prometheus.ssl.truststore.location

Used for HTTPS. Location of the truststore. Required only to authenticate HTTPS clients.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.prometheus.ssl.truststore.password

Used for HTTPS. The store password for the truststore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.prometheus.alias.name

Specifies an alias for the certificate Prometheus uses during TLS.

Use the following format to specify <Certificate-Alias> as an alias:

confluent.controlcenter.prometheus.alias.name=<Certificate-Alias>

If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.prometheus.ssl.keystore.location

Used for HTTPS. Location of the keystore file to use for TLS.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.prometheus.ssl.keystore.password

Used for HTTPS. The store password for the keystore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.prometheus.ssl.key.password

Used for HTTPS. The password of the private key in the keystore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.prometheus.basic.auth.user.info

Specifies the user credentials for HTTP Basic Authentication in the form of {username}:{password} for Prometheus server.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.alertmanager.ssl.truststore.location

Used for HTTPS. Location of the truststore. Required only to authenticate HTTPS clients.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.alertmanager.ssl.truststore.password

Used for HTTPS. The store password for the truststore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.alertmanager.alias.name

Specifies an alias for the certificate Alertmanager uses during TLS.

Use the following format to specify <Certificate-Alias> as an alias:

confluent.controlcenter.alertmanager.alias.name=<Certificate-Alias>

If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.alertmanager.ssl.keystore.location

Used for HTTPS. Location of the keystore file to use for TLS.

  • Type: string
  • Default: “”
  • Importance: high

confluent.controlcenter.alertmanager.ssl.keystore.password

Used for HTTPS. The store password for the keystore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.alertmanager.ssl.key.password

Used for HTTPS. The password of the private key in the keystore file.

  • Type: password
  • Default: “”
  • Importance: high

confluent.controlcenter.alertmanager.basic.auth.user.info

Specifies the user credentials for HTTP Basic Authentication in the form of {username}:{password} for Alertmanager service.

  • Type: string
  • Default: “”
  • Importance: medium

Security for Confluent Platform components settings

The following optional settings control TLS encryption between Control Center and Confluent Platform components or features. You can also configure Basic authentication for Schema Registry.

You should configure these settings if you have configured your Kafka cluster with these security features. For TLS, you can choose to configure each component separately, or set a single store.

Streams security settings

These optional settings are the standard Kafka authentication and authorization settings prefixed with confluent.controlcenter.streams..

confluent.controlcenter.streams.security.protocol

Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, and SASL_SSL.

  • Type: string
  • Default: PLAINTEXT
  • Importance: low

confluent.controlcenter.streams.ssl.keystore.location

The location of the keystore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.streams.ssl.keystore.password

The store password for the keystore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.streams.ssl.key.password

The password of the private key in the keystore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.streams.ssl.truststore.location

The location of the truststore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.streams.ssl.truststore.password

The password for the truststore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.streams.sasl.mechanism

SASL mechanism used for client connections. This may be any mechanism for which a security provider is available. GSSAPI is the default mechanism.

  • Type: string
  • Default: GSSAPI
  • Importance: low

confluent.controlcenter.streams.sasl.kerberos.service.name

The Kerberos principal name that Kafka runs as. This can be defined either in Kafka’s JAAS config or in Kafka’s config.

  • Type: string
  • Default: null
  • Importance: low

Schema Registry security settings

These Schema Registry settings are optional. To enable TLS for Schema Registry, specify the following set of properties:

  • confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location
  • confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password
  • confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location
  • confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password
  • confluent.controlcenter.schema.registry.schema.registry.ssl.key.password
  • confluent.controlcenter.schema.registry.schema.registry.alias.name

confluent.controlcenter.schema.registry.basic.auth.credentials.source

Defines how to select the credentials for HTTP Basic Authentication header for a single Schema Registry cluster, or the first Schema Registry in a multi-cluster Schema Registry deployment. The supported values are URL, USER_INFO, and SASL_INHERIT.

  • Type: string
  • Default: URL
  • Importance: medium

Note

Specifying confluent.controlcenter.schema.registry.basic.auth.credentials.source, as shown, passes basic.auth.credentials.source to the Schema Registry client.

confluent.controlcenter.schema.registry.<sr-cluster-name>.basic.auth.credentials.source

Defines how to pick the credentials for HTTP Basic Authentication header on a Schema Registry cluster in a multi-cluster Schema Registry deployment. The supported values are URL, USER_INFO, and SASL_INHERIT.

  • Type: string
  • Default: URL
  • Importance: medium

confluent.controlcenter.schema.registry.basic.auth.user.info

Specifies the user credentials for HTTP Basic Authentication in the form of {username}:{password} for a single Schema Registry cluster, or the first Schema Registry cluster in a multi-cluster Schema Registry deployment.

  • Type: string
  • Default: “”
  • Importance: medium

confluent.controlcenter.schema.registry.<sr-cluster-name>.basic.auth.user.info

Specifies the user credentials for HTTP Basic Authentication in the form of <username>:<password> for Schema Registry clusters in a multi-cluster Schema Registry deployment (associated with the URL fields by <sr-cluster-name>).

  • Type: string
  • Default: “”
  • Importance: medium

confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location

The location of the truststore file for Schema Registry.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password

The password for the truststore file for Schema Registry.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location

The location of the keystore file for Schema Registry.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password

The store password for the keystore file for Schema Registry.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.schema.registry.schema.registry.ssl.key.password

The password of the private key in the keystore file for Schema Registry.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.schema.registry.schema.registry.alias.name

Specifies an alias for the certificate Schema Registry uses during mTLS. Use the following format to specify <Certificate-Alias> as an alias.

confluent.controlcenter.schema.registry.schema.registry.alias.name=<Certificate-Alias>

If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.

  • Type: string
  • Default: “”
  • Importance: low

Connect security settings

These Connect settings are optional. To enable TLS for Connect, specify the following set of properties:

  • confluent.controlcenter.connect.connect.ssl.truststore.location
  • confluent.controlcenter.connect.connect.ssl.truststore.password
  • confluent.controlcenter.connect.connect.ssl.keystore.location
  • confluent.controlcenter.connect.connect.ssl.keystore.password
  • confluent.controlcenter.connect.connect.ssl.key.password
  • confluent.controlcenter.connect.connect.alias.name

confluent.controlcenter.connect.<connect-cluster-name>.basic.auth.user.info

Specifies the user credentials for Control Center to communicate with a Connect cluster configured for HTTP Basic Authentication. The name of the Connect cluster appears in the configuration (<connect-cluster-name>) and credentials use this form: <username>:<password>

Without this configuration for Connect clusters using HTTP Basic Authentication, Control Center cannot display Connectors in the cluster. For more information, see Control Center and other components.

Tip

Versions of Control Center prior to 7.2 did not require this configuration. If you are upgrading and using HTTP Basic Authentication with Connect, you must use this configuration.

  • Type: string
  • Default: “”
  • Importance: medium

confluent.controlcenter.connect.connect.ssl.truststore.location

The location of the truststore file for Connect.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.connect.connect.ssl.truststore.password

The store password for the truststore file for Connect.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.connect.connect.ssl.keystore.location

The location of the keystore file for Connect.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.connect.connect.ssl.keystore.password

The store password for the keystore file for Connect.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.connect.connect.ssl.key.password

The password of the private key in the keystore file for Connect.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.connect.connect.alias.name

Specifies an alias for the certificate Connect uses during mTLS. Use the following format to specify <Certificate-Alias> as an alias.

confluent.controlcenter.connect.connect.alias.name=<Certificate-Alias>

If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.

  • Type: string
  • Default: “”
  • Importance: low

ksqlDB security settings

These ksqlDB settings are optional. To enable TLS for ksqlDB, specify the following set of properties:

  • confluent.controlcenter.ksql.ksql.ssl.truststore.location
  • confluent.controlcenter.ksql.ksql.ssl.truststore.password
  • confluent.controlcenter.ksql.ksql.ssl.keystore.location
  • confluent.controlcenter.ksql.ksql.ssl.keystore.password
  • confluent.controlcenter.ksql.ksql.ssl.key.password
  • confluent.controlcenter.ksql.ksql.alias.name

confluent.controlcenter.ksql.<ksql-cluster-name>.basic.auth.user.info

Specifies the user credentials for HTTP Basic Authentication in the form of <username>:<password> for ksqlDB clusters associated with the URL fields by <ksql-cluster-name>.

  • Type: string
  • Default: “”
  • Importance: medium

confluent.controlcenter.ksql.ksql.ssl.truststore.location

The location of the truststore file for ksqlDB.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.ksql.ksql.ssl.truststore.password

The store password for the truststore file for ksqlDB.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.ksql.ksql.ssl.keystore.location

The location of the keystore file for ksqlDB.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.ksql.ksql.ssl.keystore.password

The store password for the keystore file for ksqlDB.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.ksql.ksql.ssl.key.password

The password of the private key in the keystore file for ksqlDB.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.ksql.ksql.alias.name

Specifies an alias for the certificate ksqlDB uses during mTLS. Use the following format to specify <Certificate-Alias> as an alias.

confluent.controlcenter.ksql.ksql.alias.name=<Certificate-Alias>

If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.

  • Type: string
  • Default: “”
  • Importance: low

Single proxy server store security settings

Instead of specifying TLS settings for each component, you have the option to specify that Confluent Control Center use a single proxy server truststore and keystore that contain all the TLS settings for all the components.

confluent.controlcenter.rest.proxy.ssl.truststore.location

The location of the truststore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.rest.proxy.ssl.truststore.password

The store password for the truststore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.rest.proxy.ssl.keystore.location

The location of the keystore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.rest.proxy.ssl.keystore.password

The store password for the keystore file.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.rest.proxy.ssl.key.password

The password of the private key in the keystore file.

  • Type: string
  • Default: “”
  • Importance: low
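The TLS property sets listed above for Schema Registry, Connect, ksqlDB and the single proxy store can be checked mechanically before Control Center starts. The following is an added example, not Confluent code: it reports every set that is only partly specified, on the assumption that a partly filled set is unintended. The file paths, passwords and alias in the sample are constructed.

```python
# Added example (not Confluent code): audit Control Center properties for
# TLS property sets that are only partly specified.

TLS_SUFFIXES = (
    "ssl.truststore.location", "ssl.truststore.password",
    "ssl.keystore.location", "ssl.keystore.password", "ssl.key.password",
)
# Prefix -> True when this reference also lists <prefix>.alias.name.
GROUPS = {
    "confluent.controlcenter.schema.registry.schema.registry": True,
    "confluent.controlcenter.connect.connect": True,
    "confluent.controlcenter.ksql.ksql": True,
    "confluent.controlcenter.rest.proxy": False,
}

def parse_properties(text):
    """Parse key=value lines; simplified (no ':' separators or continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_tls_groups(props):
    """Return {prefix: [missing keys]} for groups that are only partly set."""
    findings = {}
    for prefix, has_alias in GROUPS.items():
        wanted = [f"{prefix}.{suffix}" for suffix in TLS_SUFFIXES]
        if has_alias:
            wanted.append(f"{prefix}.alias.name")
        missing = [key for key in wanted if not props.get(key)]
        # Entirely unset groups are fine: TLS is simply not configured there.
        if missing and len(missing) < len(wanted):
            findings[prefix] = missing
    return findings

# Constructed sample: Connect lacks its key password and alias, ksqlDB is
# complete, Schema Registry and the proxy store are not configured at all.
SAMPLE = """\
confluent.controlcenter.connect.connect.ssl.truststore.location=/etc/c3/connect.truststore.jks
confluent.controlcenter.connect.connect.ssl.truststore.password=example-ts-pass
confluent.controlcenter.connect.connect.ssl.keystore.location=/etc/c3/connect.keystore.jks
confluent.controlcenter.connect.connect.ssl.keystore.password=example-ks-pass
confluent.controlcenter.ksql.ksql.ssl.truststore.location=/etc/c3/ksql.truststore.jks
confluent.controlcenter.ksql.ksql.ssl.truststore.password=example-ts-pass
confluent.controlcenter.ksql.ksql.ssl.keystore.location=/etc/c3/ksql.keystore.jks
confluent.controlcenter.ksql.ksql.ssl.keystore.password=example-ks-pass
confluent.controlcenter.ksql.ksql.ssl.key.password=example-key-pass
confluent.controlcenter.ksql.ksql.alias.name=ksql-client-example
"""

if __name__ == "__main__":
    for prefix, missing in audit_tls_groups(parse_properties(SAMPLE)).items():
        print(f"{prefix}: incomplete TLS set, missing {missing}")
```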

RBAC settings

Metadata Service (MDS) and other optional settings required for implementing RBAC in Control Center. For a complete configuration example of essential settings, see Configure RBAC for Control Center on Confluent Platform.

confluent.metadata.bootstrap.server.urls

A comma-separated list of valid URLs that specify where the RBAC metadata server or servers can be reached. This configuration is required to run Control Center inside an RBAC environment.

  • Type: long
  • Default: 0
  • Importance: low

confluent.metadata.basic.auth.user.info

Formatted as USERNAME:PASSWORD, the credentials of an RBAC user for Control Center to act on behalf of. This includes running Kafka Streams, authorizing requests, and interacting with other Confluent Platform services. This configuration is required to run Control Center inside an RBAC environment.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.auth.bearer.issuer

JWT token issuer.

  • Type: string
  • Default: “”
  • Importance: low

public.key.path

Path to public key for authenticating JWT tokens.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.auth.bearer.roles.claim

JWT roles claim.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.mds.client.max.requests.queued.per.destination

The number of requests that can be queued for the Control Center MDS client used with RBAC. You can increase this property value to increase queue capacity, but you should not lower the value.

  • Type: int
  • Default: 1024
  • Importance: low

confluent.controlcenter.mds.client.idle.timeout

The number of seconds before an idle connection to the Control Center MDS client used with RBAC times out. You can reduce this property value to help reduce the number of connections left in a CLOSE_WAIT state.

  • Type: int
  • Default: 30
  • Importance: low

confluent.controlcenter.auth.bearer.token.max.lifetime.ms

A bearer token issued during login cannot renew itself beyond this duration. You must set confluent.controlcenter.auth.bearer.token.max.lifetime.ms to a value less than 24 hours and greater than or equal to the value of the Metadata Service (MDS) property confluent.metadata.server.token.max.lifetime.ms.

  • If you set this to more than 24 hours, the system overrides your setting and uses 24 hours.
  • If you set this to a value less than the value of the Metadata Service (MDS) property confluent.metadata.server.token.max.lifetime.ms, the value you set for confluent.controlcenter.auth.bearer.token.max.lifetime.ms is ignored. For more information, see Configuration.

Maximum value: 86400000 (24 hours)

  • Type: long
  • Default: 21,600,000 (6 hours)
  • Importance: low

Cluster Registry settings

Version 6.0.1 of Confluent Platform and later includes optional settings to enable the Cluster Registry in Confluent Platform for Control Center, which creates a more user-friendly RBAC role binding experience and enables centralized audit logging.

confluent.metadata.cluster.registry.enable

Set this flag to true to enable the cluster registry. When enabled, cluster information is read from the cluster registry.

  • Type: boolean
  • Default: false

Note

If this feature flag is enabled, the following flags will be ignored:

  • confluent.controlcenter.kafka.<name>.bootstrap.servers
  • confluent.controlcenter.kafka.<name>.<connection config>

An exception to this rule occurs when you need to specify additional flags, such as confluent.controlcenter.kafka.<name>.ssl.keystore.location.

confluent.metadata.cluster.registry.merge.configuration.enable

When enabled, the configuration information for Kafka clusters in the properties file is merged with the one from cluster registry. This enables users to configure additional properties that cannot be added to cluster registry (for example, confluent.controlcenter.kafka.<name>.ssl.keystore.location).

  • Type: boolean
  • Default: true

confluent.controlcenter.purge.stale.cluster.enable

When enabled, Control Center will purge stale cluster information from the command store.

  • Type: boolean
  • Default: false

Email settings

These optional settings control the SMTP server and account used when an alert triggers the email action.

Important

The body of the email alert is populated with the first hostname specified in the confluent.controlcenter.rest.listeners property. The default value is localhost:9021.

confluent.controlcenter.mail.enabled

Enable email alerts. If this setting is false, you cannot add email alert actions in the web user interface.

  • Type: boolean
  • Default: false
  • Importance: low

confluent.controlcenter.mail.host.name

Hostname of outgoing SMTP server.

  • Type: string
  • Default: localhost
  • Importance: low

confluent.controlcenter.mail.port

SMTP port open on confluent.controlcenter.mail.host.name.

  • Type: int
  • Default: 587
  • Importance: low

confluent.controlcenter.mail.ssl.checkserveridentity

Forces the use of TLS and validation of the server’s certificate. Enabling this flag causes Control Center to use the port set by confluent.controlcenter.mail.ssl.port instead of confluent.controlcenter.mail.port.

  • Type: boolean
  • Default: false
  • Importance: low

confluent.controlcenter.mail.ssl.port

SSL-specific SMTP port to open on confluent.controlcenter.mail.host.name. Setting confluent.controlcenter.mail.ssl.checkserveridentity to true forces the use of this port and not the confluent.controlcenter.mail.port.

  • Type: int
  • Default: 465
  • Importance: low

confluent.controlcenter.mail.from

The originating address for emails sent from Control Center.

confluent.controlcenter.mail.bounce.address

Override for confluent.controlcenter.mail.from config to send message bounce notifications.

  • Type: string
  • Importance: low

confluent.controlcenter.mail.starttls.required

Forces using STARTTLS.

  • Type: boolean
  • Default: false
  • Importance: low

confluent.controlcenter.mail.username

Username for username/password authentication. Authentication with your SMTP server is performed only if this value is set.

  • Type: string
  • Importance: low

confluent.controlcenter.mail.password

Password for username/password authentication.

  • Type: string
  • Importance: low
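The mail settings interact: confluent.controlcenter.mail.ssl.checkserveridentity selects the port, and with both it and confluent.controlcenter.mail.starttls.required left at false nothing forces TLS for the SMTP session. The following is an added example, not Confluent code: it resolves the effective host and port from the defaults listed above and flags settings where TLS is not enforced. The hostname, username and password in the samples are constructed, and the finding texts are this example's own wording.

```python
# Added example (not Confluent code): resolve the effective SMTP transport
# from Control Center mail properties and flag unenforced TLS.

P = "confluent.controlcenter.mail."
# Defaults as listed in this reference.
DEFAULTS = {
    P + "enabled": "false", P + "host.name": "localhost",
    P + "port": "587", P + "ssl.port": "465",
    P + "ssl.checkserveridentity": "false",
    P + "starttls.required": "false",
}

def _flag(merged, name):
    return merged[P + name].strip().lower() == "true"

def mail_transport(props):
    """Return (host, port, findings) for a dict of mail properties."""
    merged = {**DEFAULTS, **props}
    host = merged[P + "host.name"]
    if not _flag(merged, "enabled"):
        return host, None, ["mail alerts disabled"]
    check_identity = _flag(merged, "ssl.checkserveridentity")
    starttls = _flag(merged, "starttls.required")
    # checkserveridentity=true makes Control Center use mail.ssl.port.
    port = int(merged[P + "ssl.port"] if check_identity else merged[P + "port"])
    findings = []
    if not check_identity and not starttls:
        findings.append("TLS not enforced: ssl.checkserveridentity and "
                        "starttls.required are both false")
        if merged.get(P + "username"):
            findings.append("SMTP credentials configured without enforced TLS")
    elif not check_identity:
        findings.append("STARTTLS required, but server certificate "
                        "validation is not forced")
    return host, port, findings

# Constructed samples: the same account with and without enforced TLS.
WEAK = {
    P + "enabled": "true", P + "host.name": "smtp.example.internal",
    P + "username": "alerts-example", P + "password": "example-password",
}
HARDENED = {**WEAK, P + "ssl.checkserveridentity": "true"}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, mail_transport(sample))
```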

Feature settings

These optional settings enable Confluent Control Center features such as message inspection, broker configurations, license manager, ksqlDB for Confluent Platform, and Schema Registry. They apply to all clusters managed by the current Control Center installation. Most features are enabled by default except the deprecated views for legacy System Health and Streams Monitoring.

confluent.controlcenter.topic.inspection.enable

Enable users to inspect topics.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.broker.config.edit.enable

Enable user access to Edit dynamic cluster configuration settings.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.license.manager.enable

Enable License Manager in Control Center.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.consumers.view.enable

Enable the Consumers view in Control Center.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.ksql.enable

Enable user access to the ksqlDB GUI.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.schema.registry.enable

Enable user access to Manage Schemas in Confluent Platform.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.ui.autoupdate.enable

Enable auto updating the Control Center UI.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.usage.data.collection.enable

Enable or disable data collection in Control Center. Data collection is disabled, so this property has no effect regardless of its value.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.ui.replicator.monitoring.enable

Enable Replicator monitoring in the Control Center UI.

  • Type: boolean
  • Default: true
  • Importance: low

confluent.controlcenter.ui.controller.chart.enable

Enable the Active Controller chart to display within the Broker uptime panel in the Control Center UI.

  • Type: boolean
  • Default: false
  • Importance: low

ksqlDB settings

You can use these optional settings to use Control Center to interact with ksqlDB Server, which runs separately from your Kafka clusters. For access control configuration related to ksqlDB, see Feature settings.

confluent.controlcenter.ksql.<ksql-cluster-name>.advertised.url

Comma-separated list of advertised URLs to access the ksqlDB cluster on Control Center. Replace <ksql-cluster-name> with the name Control Center should use to identify this ksqlDB cluster. By default, this is set to the value specified in confluent.controlcenter.ksql.<ksql-cluster-name>.url. These hostnames must be reachable from any browser that will use the ksqlDB web interface in Control Center.

For example, if ksqlDB is communicating over an internal DNS that is not externally resolvable or routable (for example, if running in Docker for Mac), then the advertised URL must be set so that the browser can resolve the externally available DNS name at which ksqlDB is reachable. For more information, see Connect ksqlDB Server Instances to Confluent Control Center on Confluent Platform.

  • Type: list
  • Default: “”
  • Importance: low

confluent.controlcenter.ksql.<ksql-cluster-name>.url

Comma-separated list of the ksqlDB server hostnames and listener ports for the ksqlDB cluster specified by <ksql-cluster-name>. By default, this is empty. These hostnames must be reachable from the machine Control Center is installed on. For more information, see Connect ksqlDB Server Instances to Confluent Control Center on Confluent Platform.

  • Type: list
  • Default: “”
  • Importance: low

confluent.controlcenter.ksql.advertised.url

Deprecated. The advertised URL to access the ksqlDB cluster on Control Center. By default, this is set to the value specified in confluent.controlcenter.ksql.url.

  • Type: string
  • Default: “”
  • Importance: low

confluent.controlcenter.ksql.url

Deprecated. The ksqlDB server hostname and listener port. This is deprecated by confluent.controlcenter.ksql.<ksql-cluster-name>.url. If this deprecated configuration is supplied, then Control Center will ignore any named ksqlDB configurations.

  • Type: string
  • Default: “”
  • Importance: low

Internal Kafka Streams settings

Because Control Center reads and writes data to Kafka, you are allowed to change some optional settings for producer and consumer configurations.

Caution

Changing these values is not recommended unless advised by Confluent Support.

Some examples of values used internally are given. These settings map 1:1 with producer/consumer configs used internally by Control Center and all use the prefix confluent.controlcenter.streams.{producer,consumer}..

confluent.controlcenter.streams.ssl.cipher.suites

A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS. By default, all of the available cipher suites are supported.

  • Type: list
  • Default: null
  • Importance: low

confluent.controlcenter.streams.ssl.enabled.protocols

The comma-separated list of protocols enabled for TLS connections. The default value is TLSv1.2,TLSv1.3 when running with Java 11 or later, TLSv1.2 otherwise. With the default value for Java 11 (TLSv1.2,TLSv1.3), Kafka clients and brokers prefer TLSv1.3 if both support it, and fall back to TLSv1.2 otherwise (assuming both support at least TLSv1.2).

  • Type: list
  • Default: TLSv1.2,TLSv1.3
  • Importance: medium

Internal Command settings

These settings are optional.

The command topic is used to store internal configuration data for Control Center.

Note

For multiple instances of Control Center using the same Kafka cluster for monitoring purposes, it may be helpful to use separate metrics and command topics (if each Control Center installation is monitoring different Kafka clusters).

The command topic reuses the defaults/overrides for Kafka Streams, but allows the following overrides.

confluent.controlcenter.command.topic

Topic used to store Control Center configuration.

  • Type: string
  • Default: _confluent-command
  • Importance: low

confluent.controlcenter.command.topic.replication

Replication factor for command topic.

Important

Reducing the replication value is not recommended, except in a development environment.

  • Type: int
  • Default: 3
  • Importance: low

confluent.controlcenter.command.topic.retention.ms

Maximum time in milliseconds that command data is stored in Kafka.

  • Type: long
  • Default: 86,400,000 (1 day)
  • Importance: low

Consumer Group settings

This setting is optional.

If you find that the Consumer Group page is not returning data, you can change the timeout value for the page. The default value is 15 seconds (or 15000 milliseconds); try increasing the value to 30 seconds (30000 milliseconds) if you are having timeout issues.

confluent.controlcenter.consumer.metadata.timeout.ms

Time to wait when attempting to retrieve Consumer Group metadata.

  • Type: int
  • Default: 15,000
  • Importance: low