Configuration

Explore options to configure Kafkorama Portal.

Web Server Settings

memory

This parameter sets the maximum heap size (-Xmx) of the Java Virtual Machine (JVM) running the Kafkorama Portal, expressed in megabytes (MB).

For example, to allocate 512 megabytes of heap memory, use:

memory = 512 MB

log.folder

If not set, the default folder logs is used relative to the directory from which the Kafkorama Portal is started.

You can specify an absolute path instead:

web.listen.ip

Specifies the IP address on which the Kafkorama Portal web server will listen for incoming HTTP requests.

web.listen.port

Defines the TCP port on which the Kafkorama Portal web server listens.

web.url

Defines the base URL used in emails and links sent to users.

web.ssl.enable

Enables SSL/TLS for the Kafkorama Portal web server. Set to true to activate HTTPS using the below SSL configuration parameters.

web.ssl.letsencrypt.validationdir

If using Let's Encrypt certificates, this folder is used to temporarily store validation files required for domain ownership verification.

web.ssl.keystorepath

Specifies the file path to the Java keystore (.jks) that contains the SSL certificate used by the Portal.

web.ssl.keystorepassword

The password required to open the keystore file specified in web.ssl.keystorepath.

web.ssl.port

Defines the port on which the Portal listens for HTTPS connections when SSL is enabled.

web.ssl.host

Sets the IP address the HTTPS server binds to.

Email Settings

web.email.verification

Set this to true to require email verification for new users.

web.email.address

Email address used by the portal to send emails. Must be configured if email verification is enabled.

web.email.password

Password for the configured web.email.address.

Admin Settings

admin.email

Email of the administrator account created at startup.

admin.password

Password of the administrator account created at startup.

admin.organization

Organization label associated with the default admin.

Gateway Integration

portal.password

Used by the Kafkorama Gateway to authenticate with the Portal when retrieving Kafka configurations and entitlement data.

gateway.servers

Used by the debug console as well as by demo live data of Kafkorama Portal to establish client connections to the Kafkorama Gateway cluster.

gateway.servers.protocol

Sets the connection scheme (http or https) to be used with gateway.servers.

Demo Mode

demo.apis

Enables demo APIs useful for testing and onboarding.

demo.topic

The default Kafka topic used for demo purposes.

Database Settings

db.name

The path to the SQLite or MySql database file.

db.user / db.password

User and password used for the database connection.

db.type

Sets the type of database backend: sqlite or mysql.

db.ip / db.port

Sets the address and port of the external DB (MySQL).

db.driver.classpath

JDBC driver class used to connect to the database: org.sqlite.JDBC (for SQLite) and com.mysql.jdbc.Driver (for MySQL).

db.ssl

Enables SSL for database connections if set to true.

JWT and Token Settings

renewTokenBeforeSeconds

This parameter defines the number of seconds before the expiration of a JWT token when the Kafkorama Gateway sends a notification to the client, prompting it to renew the token. This ensures uninterrupted service by allowing clients to refresh tokens before they expire.

signature.type

This parameter determines the algorithm type used to verify JWT tokens:

• hmac: A symmetric signature algorithm using the same secret key for both signing and verification. Depending on the length of the key, one of the following HMAC algorithms is automatically selected:

  • HS256: Requires at least a 32-byte secret (recommended)
  • HS384: Requires at least a 48-byte secret
  • HS512: Requires at least a 64-byte secret

• rsa: An asymmetric signature algorithm that uses a private key for signing and a public key for verification. Based on the size of the private key, one of the following algorithms is chosen:

  • RS256: Requires a 2048-bit private key (recommended)
  • RS384: Requires a 3072-bit private key
  • RS512: Requires a 4096-bit private key

signature.hmac.secret

If HMAC is used as the JWT signature method, this parameter must be set with a base64-encoded secret key.

The length of this secret key determines which HMAC algorithm is used.

To generate a base64-encoded 32-byte key, you can use the following command:

openssl rand -base64 32

signature.rsa.publicKeyPath

Specifies the PEM path to the RSA public key used to verify JWT tokens.

Limits

limits.clusters / limits.apis

Sets an upper limit on the number of Kafka clusters and APIs that can be defined in the portal.

OAuth Providers

oauth.github.apikey / oauth.github.apisecret / oauth.github.callback

Used for enabling GitHub-based login. The callback must match the one configured in your GitHub OAuth app.

oauth.google.apikey / oauth.google.apisecret / oauth.google.callback

Used for enabling Google-based login. The callback must match the one configured in your Google OAuth app.

reCAPTCHA Settings

recaptcha.google.enabled

Enables or disables reCAPTCHA validation for forms and authentication.

recaptcha.google.secretkey

The backend secret key provided by Google to verify the token.

recaptcha.google.sitekey

The frontend site key used by the client to render the reCAPTCHA widget.

recaptcha.google.score.threshold

A float value between 0.0 and 1.0. Scores closer to 1.0 are more human-like.

recaptcha.google.hostnames

Comma-separated list of hostnames allowed in the verification response.

recaptcha.google.verify.timeout

Time in milliseconds to wait for a response from Google's reCAPTCHA API.

recaptcha.google.verify.url

The URL used to verify reCAPTCHA tokens. Only change for testing or proxying.