Kafka with SSL:
- Generate SSL key and certificate for each Kafka broker (-keyalg RSA avoids keytool's DSA default, which modern TLS cipher suites do not accept)
keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA
output: kafka.server.keystore.jks
- Creating your own CA
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
output: ca-cert, ca-key
- The next step is to add the generated CA to the clients’ truststore so that the clients can trust this CA:
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert
- If you configure the Kafka brokers to require client authentication by setting ssl.client.auth to requested or required in the broker config, then you must also provide a truststore for the Kafka brokers, and it must contain all the CA certificates that the clients' keys were signed by:
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert
- The next step is to sign all certificates in the keystore with the CA we generated.
1. First, you need to export the certificate from the keystore:
keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file cert-file
2. Then sign it with the CA (-passin supplies the passphrase chosen for ca-key when the CA was created):
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
- Finally, you need to import both the certificate of the CA and the signed certificate into the keystore:
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.server.keystore.jks -alias localhost -import -file cert-signed
server.properties:
listeners=PLAINTEXT://node1.openstacklocal:9092,SSL://node1.openstacklocal:9094
# security.protocol is a client setting; the broker ignores it here
security.protocol=SSL
ssl.keystore.location=/home/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/home/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
security.inter.broker.protocol=SSL
producer.properties:
# 9094 is the SSL listener; 9092 is the PLAINTEXT listener and the TLS handshake fails there
bootstrap.servers=node1.openstacklocal:9094
security.protocol=SSL
ssl.truststore.location=/home/kafka/ssl/kafka.client.truststore.jks
ssl.truststore.password=test1234
ssl.keystore.location=/home/kafka/ssl/kafka.client.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
consumer.properties:
security.protocol=SSL
ssl.truststore.location=/home/kafka/ssl/kafka.client.truststore.jks
ssl.truststore.password=test1234
ssl.keystore.location=/home/kafka/ssl/kafka.client.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
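Added example, not from the post: an offline consistency check for the properties files above. It parses the broker's listeners line and a client file (constructed copies embedded in the script, with the producer still pointing at port 9092, the PLAINTEXT port) and reports when bootstrap.servers lands on a listener whose protocol differs from the client's security.protocol, when a client-only key sits in server.properties, and when a PLAINTEXT listener is still exposed.

```python
# Added example (not from the post): offline consistency check for the properties above.
# Both strings are constructed copies of the page's configs (passwords omitted).
SERVER_PROPERTIES = """\
listeners=PLAINTEXT://node1.openstacklocal:9092,SSL://node1.openstacklocal:9094
security.protocol=SSL
ssl.keystore.location=/home/kafka/ssl/kafka.server.keystore.jks
ssl.truststore.location=/home/kafka/ssl/kafka.server.truststore.jks
security.inter.broker.protocol=SSL
"""
PRODUCER_PROPERTIES = """\
bootstrap.servers=node1.openstacklocal:9092
security.protocol=SSL
ssl.truststore.location=/home/kafka/ssl/kafka.client.truststore.jks
"""
# Keys that only mean something to a client; a broker ignores them in server.properties.
CLIENT_ONLY_KEYS = {"security.protocol", "bootstrap.servers"}

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def listener_ports(listeners):
    """'PLAINTEXT://h:9092,SSL://h:9094' -> {9092: 'PLAINTEXT', 9094: 'SSL'}."""
    ports = {}
    for entry in filter(None, (e.strip() for e in listeners.split(","))):
        proto, _, hostport = entry.partition("://")
        ports[int(hostport.rsplit(":", 1)[1])] = proto.upper()
    return ports

def check(server_text, client_text):
    """Return a list of findings; empty means the client reaches a listener of its own protocol."""
    server, client = parse_properties(server_text), parse_properties(client_text)
    findings = [f"server: '{k}' is a client setting; the broker ignores it"
                for k in sorted(server.keys() & CLIENT_ONLY_KEYS)]
    ports = listener_ports(server.get("listeners", ""))
    expected = client.get("security.protocol", "PLAINTEXT").upper()
    for target in filter(None, (t.strip() for t in client.get("bootstrap.servers", "").split(","))):
        actual = ports.get(int(target.rsplit(":", 1)[1]), "no")
        if actual != expected:
            findings.append(f"client: {target} -> {actual} listener, but security.protocol={expected}")
    if "PLAINTEXT" in ports.values():
        findings.append("server: a PLAINTEXT listener is still exposed, so SSL is optional for clients")
    return findings
```

Run it again after changing bootstrap.servers to the 9094 listener and the client finding disappears; the PLAINTEXT-listener finding stays until that listener is removed.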