kafka-users mailing list archives

From Manikumar <manikumar.re...@gmail.com>
Subject Re: Using different SSL keystore and truststore for different listeners
Date Sat, 23 Sep 2017 16:50:34 GMT
Yes, it was missing in the Kafka documentation.  I will raise a PR to
update the docs.

On Sat, Sep 23, 2017 at 8:06 PM, Jakub Scholz <jakub@scholz.cz> wrote:

> Hi,
>
> Thanks for your answer. The "listener.name.client.ssl.keystore.location"
> trick is exactly what I was looking for. Did I miss it somewhere in the
> regular documentation? Or is it mentioned only in the KIP?
>
> Thanks & Regards
> Jakub
>
> On Sat, Sep 23, 2017 at 11:05 AM, Manikumar <manikumar.reddy@gmail.com>
> wrote:
>
> > Hi,
> >
> > We can override per-listener security settings.  This way we can configure
> > each listener with different configs.
> >
> > https://issues.apache.org/jira/browse/KAFKA-4636
> >
> > On Fri, Sep 22, 2017 at 2:00 PM, Jakub Scholz <jakub@scholz.cz> wrote:
> >
> > > Hi,
> > >
> > > I would like to set up my Kafka cluster so that it has several SSL
> > > listeners (for replication, for clients in internal network, for clients
> > > in external network etc.). But I need to use different certificates for
> > > each listener. In particular I need:
> > > * different server keys (keystore) because the clients connecting from
> > > within internal network use different hostnames to connect than the
> > > clients connecting from external network and I want hostname
> > > verification to work. (With some private CA the different hostnames can
> > > be in the same certificate as alternate subjects. But I would like to
> > > have private CA key for the internal interface with internal addresses
> > > and key from a public CA for the external address. So I need two keys.)
> > > * different truststore because two separate groups of users are
> > > authenticating over the different interfaces.
> > >
> > > Kafka allows creating several different listeners with different
> > > configurations. That is great. But it seems that when I create several
> > > SSL interfaces they all share the same keystore and truststore file. Is
> > > my understanding correct? Or is there some way to configure each
> > > listener to use different keystore / truststore?
> > >
> > > Thanks & Regards
> > > Jakub
> > >
> >
>
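
Added example (not part of the original thread): a broker `server.properties` fragment showing the per-listener override discussed above, with three SSL listeners that each present their own key and trust a different CA set. The listener names, hostnames, ports, file paths and password placeholders are constructed assumptions, and client certificate authentication is assumed on the two client-facing listeners.

```properties
# Constructed example: names, hosts, ports, paths and passwords are placeholders.
# Three named listeners, all mapped to the SSL security protocol.
listeners=REPLICATION://broker1.internal.example:9091,CLIENT://broker1.internal.example:9092,EXTERNAL://kafka1.example.com:9093
advertised.listeners=REPLICATION://broker1.internal.example:9091,CLIENT://broker1.internal.example:9092,EXTERNAL://kafka1.example.com:9093
listener.security.protocol.map=REPLICATION:SSL,CLIENT:SSL,EXTERNAL:SSL
inter.broker.listener.name=REPLICATION

# Unprefixed ssl.* settings are the fallback for any SSL listener that has no
# listener.name.<name>.* override. Here only REPLICATION relies on them.
ssl.keystore.location=/etc/kafka/ssl/replication.keystore.jks
ssl.keystore.password=<replication-keystore-password>
ssl.key.password=<replication-key-password>
ssl.truststore.location=/etc/kafka/ssl/replication.truststore.jks
ssl.truststore.password=<replication-truststore-password>
ssl.client.auth=required

# CLIENT listener: key issued by the private CA for the internal hostname,
# truststore containing only the CA that issues internal client certificates.
# The listener name is written in lower case in the property prefix.
listener.name.client.ssl.keystore.location=/etc/kafka/ssl/internal.keystore.jks
listener.name.client.ssl.keystore.password=<internal-keystore-password>
listener.name.client.ssl.key.password=<internal-key-password>
listener.name.client.ssl.truststore.location=/etc/kafka/ssl/internal-clients.truststore.jks
listener.name.client.ssl.truststore.password=<internal-truststore-password>
listener.name.client.ssl.client.auth=required

# EXTERNAL listener: key issued by a public CA for the external hostname,
# truststore containing only the CA that issues external client certificates.
listener.name.external.ssl.keystore.location=/etc/kafka/ssl/external.keystore.jks
listener.name.external.ssl.keystore.password=<external-keystore-password>
listener.name.external.ssl.key.password=<external-key-password>
listener.name.external.ssl.truststore.location=/etc/kafka/ssl/external-clients.truststore.jks
listener.name.external.ssl.truststore.password=<external-truststore-password>
listener.name.external.ssl.client.auth=required
```

Keeping the truststores disjoint is what separates the two user groups: a certificate issued for external clients does not validate on the CLIENT listener, and the reverse.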
