kafka-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: Using different SSL keystore and truststore for different listeners
Date Sat, 23 Sep 2017 14:36:09 GMT
Hi,

Thanks for your answer. The "listener.name.client.ssl.keystore.location"
trick is exactly what I was looking for. Did I miss it somewhere in the
regular documentation? Or is it mentioned only in the KIP?

Thanks & Regards
Jakub

On Sat, Sep 23, 2017 at 11:05 AM, Manikumar <manikumar.reddy@gmail.com>
wrote:

> Hi,
>
> We can override per-listener security settings. This way we can configure
> each listener with different configs.
>
> https://issues.apache.org/jira/browse/KAFKA-4636
>
> On Fri, Sep 22, 2017 at 2:00 PM, Jakub Scholz <jakub@scholz.cz> wrote:
>
> > Hi,
> >
> > I would like to set up my Kafka cluster so that it has several SSL
> > listeners (for replication, for clients in the internal network, for
> > clients in the external network etc.). But I need to use different
> > certificates for each listener. In particular I need:
> > * different server keys (keystore), because the clients connecting from
> > within the internal network use different hostnames to connect than the
> > clients connecting from the external network, and I want hostname
> > verification to work. (With some private CA the different hostnames can
> > be in the same certificate as alternate subjects. But I would like to
> > have a private CA key for the internal interface with internal addresses
> > and a key from a public CA for the external address. So I need two keys.)
> > * different truststore, because two separate groups of users are
> > authenticating over the different interfaces.
> >
> > Kafka allows creating several different listeners with different
> > configurations. That is great. But it seems that when I create several
> > SSL interfaces they all share the same keystore and truststore file. Is
> > my understanding correct? Or is there some way to configure each
> > listener to use a different keystore / truststore?
> >
> > Thanks & Regards
> > Jakub
> >
>
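A broker server.properties fragment, added here as an illustration and not part of the thread, showing how the per-listener prefix referenced via KAFKA-4636 gives each SSL listener its own keystore and truststore as asked above. The listener names, hostnames, file paths and passwords are assumed placeholders; the broker must run a version that includes KAFKA-4636 for the prefixed keys to take effect.

```properties
# Added example, not from the thread. Listener names, hostnames, paths and
# passwords are placeholders; replace them with your own.

# Three SSL listeners: broker-to-broker replication, clients on the internal
# network, and clients on the external network.
listeners=REPLICATION://0.0.0.0:9093,INTERNAL://0.0.0.0:9094,EXTERNAL://0.0.0.0:9095
advertised.listeners=REPLICATION://broker1.kafka.internal:9093,INTERNAL://broker1.kafka.internal:9094,EXTERNAL://broker1.example.com:9095
listener.security.protocol.map=REPLICATION:SSL,INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=REPLICATION

# Broker-wide defaults. Any listener without an override below uses these,
# so with only this section every SSL listener shares one keystore and one
# truststore, which is the situation described in the original question.
ssl.keystore.location=/etc/kafka/ssl/internal.keystore.jks
ssl.keystore.password=PLACEHOLDER_KEYSTORE_PASSWORD
ssl.key.password=PLACEHOLDER_KEY_PASSWORD
ssl.truststore.location=/etc/kafka/ssl/internal-users.truststore.jks
ssl.truststore.password=PLACEHOLDER_TRUSTSTORE_PASSWORD
ssl.client.auth=required

# Per-listener overrides use the form
#   listener.name.<listener name in lowercase>.<ssl property>
# The external listener presents the public-CA certificate issued for
# broker1.example.com (so hostname verification works for external clients)
# and trusts only the CA that issues certificates to external users.
listener.name.external.ssl.keystore.location=/etc/kafka/ssl/external.keystore.jks
listener.name.external.ssl.keystore.password=PLACEHOLDER_EXT_KEYSTORE_PASSWORD
listener.name.external.ssl.key.password=PLACEHOLDER_EXT_KEY_PASSWORD
listener.name.external.ssl.truststore.location=/etc/kafka/ssl/external-users.truststore.jks
listener.name.external.ssl.truststore.password=PLACEHOLDER_EXT_TRUSTSTORE_PASSWORD

# The replication listener keeps the private-CA server key from the defaults
# but trusts only the CA that issues broker certificates, so a certificate
# from either client population is not accepted on the inter-broker port.
listener.name.replication.ssl.truststore.location=/etc/kafka/ssl/brokers.truststore.jks
listener.name.replication.ssl.truststore.password=PLACEHOLDER_REPL_TRUSTSTORE_PASSWORD
```

Verify the split after a restart by connecting to each port with a client configured for the other population's truststore; the handshake should fail on the listener whose truststore does not contain that client's CA.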
