kafka-users mailing list archives

From Antony A <antonyaugus...@gmail.com>
Subject Re: kafka security using ssl
Date Thu, 22 Aug 2019 12:40:08 GMT
Hi,

I was able to get the broker running if I used a CA created as shown in the example below.
https://kafka.apache.org/documentation/#security_ssl

The issue I am facing is when I used my internal CA. Not sure what I am missing when I am
creating the certificate. 

Thanks.

Sent from my iPhone

> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
> 
> Hi,
>   the error looks like a missing configuration value. A good source of
> examples of how to set up security can be found at
> https://github.com/purbon/kafka-security-playbook or
> https://docs.confluent.io/current/kafka/authentication_ssl.html.
> 
> I would verify them and see if you're using the same configuration and
> properly set up certificate stores.
> 
> I hope it helps,
> 
> -- Pere
> 
>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugustus@gmail.com> wrote:
>> 
>> Hi,
>> 
>> I have followed the steps to secure the brokers using SSL. I have signed
>> the server certificate using internal CA. I have the keystore with server
>> certificate, private key and the CA. Also the truststore has only the CA.
>> 
>> Unfortunately I am unable to start the broker with the following server
>> properties
>> 
>> listeners=SSL://:9092
>> security.inter.broker.protocol=SSL
>> ssl.client.auth=required
>> 
>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
>> ssl.truststore.password=password
>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
>> ssl.keystore.password=password
>> ssl.key.password=password
>> 
>> # ACLs
>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>> super.users=User:kafkabroker
>> 
>> 
>> Here is the error in the logs
>> 
>> org.apache.kafka.common.KafkaException:
>> org.apache.kafka.common.config.ConfigException: Invalid value
>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
>> configuration A client SSLEngine created with the provided settings can't
>> connect to a server SSLEngine created with those settings.
>> 
>> Any pointers on what to do?
>> 
>> Thanks,
>> Antony
>> 
>> PS: Kafka Version 2.3
>> 
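
The broker error quoted above says a client SSLEngine built from the configured stores could not connect to a server SSLEngine built from the same stores, so the keystore's own certificate chain has to validate against the truststore in both roles. The following diagnostic is an added example, not part of the thread or of Kafka's code: it asks the JDK trust manager for that verdict in each direction and prints the rejection reason. The paths and password are the ones in the posted properties; the class name `KafkaStoreCheck` and the key-exchange label passed to the trust manager are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class KafkaStoreCheck {  // hypothetical name, not a Kafka class
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // Run one direction of the check and report the trust manager's verdict.
    static void check(X509TrustManager tm, X509Certificate[] chain, boolean asServer, String authType) {
        String role = asServer ? "server" : "client";
        try {
            if (asServer) tm.checkServerTrusted(chain, authType);
            else tm.checkClientTrusted(chain, authType);
            System.out.println("  as " + role + ": trusted");
        } catch (CertificateException e) {
            System.out.println("  as " + role + ": REJECTED: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray(); // values from the posted server.properties
        KeyStore keys = load("/tmp/kafka.server.keystore.jks", pw);
        KeyStore trust = load("/tmp/kafka.server.truststore.jks", pw);
        // Build the default PKIX trust manager over the truststore only.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers())
            if (t instanceof X509TrustManager) tm = (X509TrustManager) t;
        for (String alias : Collections.list(keys.aliases())) {
            if (!keys.isKeyEntry(alias)) continue; // only entries holding a private key
            Certificate[] raw = keys.getCertificateChain(alias);
            X509Certificate[] chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
            String alg = chain[0].getPublicKey().getAlgorithm();
            // Assumption: an ECDHE key exchange matching the key type is negotiated.
            String kx = "EC".equals(alg) ? "ECDHE_ECDSA" : "ECDHE_RSA";
            System.out.println(alias + " (" + chain[0].getSubjectX500Principal() + ")");
            check(tm, chain, true, kx);   // certificate presented in the server role
            check(tm, chain, false, alg); // same certificate presented in the client role
        }
    }
}
```

A chain that is rejected in either role here points at the certificate itself (path to the CA, validity dates, key usage or extended key usage) rather than at the broker properties.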
