kafka-users mailing list archives

From Antony A <antonyaugus...@gmail.com>
Subject Re: kafka security using ssl
Date Mon, 26 Aug 2019 03:57:55 GMT
Thank you. Using a cert with both server and client auth extensions worked.

Sent from my iPhone

> On Aug 22, 2019, at 8:59 AM, Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
> 
> Hi,
>   I would add both; at the end of the day they do the two jobs. See for more details: https://github.com/purbon/kafka-security-playbook/blob/master/tls/server.cnf#L25
> 
> On Thu., 22 Aug 2019 at 16:50, Antony A <antonyaugustus@gmail.com> wrote:
>> Is ExtendedKeyUsages an issue for Kafka? 
>> 
>> #7: ObjectId: 2.5.29.37 Criticality=false
>> ExtendedKeyUsages [
>>   serverAuth
>> ]
>> 
>> The certificate itself has the CA in the chain.
>> 
>> 
>> 
>>> On Thu, Aug 22, 2019 at 6:51 AM Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
>>> Can you share your certificate content somehow? I should ask, is it
>>> properly signed with the CA? Can you share the current error as well?
>>> 
>>> -- Pere
>>> 
>>> On Thu, 22 Aug 2019, 14:47 Antony A <antonyaugustus@gmail.com> wrote:
>>> 
>>> > Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used
>>> > to create the CSR and the SERVER CERT.
>>> >
>>> > Sent from my iPhone
>>> >
>>> > > On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
>>> > >
>>> > > You should verify a proper chain of validation. Is your private CA cert in your trust store?
>>> > >
>>> > >> On Thu, 22 Aug 2019, 14:40 Antony A <antonyaugustus@gmail.com> wrote:
>>> > >>
>>> > >> Hi,
>>> > >>
>>> > >> I was able to get the broker running if I used a CA created as shown in the example below. https://kafka.apache.org/documentation/#security_ssl
>>> > >>
>>> > >> The issue I am facing is when I used my internal CA. Not sure what I am missing when I am creating the certificate.
>>> > >>
>>> > >> Thanks.
>>> > >>
>>> > >> Sent from my iPhone
>>> > >>
>>> > >>> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.urbon@gmail.com> wrote:
>>> > >>>
>>> > >>> Hi,
>>> > >>>  the error looks like a missing configuration value. A good source of examples of how to set up security can be found at
>>> > >>> https://github.com/purbon/kafka-security-playbook or
>>> > >>> https://docs.confluent.io/current/kafka/authentication_ssl.html.
>>> > >>>
>>> > >>> I would verify them and see if you're using the same configuration and properly set up certificate stores.
>>> > >>>
>>> > >>> I hope it helps,
>>> > >>>
>>> > >>> -- Pere
>>> > >>>
>>> > >>>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugustus@gmail.com> wrote:
>>> > >>>>
>>> > >>>> Hi,
>>> > >>>>
>>> > >>>> I have followed the steps to secure the brokers using SSL. I have signed the server certificate using internal CA. I have the keystore with server certificate, private key and the CA. Also the truststore has only the CA.
>>> > >>>>
>>> > >>>> Unfortunately I am unable to start the broker with the following server properties
>>> > >>>>
>>> > >>>> listeners=SSL://:9092
>>> > >>>> security.inter.broker.protocol=SSL
>>> > >>>> ssl.client.auth=required
>>> > >>>>
>>> > >>>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
>>> > >>>> ssl.truststore.password=password
>>> > >>>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
>>> > >>>> ssl.keystore.password=password
>>> > >>>> ssl.key.password=password
>>> > >>>>
>>> > >>>> # ACLs
>>> > >>>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>>> > >>>> super.users=User:kafkabroker
>>> > >>>>
>>> > >>>>
>>> > >>>> Here is the error in the logs
>>> > >>>>
>>> > >>>> org.apache.kafka.common.KafkaException: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: General SSLEngine problem for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
>>> > >>>>
>>> > >>>> Any pointers on what to do?
>>> > >>>>
>>> > >>>> Thanks,
>>> > >>>> Antony
>>> > >>>>
>>> > >>>> PS: Kafka Version 2.3
>>> > >>>>
>>> > >>
>>> >
> 
> 
> -- 
> Pere Urbon-Bayes
> Software Architect 
> http://www.purbon.com
> https://twitter.com/purbon
> https://www.linkedin.com/in/purbon/
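Added example, not code from the thread or from the projects linked in it: a small openssl script that mints a broker certificate from a private CA with both serverAuth and clientAuth in its Extended Key Usage (the fix Antony confirmed), then pre-flights the EKU and the chain before the certificate goes into the keystore. With ssl.client.auth=required and security.inter.broker.protocol=SSL the broker acts as both TLS server and TLS client, which is why a serverAuth-only certificate cannot pass the client-engine/server-engine handshake named in the error. It assumes openssl on PATH; the CA subject, hostname and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. With ssl.client.auth=required and
# security.inter.broker.protocol=SSL the broker acts as both TLS server and
# TLS client, so its certificate must carry serverAuth AND clientAuth.
# Assumes: openssl on PATH; CA subject, hostname and paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway private CA (stand-in for the internal CA in the thread).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a cert signed by that CA. $1=basename $2=hostname $3=EKU list
make_cert() {
  printf 'extendedKeyUsage = %s\nsubjectAltName = DNS:%s\n' "$3" "$2" \
    > "$WORK/$1.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Pre-flight: return 0 only if the cert lists both EKUs, else name the gap.
check_eku() {
  text=$(openssl x509 -in "$1" -noout -text)
  rc=0
  case "$text" in *"TLS Web Server Authentication"*) ;;
    *) echo "$1: missing serverAuth EKU"; rc=1 ;; esac
  case "$text" in *"TLS Web Client Authentication"*) ;;
    *) echo "$1: missing clientAuth EKU"; rc=1 ;; esac
  return $rc
}

# Pre-flight: the chain must validate against the CA (the other question
# raised in the thread); this is what the truststore's CA entry is for.
check_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
make_cert broker broker1.example.internal "serverAuth, clientAuth"
check_eku "$WORK/broker.crt" && check_chain "$WORK/broker.crt" \
  && echo "OK: $WORK/broker.crt is usable for both TLS roles"
```

Import the resulting broker.key/broker.crt pair and ca.crt into the keystore, and ca.crt alone into the truststore, exactly as the original post describes.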
