kafka-users mailing list archives

From Pere Urbón Bayes <pere.ur...@gmail.com>
Subject Re: kafka security using ssl
Date Thu, 22 Aug 2019 14:59:24 GMT
Hi,
  I would add both; at the end of the day they do the two jobs. See for more
details:
https://github.com/purbon/kafka-security-playbook/blob/master/tls/server.cnf#L25

Message from Antony A <antonyaugustus@gmail.com> on Thu, 22 Aug 2019
at 16:50:

> Is ExtendedKeyUsages an issue for Kafka?
>
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
> ]
>
> The certificate itself has the CA in the chain.
>
>
>
> On Thu, Aug 22, 2019 at 6:51 AM Pere Urbón Bayes <pere.urbon@gmail.com>
> wrote:
>
>> Can you share your certificate content somehow? I should ask, is it
>> properly signed with the CA? Can you share the current error as well?
>>
>> -- Pere
>>
>> On Thu, 22 Aug 2019, 14:47 Antony A <antonyaugustus@gmail.com> wrote:
>>
>> > Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used
>> > to create the CSR and the SERVER CERT.
>> >
>> > Sent from my iPhone
>> >
>> > > On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pere.urbon@gmail.com>
>> > > wrote:
>> > >
>> > > You should verify a proper chain of validation. Is your private CA
>> > > cert in your trust store?
>> > >
>> > >> On Thu, 22 Aug 2019, 14:40 Antony A <antonyaugustus@gmail.com>
>> > >> wrote:
>> > >>
>> > >> Hi,
>> > >>
>> > >> I was able to get the broker running if I used a CA created as shown
>> > >> in the example below.
>> > >> https://kafka.apache.org/documentation/#security_ssl
>> > >>
>> > >> The issue I am facing is when I used my internal CA. Not sure what I
>> > >> am missing when I am creating the certificate.
>> > >>
>> > >> Thanks.
>> > >>
>> > >> Sent from my iPhone
>> > >>
>> > >>> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pere.urbon@gmail.com>
>> > >> wrote:
>> > >>>
>> > >>> Hi,
>> > >>>  the error looks like a missing configuration value. A good source
>> > >>> of examples of how to set up security can be found at
>> > >>> https://github.com/purbon/kafka-security-playbook or
>> > >>> https://docs.confluent.io/current/kafka/authentication_ssl.html.
>> > >>>
>> > >>> I would verify them and see if you're using the same configuration
>> > >>> and properly set up certificate stores.
>> > >>>
>> > >>> I hope it helps,
>> > >>>
>> > >>> -- Pere
>> > >>>
>> > >>>> On Thu, 22 Aug 2019, 05:49 Antony A <antonyaugustus@gmail.com>
>> > >>>> wrote:
>> > >>>>
>> > >>>> Hi,
>> > >>>>
>> > >>>> I have followed the steps to secure the brokers using SSL. I have
>> > >>>> signed the server certificate using an internal CA. I have the
>> > >>>> keystore with the server certificate, private key and the CA. Also
>> > >>>> the truststore has only the CA.
>> > >>>>
>> > >>>> Unfortunately I am unable to start the broker with the following
>> > >>>> server properties:
>> > >>>>
>> > >>>> listeners=SSL://:9092
>> > >>>> security.inter.broker.protocol=SSL
>> > >>>> ssl.client.auth=required
>> > >>>>
>> > >>>> ssl.truststore.location=/tmp/kafka.server.truststore.jks
>> > >>>> ssl.truststore.password=password
>> > >>>> ssl.keystore.location=/tmp/kafka.server.keystore.jks
>> > >>>> ssl.keystore.password=password
>> > >>>> ssl.key.password=password
>> > >>>>
>> > >>>> # ACLs
>> > >>>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>> > >>>> super.users=User:kafkabroker
>> > >>>>
>> > >>>>
>> > >>>> Here is the error in the logs
>> > >>>>
>> > >>>> org.apache.kafka.common.KafkaException:
>> > >>>> org.apache.kafka.common.config.ConfigException: Invalid value
>> > >>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
>> > >>>> configuration A client SSLEngine created with the provided settings
>> > >>>> can't connect to a server SSLEngine created with those settings.
>> > >>>>
>> > >>>> Any pointers on what to do?
>> > >>>>
>> > >>>> Thanks,
>> > >>>> Antony
>> > >>>>
>> > >>>> PS: Kafka Version 2.3
>> > >>>>
>> > >>
>> >
>>
>

-- 
Pere Urbon-Bayes
Software Architect
http://www.purbon.com
https://twitter.com/purbon
https://www.linkedin.com/in/purbon/
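As an added example that is not part of the thread, the script below shows with the openssl CLI alone why the advice to add both EKUs matters: a broker certificate carrying only serverAuth passes chain validation for the server role but fails it for the client role, which is what a broker also needs for inter-broker TLS and for its own startup check under ssl.client.auth=required. It assumes the openssl CLI is installed; the CA, host name and file names are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): a Kafka broker is a TLS server to
# clients and a TLS client to other brokers, so its certificate must be
# acceptable for both roles. All file names and the CA are constructed here.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for the "internal CA" from the thread.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a broker cert named $2 with extendedKeyUsage = $1, e.g. "serverAuth"
# (the poster's cert) or "serverAuth, clientAuth" (what the reply recommends).
issue_broker_cert() {
  local eku="$1" name="$2"
  cat >"$WORK/$name.cnf" <<EOF
[ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:broker1.example.internal
EOF
  openssl req -newkey rsa:2048 -nodes -subj "/CN=broker1.example.internal" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/$name.cnf" -extensions ext -out "$WORK/$name.crt" 2>/dev/null
}

# Chain + purpose check: $1 is sslserver or sslclient, $2 the cert name.
# Returns 0 when the CA-signed cert is acceptable for that role.
verify_for() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

# Demonstration: the serverAuth-only cert fails the client role.
make_ca
issue_broker_cert "serverAuth" server_only
issue_broker_cert "serverAuth, clientAuth" both
for name in server_only both; do
  for purpose in sslserver sslclient; do
    if verify_for "$purpose" "$name"; then r=ok; else r=FAIL; fi
    echo "$name / $purpose: $r"
  done
done
```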
