From: Antony A
Date: Wed, 21 Aug 2019 21:49:05 -0600
Subject: kafka security using ssl
To: users@kafka.apache.org

Hi,

I have followed the steps to secure the brokers using SSL. I have signed the server certificate using an internal CA. I have the keystore with the server certificate, private key and the CA. Also, the truststore has only the CA.

Unfortunately I am unable to start the broker with the following server properties:

listeners=SSL://:9092
security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.truststore.location=/tmp/kafka.server.truststore.jks
ssl.truststore.password=password
ssl.keystore.location=/tmp/kafka.server.keystore.jks
ssl.keystore.password=password
ssl.key.password=password

# ACLs
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafkabroker

Here is the error in the logs:

org.apache.kafka.common.KafkaException: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: General SSLEngine problem for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.

Any pointers on what to do?

Thanks,
Antony

PS: Kafka Version 2.3
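
The error above reports that a client SSLEngine and a server SSLEngine built from the same settings could not complete a handshake, so one thing worth checking is whether the broker certificate validates against the truststore CA in both the server and the client role. The following is an added example, not part of the original post: the function names, the throwaway CA and the two sample certificates are constructed for illustration, and the extended key usage is only one possible reason such a check can fail.

```shell
#!/usr/bin/env bash
# Added example: the CA and certificates below are constructed, not from the post.

# check_roles CA_PEM CERT_PEM
# Prints which TLS roles the certificate validates for against the CA and
# returns 0 only if it is acceptable as BOTH a server and a client certificate.
check_roles() {
  local ca="$1" cert="$2" server=fail client=fail
  openssl verify -CAfile "$ca" -purpose sslserver "$cert" >/dev/null 2>&1 && server=ok
  openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 && client=ok
  echo "server=$server client=$client"
  [ "$server" = ok ] && [ "$client" = ok ]
}

# make_ca DIR: constructed throwaway CA (ca.key / ca.pem) used only by the demo.
make_ca() {
  local d="$1"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=Constructed Internal CA' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 2 >/dev/null 2>&1
}

# make_leaf DIR NAME EKU: leaf certificate signed by the demo CA with the given
# extendedKeyUsage value (for example "serverAuth" or "serverAuth,clientAuth").
make_leaf() {
  local d="$1" name="$2" eku="$3"
  printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=$name.example.internal" \
    -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/$name.ext" -out "$d/$name.pem" -days 2 >/dev/null 2>&1
}

# demo: a server-only certificate fails the client role, a dual-role one passes both.
demo() {
  local d; d="$(mktemp -d)"
  make_ca "$d"
  make_leaf "$d" server-only "serverAuth"
  make_leaf "$d" both-roles "serverAuth,clientAuth"
  echo "server-only: $(check_roles "$d/ca.pem" "$d/server-only.pem")"
  echo "both-roles:  $(check_roles "$d/ca.pem" "$d/both-roles.pem")"
  rm -rf "$d"
}

demo
```

To run the check against real files, export the broker certificate and the CA certificate as PEM first (for example with `keytool -exportcert -rfc`) and pass the two paths to `check_roles`.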