
I have to add encryption and authentication with SSL in Kafka.

This is what I have done:

- 1) Generate a certificate for each Kafka broker:
COMMAND: keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey

- 2) Create the CA. The generated CA is a public-private key pair and certificate used to sign other certificates. A CA is responsible for signing certificates.
COMMAND: openssl req -new -x509 -keyout ca-key -out ca-cert -days 365

- 3) Sign all broker certificates with the generated CA
Export the certificate from the keystore: keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
Sign it with the CA: openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days {validity} -CAcreateserial -passin pass:{ca-password}

- 4) Import both the certificate of the CA and the signed certificate into the keystore:
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed

- 5) Import the CA into the client truststore and the broker/server truststore:
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

- 6) Add these lines to the configuration file server.properties:
listeners=PLAINTEXT://localhost:9092, SSL://localhost:9192
ssl.client.auth=required
ssl.keystore.location=/home/xrobot/kafka_2.12-2.1.0/certificate/server.keystore.jks
ssl.keystore.password=blablabla
ssl.key.password=blablabla
ssl.truststore.location=/home/xrobot/kafka_2.12-2.1.0/certificate/server.truststore.jks
ssl.truststore.password=blablabla
security.inter.broker.protocol=SSL

The problem is that when I start Kafka, I get this error:

[2019-02-26 19:03:59,783] INFO [KafkaServer id=0] started (kafka.server.KafkaServer)
[2019-02-26 19:04:00,011] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2019-02-26 19:04:00,178] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2019-02-26 19:04:00,319] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

Why?

xRobot

1 Answer


I used your shared steps to generate the certificates and configured them at the Kafka and Spring Boot producer and consumer level; all are working fine.

I have also got the same error, but I did the following configuration.

You can add the following line in server.properties:

ssl.endpoint.identification.algorithm=

Higher versions of Kafka do host verification, so you can ignore it by adding the above line to server.properties.

Falcon Momot
  • Wouldn't it be better to ensure the hostnames match the SANs on the cert rather than disabling hostname checking? – floodpants Nov 28 '20 at 11:09
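The following script is an added example and is not code from the question, the answer or the Kafka project. It takes the route floodpants' comment points at: since Kafka 2.0 the default `ssl.endpoint.identification.algorithm` is `https`, so the controller's own connection to `localhost:9192` fails the handshake when the broker certificate carries no Subject Alternative Name matching the listener hostname. The script builds the same artefacts as steps 1-5 of the question (CA, broker certificate signed by that CA, `server.keystore.jks`, `server.truststore.jks`, `client.truststore.jks`) but puts `DNS:localhost,IP:127.0.0.1` into the SAN and checks the result before anything is handed to Kafka, so the blank `ssl.endpoint.identification.algorithm=` line from the answer is not needed. Assumptions that are mine, not the page's: hostname `localhost`, keystore password `changeit`, a scratch directory `$WORK`, and `openssl` plus the JDK's `keytool` on the PATH. The openssl side does the key generation and signing; keytool only packages the JKS files.

```shell
#!/usr/bin/env sh
# Added example, not code from the original question or answer.
# Builds a CA-signed broker certificate whose Subject Alternative Name (SAN)
# lists the listener hostname, so the broker passes hostname verification
# under Kafka's default ssl.endpoint.identification.algorithm=https instead
# of that check being switched off. Assumed names (mine): hostname
# "localhost", password "changeit", scratch directory $WORK, key alias
# "localhost" to match the server.properties in the question.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"
BROKER_HOST="${BROKER_HOST:-localhost}"

# Minimal openssl config so the commands do not depend on the system
# openssl.cnf; the v3_ca section marks the CA certificate as a CA.
write_cnf() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 2 of the question, non-interactive: CA key plus self-signed CA cert.
make_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -config "$WORK/ca.cnf" -subj "/CN=Kafka Test CA" \
    -keyout "$WORK/ca-key" -out "$WORK/ca-cert" 2>/dev/null
}

# Broker key and CSR. CN is set to the hostname for readability, but Java
# hostname verification looks at the SAN, which is added at signing time.
make_broker_csr() {
  openssl req -new -nodes -newkey rsa:2048 -config "$WORK/ca.cnf" \
    -subj "/CN=$BROKER_HOST" \
    -keyout "$WORK/broker-key" -out "$WORK/broker-csr" 2>/dev/null
}

# Step 3 of the question. Caveat: `openssl x509 -req` does not copy extensions
# from the CSR, so the SAN has to be supplied here or it silently disappears.
sign_broker_cert() {
  printf 'subjectAltName=DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$BROKER_HOST" > "$WORK/broker.ext"
  openssl x509 -req -days 365 -CA "$WORK/ca-cert" -CAkey "$WORK/ca-key" \
    -CAcreateserial -in "$WORK/broker-csr" -out "$WORK/broker-cert" \
    -extfile "$WORK/broker.ext" 2>/dev/null
}

# The check to run before touching Kafka: the chain verifies against the CA
# and the SAN covers the hostname the listener will advertise. Returns 0 if
# both hold, 1 otherwise.
check_broker_cert() {
  openssl verify -CAfile "$WORK/ca-cert" "$WORK/broker-cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/broker-cert" -noout -text \
    | grep -qE "DNS:$1(,|\$)" || return 1
  return 0
}

# Steps 4 and 5 of the question: key + chain into server.keystore.jks via a
# PKCS12 bundle, CA cert alone into the server and client truststores.
build_stores() {
  cat "$WORK/broker-cert" "$WORK/ca-cert" > "$WORK/broker-chain"
  openssl pkcs12 -export -name localhost -inkey "$WORK/broker-key" \
    -in "$WORK/broker-chain" -out "$WORK/broker.p12" -passout "pass:$PASS"
  keytool -importkeystore -noprompt -srckeystore "$WORK/broker.p12" \
    -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore "$WORK/server.keystore.jks" -deststorepass "$PASS"
  for store in server.truststore.jks client.truststore.jks; do
    keytool -importcert -noprompt -alias CARoot -file "$WORK/ca-cert" \
      -keystore "$WORK/$store" -storepass "$PASS"
  done
}

write_cnf && make_ca && make_broker_csr && sign_broker_cert
check_broker_cert "$BROKER_HOST" && echo "broker cert OK for $BROKER_HOST (files in $WORK)"
# keytool ships with the JDK; skip the JKS packaging where it is absent.
if command -v keytool >/dev/null 2>&1; then build_stores; fi
```

Point `ssl.keystore.location` and `ssl.truststore.location` at the files in `$WORK`, keep the `SSL://localhost:9192` listener (the name that is in the SAN), and leave `ssl.endpoint.identification.algorithm` at its default. If you prefer to stay with the keytool-first flow from the question, `keytool -genkeypair ... -ext SAN=DNS:localhost,IP:127.0.0.1` puts the SAN into the keystore entry and the CSR, but `openssl x509 -req` still drops it at signing unless you pass the same `-extfile` as above (or, on OpenSSL 3, `-copy_extensions copy`); checking the signed certificate with `keytool -printcert -file cert-signed` or `openssl x509 -text` for the `DNS:` entry is the quickest way to catch that.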