I am trying to set up SSL on my 3-node Kafka cluster but keep running into connection errors, specifically ones indicating that the brokers cannot connect to each other. They look like this:
WARN [Controller-1003-to-broker-1002-send-thread], Controller 1003's connection to broker FQDN:9093 (id: 1002 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
I am trying to follow the steps found here (http://kafka.apache.org/documentation.html#security), but I admit I have never worked with keystores or certificates before, so I may be doing something fundamentally wrong. Here are the settings I changed in all 3 server.properties files:
security.inter.broker.protocol=SSL
listeners=SSL://<FQDN>:9093 #Turning off PLAINTEXT to be sure everything is working over SSL
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.key.password=test1234
ssl.keystore.location=/var/private/ssl/server.keystore.jks
ssl.keystore.password=test1234
ssl.truststore.location=/var/private/ssl/server.truststore.jks
ssl.truststore.password=test1234
Here are the commands I ran on each Kafka broker:
PASSWORD=test1234
VALIDITY=365
FQDN=`hostname --fqdn`
keytool -alias localhost -keystore server.keystore.jks -keypass $PASSWORD -storepass $PASSWORD -genkeypair -validity $VALIDITY -dname "cn=$FQDN, ou=development, o=mycom.com, l=stl, st=mo, c=jv" -keyalg RSA
openssl req -new -x509 -keyout ca-key -out ca-cert -days $VALIDITY
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -noprompt  # store password must match ssl.truststore.password (was mistyped as test1t34)
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -noprompt
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file -storepass $PASSWORD
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days $VALIDITY -CAcreateserial -passin pass:$PASSWORD
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -noprompt
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed -storepass $PASSWORD -noprompt
cp ./server.truststore.jks /var/private/ssl/server.truststore.jks
cp ./server.keystore.jks /var/private/ssl/server.keystore.jks
At the end of these commands each broker has its own local server.truststore.jks and server.keystore.jks, and none of them has exchanged anything with any other broker.
I have verified that port 9093 is open and reachable via telnet (telnet localIP 9093 works fine), but when I run
openssl s_client -debug -connect <local IPs>:9093 -tls1
all 3 machines return
Verify return code: 19 (self signed certificate in certificate chain)
Should I be running all of the above commands on all 3 brokers? Some of the commands reference client.keystore.jks and client.truststore.jks.
Does anyone know what is not set up correctly?
Thanks!
Answer 0 (score: 0)
I generate the CA on one node and then copy it to all nodes.
Run on all nodes:
keytool -alias localhost -keystore server.keystore.jks -keypass $PASSWORD -storepass $PASSWORD -genkeypair -validity $VALIDITY -dname "cn=$FQDN, ou=development, o=mycom.com, l=stl, st=mo, c=jv" -keyalg RSA
On one node, or locally:
openssl req -new -x509 -keyout ca-key -out ca-cert -days $VALIDITY
Copy the CA to all nodes.
On all nodes:
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -noprompt  # store password must match ssl.truststore.password (was mistyped as test1t34)
For the client, run on one node and then copy to the clients:
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -noprompt
On all nodes:
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file -storepass $PASSWORD
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days $VALIDITY -CAcreateserial -passin pass:$PASSWORD
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -noprompt
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed -storepass $PASSWORD -noprompt
cp ./server.truststore.jks /var/private/ssl/server.truststore.jks
cp ./server.keystore.jks /var/private/ssl/server.keystore.jks
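The answer's point, and the reason the question's setup fails, is that every broker must trust the same CA: with one CA per broker, broker A's truststore contains only A's CA, so B's certificate (signed by B's CA) is rejected, which is exactly the "self signed certificate in certificate chain" result from s_client. The script below is an added example, not the questioner's or answerer's commands. It builds the same layout (one CA, one signed key per broker, one shared truststore) with openssl alone and writes PKCS12 stores, which Kafka accepts with ssl.keystore.type=PKCS12 and ssl.truststore.type=PKCS12; keytool and JKS are not required. The broker FQDNs, the output directory and the function names are constructed for the example. It also adds a DNS subjectAltName to each broker certificate, because Kafka 2.0 and later verify the peer hostname by default (ssl.endpoint.identification.algorithm=https), and it keeps a second, unrelated CA around only to show that a certificate from the shared CA does not verify against it.

```shell
#!/usr/bin/env bash
# Added example (not the original post's commands): one shared CA, three broker
# keystores signed by it, one shared truststore, all built with openssl only.
# Broker names, directories and function names are constructed for the example.
set -eu

PASSWORD="test1234"   # same store/key password the original server.properties uses
VALIDITY=365
BROKERS="kafka1.example.com kafka2.example.com kafka3.example.com"  # constructed sample FQDNs

# One CA for the whole cluster. Run once. Only ca-cert is copied to other hosts;
# ca-key stays on the signing host (it can issue certificates for any name).
make_ca() {  # $1 = output dir
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$VALIDITY" \
    -subj "/CN=Kafka cluster CA/O=mycom.com" \
    -keyout "$1/ca-key" -out "$1/ca-cert" >/dev/null 2>&1
}

# Per-broker private key and CSR, signed by the shared CA with a DNS SAN so
# hostname verification passes, then packed into a PKCS12 keystore that holds
# key + leaf certificate + CA certificate (what the two keytool imports build).
make_broker_keystore() {  # $1 = output dir, $2 = broker FQDN, $3 = CA dir
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2/OU=development/O=mycom.com" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -sha256 -days "$VALIDITY" -in "$1/$2.csr" \
    -CA "$3/ca-cert" -CAkey "$3/ca-key" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
  openssl pkcs12 -export -name localhost -inkey "$1/$2.key" -in "$1/$2.crt" \
    -certfile "$3/ca-cert" -out "$1/$2.keystore.p12" -passout "pass:$PASSWORD"
}

# Truststore = the CA certificate only. Identical on every broker and client.
make_truststore() {  # $1 = CA cert, $2 = output store
  openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$PASSWORD"
}

# "yes" if certificate $2 chains to CA $1, "no" otherwise; this is the check
# behind s_client's "Verify return code".
chain_ok() {  # $1 = CA cert, $2 = certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Number of certificates in a PKCS12 store: 2 for a keystore (leaf + CA), 1 for the truststore.
p12_cert_count() {  # $1 = store
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASSWORD" 2>/dev/null | grep -c 'BEGIN CERT'
}

# Builds everything under a temp dir and prints its path. The stray CA stands in
# for the per-broker CAs of the original setup and is never used for signing.
build_cluster_pki() {
  local work
  work=$(mktemp -d)
  mkdir -p "$work/ca" "$work/stray-ca" "$work/brokers"
  make_ca "$work/ca"
  make_ca "$work/stray-ca"
  for b in $BROKERS; do
    make_broker_keystore "$work/brokers" "$b" "$work/ca"
  done
  make_truststore "$work/ca/ca-cert" "$work/brokers/truststore.p12"
  echo "$work"
}
```

Deploy by copying each broker's own `<fqdn>.keystore.p12` to /var/private/ssl on that broker and the single truststore.p12 to every broker and client, then set ssl.keystore.location, ssl.truststore.location, ssl.keystore.type=PKCS12 and ssl.truststore.type=PKCS12 in server.properties. Re-running `openssl s_client -connect <fqdn>:9093 -CAfile ca-cert` should then report verify return code 0 from every broker; `chain_ok` against the stray CA returns "no", which is the situation the question describes when each broker trusts only its own CA.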