Kafka authentication failed due to: SSL handshake failed

I have to add encryption and authentication with SSL to Kafka.

This is what I did:

- 1) Generate a certificate for each Kafka broker:
Command: keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey

- 2) Create a CA. The generated CA is a public-private key pair and certificate used to sign other certificates. A CA is responsible for signing certificates.
Command: openssl req -new -x509 -keyout ca-key -out ca-cert -days 365

- 3) Sign all broker certificates with the generated CA.
Export the certificate from the keystore: keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
Sign it with the CA: openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days {validity} -CAcreateserial -passin pass:{ca-password}

- 4) Import both the CA certificate and the signed certificate into the keystore:
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed

- 5) Import the CA into the client truststore and the broker/server truststore:
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

- 6) Add these lines to server.properties:
listeners=PLAINTEXT://localhost:9092, SSL://localhost:9192
ssl.client.auth=required
ssl.keystore.location=/home/xrobot/kafka_2.12-2.1.0/certificate/server.keystore.jks
ssl.keystore.password=blablabla
ssl.key.password=blablabla
ssl.truststore.location=/home/xrobot/kafka_2.12-2.1.0/certificate/server.truststore.jks
ssl.truststore.password=blablabla
security.inter.broker.protocol=SSL

The problem is that when I start Kafka, I get this error:

[2019-02-26 19:03:59,783] INFO [KafkaServer id=0] started (kafka.server.KafkaServer)
[2019-02-26 19:04:00,011] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2019-02-26 19:04:00,178] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2019-02-26 19:04:00,319] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)

Why?

Answer 1

I followed the steps you shared to generate the certificates and configured them at the Kafka level and at the Spring Boot producer and consumer level, and everything worked fine.

I also ran into the same error, but I made the following configuration.

You can add the following line to server.properties:

ssl.endpoint.identification.algorithm=

Newer versions of Kafka perform host verification, so you can skip it by adding the line above to server.properties.
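To show what the empty-algorithm line above actually changes, here is an added diagnostic (not code from the question or the answer): it reads the question's listener configuration, applies the hostname-matching rule that Kafka 2.0+ enables by default (SAN dNSName entries if present, otherwise the subject CN, as Java's checker does), and reports either the listener host the broker certificate does not cover or the fact that verification has been switched off. The sample certificate identity is a constructed value.

```python
import re
from typing import Dict, List

# Constructed inputs (not from the question): the question's listener line and a
# broker certificate whose subject CN does not match the SSL listener host.
SAMPLE_PROPERTIES = """listeners=PLAINTEXT://localhost:9092, SSL://localhost:9192
ssl.client.auth=required
security.inter.broker.protocol=SSL
"""
SAMPLE_CERT = {"cn": "xrobot-broker", "san_dns": []}  # constructed identity

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for server.properties (comments start with #)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def ssl_listener_hosts(props: Dict[str, str]) -> List[str]:
    """Hosts of SSL / SASL_SSL listeners; Kafka splits the list on commas and trims."""
    entries = re.split(r"\s*,\s*", props.get("listeners", "").strip())
    found = [re.match(r"(?:SSL|SASL_SSL)://([^:]+):\d+$", e) for e in entries]
    return [m.group(1) for m in found if m]

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or one left-most wildcard label (never *.tld), simplified from Java."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return "." in suffix and "." in host and host.split(".", 1)[1] == suffix
    return pattern == host

def identity_matches(cert: Dict[str, object], host: str) -> bool:
    """Java HostnameChecker rule: SAN dNSName entries if any exist, else subject CN."""
    sans = list(cert.get("san_dns") or [])
    return any(name_matches(n, host) for n in (sans or [str(cert.get("cn", ""))]))

def diagnose(properties_text: str, cert: Dict[str, object]) -> List[str]:
    """Explain an inter-broker 'SSL handshake failed' caused by hostname checks."""
    props = parse_properties(properties_text)
    # Kafka 2.0+ defaults the algorithm to "https"; an empty value turns the check off.
    if props.get("ssl.endpoint.identification.algorithm", "https") == "":
        return ["hostname verification disabled: handshake passes, but any CA-signed "
                "certificate is accepted regardless of the name it was issued for"]
    return [f"SSL listener host {h!r} is not in the broker certificate's SAN/CN; "
            "expect 'SSL handshake failed' on the controller's inter-broker connection"
            for h in ssl_listener_hosts(props) if not identity_matches(cert, h)]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PROPERTIES, SAMPLE_CERT):
        print(finding)
```

With the question's setup, the finding disappears either by reissuing the broker certificate with a SAN or CN of localhost (keeping verification on) or by the empty-algorithm line, which the diagnostic reports as a disabled check.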
