Posted to users@kafka.apache.org by Antony A <an...@gmail.com> on 2019/08/22 03:49:05 UTC

kafka security using ssl

Hi,

I have followed the steps to secure the brokers using SSL. I have signed
the server certificate using internal CA. I have the keystore with server
certificate, private key and the CA. Also the truststore has only the CA.

Unfortunately I am unable to start the broker with the following server
properties

listeners=SSL://:9092
security.inter.broker.protocol=SSL
ssl.client.auth=required

ssl.truststore.location=/tmp/kafka.server.truststore.jks
ssl.truststore.password=password
ssl.keystore.location=/tmp/kafka.server.keystore.jks
ssl.keystore.password=password
ssl.key.password=password

# ACLs
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafkabroker


Here is the error in the logs

org.apache.kafka.common.KafkaException:
org.apache.kafka.common.config.ConfigException: Invalid value
javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
configuration A client SSLEngine created with the provided settings can't
connect to a server SSLEngine created with those settings.

Any pointers on what to do?

Thanks,
Antony

PS: Kafka Version 2.3

Re: kafka security using ssl

Posted by Antony A <an...@gmail.com>.
Thank you. Using a cert with both server and client auth extensions worked.

Sent from my iPhone

> On Aug 22, 2019, at 8:59 AM, Pere Urbón Bayes <pe...@gmail.com> wrote:
> 
> Hi,
>   I would add both; at the end of the day they do the two jobs. For more details, see https://github.com/purbon/kafka-security-playbook/blob/master/tls/server.cnf#L25
> 

Re: kafka security using ssl

Posted by Pere Urbón Bayes <pe...@gmail.com>.
Hi,
  I would add both; at the end of the day they do the two jobs. For more
details, see
https://github.com/purbon/kafka-security-playbook/blob/master/tls/server.cnf#L25

On Thu, 22 Aug 2019 at 16:50, Antony A <an...@gmail.com> wrote:

> Is ExtendedKeyUsages an issue for Kafka?
>
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
> ]
>
> The certificate itself has the CA in the chain.

-- 
Pere Urbon-Bayes
Software Architect
http://www.purbon.com
https://twitter.com/purbon
https://www.linkedin.com/in/purbon/
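
Added example (not part of the thread, and not code from either poster or from the Kafka project): a shell sketch of why a certificate carrying only serverAuth is rejected when the same keystore has to act as both TLS server and TLS client, as a broker does with security.inter.broker.protocol=SSL and ssl.client.auth=required. It uses a throwaway CA and OpenSSL's purpose check as a stand-in for the JVM's validation; the file names, subject names and broker-* labels are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: issue two leaf certificates from a throwaway CA and
# check which TLS roles each one is accepted for.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Minimal config so the demo does not depend on a system openssl.cnf.
cat > "$workdir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Self-signed CA standing in for the internal CA (hypothetical name).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$workdir/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Example Internal CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
}

# issue_cert NAME EKU_LIST: sign a leaf whose extendedKeyUsage is EKU_LIST.
issue_cert() {
  local name=$1 eku=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$workdir/openssl.cnf" -subj "/CN=$name" \
    -keyout "$workdir/$name.key" -out "$workdir/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage = %s\n' "$eku" > "$workdir/$name.ext"
  openssl x509 -req -in "$workdir/$name.csr" -days 1 \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -extfile "$workdir/$name.ext" -out "$workdir/$name.crt" 2>/dev/null
}

# accepted_as NAME PURPOSE: exit status 0 if the chain verifies for
# PURPOSE (sslserver or sslclient), non-zero otherwise.
accepted_as() {
  openssl verify -CAfile "$workdir/ca.crt" -purpose "$2" \
    "$workdir/$1.crt" >/dev/null 2>&1
}

make_ca
issue_cert broker-server-only "serverAuth"             # the failing case in the thread
issue_cert broker-both        "serverAuth, clientAuth" # the fix that worked

# Print which role each certificate is accepted for.
for cert in broker-server-only broker-both; do
  for purpose in sslserver sslclient; do
    if accepted_as "$cert" "$purpose"; then
      result=accepted
    else
      result=rejected
    fi
    printf '%-20s %-10s %s\n' "$cert" "$purpose" "$result"
  done
done
```

To inspect a real broker certificate the same way, export it from the keystore to PEM and run the openssl verify line against the internal CA's certificate.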

Re: kafka security using ssl

Posted by Antony A <an...@gmail.com>.
Is ExtendedKeyUsages an issue for Kafka?

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

The certificate itself has the CA in the chain.



On Thu, Aug 22, 2019 at 6:51 AM Pere Urbón Bayes <pe...@gmail.com>
wrote:

> Can you share your certificate content somehow? I should ask, is it
> properly signed with the CA? Can you share the current error as well?
>
> -- Pere

Re: kafka security using ssl

Posted by Pere Urbón Bayes <pe...@gmail.com>.
Can you share your certificate content somehow? I should ask, is it
properly signed with the CA? Can you share the current error as well?

-- Pere

On Thu, 22 Aug 2019, 14:47 Antony A <an...@gmail.com> wrote:

> Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used
> to create the CSR and the SERVER CERT.
>
> Sent from my iPhone

Re: kafka security using ssl

Posted by Antony A <an...@gmail.com>.
Yes. The truststore has the CA. The keystore has the CA, PRIVATE KEY used to create the CSR and the SERVER CERT.

Sent from my iPhone

> On Aug 22, 2019, at 6:44 AM, Pere Urbón Bayes <pe...@gmail.com> wrote:
> 
> You should verify a proper chain of validation. Is your private CA cert in
> your trust store?

Re: kafka security using ssl

Posted by Pere Urbón Bayes <pe...@gmail.com>.
You should verify a proper chain of validation. Is your private CA cert in
your trust store?

On Thu, 22 Aug 2019, 14:40 Antony A <an...@gmail.com> wrote:

> Hi,
>
> I was able to get the broker running if I used a CA created as shown in
> the example below. https://kafka.apache.org/documentation/#security_ssl
>
> The issue I am facing is when I used my internal CA. Not sure what I am
> missing when I am creating the certificate.
>
> Thanks.
>
> Sent from my iPhone

Re: kafka security using ssl

Posted by Antony A <an...@gmail.com>.
Hi,

I was able to get the broker running if I used a CA created as shown in the example below. https://kafka.apache.org/documentation/#security_ssl

The issue I am facing is when I used my internal CA. Not sure what I am missing when I am creating the certificate. 

Thanks.

Sent from my iPhone

> On Aug 21, 2019, at 10:16 PM, Pere Urbón Bayes <pe...@gmail.com> wrote:
> 
> Hi,
>   The error looks like a missing configuration value. A good source of
> examples of how to set up security can be found at
> https://github.com/purbon/kafka-security-playbook or
> https://docs.confluent.io/current/kafka/authentication_ssl.html.
> 
> I would verify them and see if you're using the same configuration and
> properly set up certificate stores.
> 
> I hope it helps,
> 
> -- Pere

Re: kafka security using ssl

Posted by Pere Urbón Bayes <pe...@gmail.com>.
Hi,
   The error looks like a missing configuration value. A good source of
examples of how to set up security can be found at
https://github.com/purbon/kafka-security-playbook or
https://docs.confluent.io/current/kafka/authentication_ssl.html.

I would verify them and see if you're using the same configuration and
properly set up certificate stores.

I hope it helps,

-- Pere

On Thu, 22 Aug 2019, 05:49 Antony A <an...@gmail.com> wrote:

> Hi,
>
> I have followed the steps to secure the brokers using SSL. I have signed
> the server certificate using internal CA. I have the keystore with server
> certificate, private key and the CA. Also the truststore has only the CA.
>
> Unfortunately I am unable to start the broker with the following server
> properties
>
> listeners=SSL://:9092
> security.inter.broker.protocol=SSL
> ssl.client.auth=required
>
> ssl.truststore.location=/tmp/kafka.server.truststore.jks
> ssl.truststore.password=password
> ssl.keystore.location=/tmp/kafka.server.keystore.jks
> ssl.keystore.password=password
> ssl.key.password=password
>
> # ACLs
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> super.users=User:kafkabroker
>
>
> Here is the error in the logs
>
> org.apache.kafka.common.KafkaException:
> org.apache.kafka.common.config.ConfigException: Invalid value
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem for
> configuration A client SSLEngine created with the provided settings can't
> connect to a server SSLEngine created with those settings.
>
> Any pointers on what to do?
>
> Thanks,
> Antony
>
> PS: Kafka Version 2.3
>