Posted to issues@zookeeper.apache.org by "Aishwarya Soni (Jira)" <ji...@apache.org> on 2020/05/04 02:41:00 UTC

[jira] [Commented] (ZOOKEEPER-2125) SSL on Netty client-server communication

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17098634#comment-17098634 ] 

Aishwarya Soni commented on ZOOKEEPER-2125:
-------------------------------------------

[~mar.ian] I am facing a similar issue. I am configuring SSL on the Zookeeper 3.5.5 branch and have removed the clientPort config from zoo.cfg, adding only secureClientPort. Also, I have removed it from my server ensemble connection string in the zoo.cfg.dynamic file, as it results in a port binding issue on port 2181.

But in zkServer.sh, if the clientPort is not set, it exits with 1 and terminates the process. How can we overcome this situation? We cannot set clientPort in zoo.cfg, as it would enable mixed mode, which we do not want when we enable SSL.

> SSL on Netty client-server communication
> ----------------------------------------
>
>                 Key: ZOOKEEPER-2125
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
>             Project: ZooKeeper
>          Issue Type: Sub-task
>            Reporter: Hongchao Deng
>            Assignee: Hongchao Deng
>            Priority: Major
>              Labels: ssl-tls
>             Fix For: 3.5.1, 3.6.0
>
>         Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks
>
>
> Supporting SSL on Netty client-server communication. 
> 1. It supports keystore and trustore usage. 
> 2. It adds an additional ZK server port which supports SSL. This would be useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files: 
> * testing purpose keystore and truststore under "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=testpass -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=testpass -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!
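The security-relevant distinction in this thread is between a server that declares only secureClientPort (every client connection is TLS) and one that declares clientPort as well (mixed mode, where plaintext connections are still accepted). The script below is an added example, not code from the ZooKeeper project or from this issue: it classifies a 3.5-style configuration by the client listeners it declares, reading both the static clientPort/secureClientPort keys and the dynamic-config form `server.N=host:port1:port2[:role];[addr:]clientport` that the comment above refers to. The sample config files it writes under a temporary directory are constructed for illustration and are not from any real deployment.

```shell
#!/bin/sh
# Added example, not ZooKeeper project code. Reports which client listeners a
# ZooKeeper 3.5-style config declares, across zoo.cfg and zoo.cfg.dynamic:
#   secure-only     only secureClientPort is declared (TLS for all clients)
#   mixed           clientPort and secureClientPort (plaintext still accepted)
#   plaintext-only  only clientPort
#   none            neither listener (zkServer.sh would refuse to start)

# True if FILE declares a plaintext listener: either a static "clientPort="
# key or a dynamic "server.N=host:p1:p2[:role];[addr:]port" line. Lines whose
# key is commented out with '#' do not match because of the ^ anchor.
has_plaintext_listener() {
    grep -Eq '^[[:space:]]*clientPort[[:space:]]*=[[:space:]]*[0-9]+' "$1" && return 0
    grep -Eq '^[[:space:]]*server\.[0-9]+[[:space:]]*=[^#;]*;[^#]*[0-9]+[[:space:]]*$' "$1"
}

# True if FILE declares a TLS listener via the static "secureClientPort=" key.
has_secure_listener() {
    grep -Eq '^[[:space:]]*secureClientPort[[:space:]]*=[[:space:]]*[0-9]+' "$1"
}

# zk_listener_mode FILE...  prints one of the four modes listed above,
# combining every readable file given (e.g. zoo.cfg plus zoo.cfg.dynamic).
zk_listener_mode() {
    plain=0
    secure=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        has_plaintext_listener "$f" && plain=1
        has_secure_listener "$f" && secure=1
    done
    if [ "$plain" -eq 1 ] && [ "$secure" -eq 1 ]; then
        echo mixed
    elif [ "$secure" -eq 1 ]; then
        echo secure-only
    elif [ "$plain" -eq 1 ]; then
        echo plaintext-only
    else
        echo none
    fi
}

# Constructed sample configs (hypothetical hosts and ports, left in place
# under $d so they can be inspected afterwards).
d="${TMPDIR:-/tmp}/zk-listener-check.$$"
mkdir -p "$d"

cat > "$d/secure.cfg" <<'EOF'
tickTime=2000
dataDir=/var/lib/zookeeper
# clientPort=2181   <- commented out: no plaintext listener
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
EOF

cat > "$d/mixed.cfg" <<'EOF'
clientPort=2181
secureClientPort=2281
EOF

# Dynamic-config style: server.1 and server.2 carry a client port after ';',
# server.3 does not.
cat > "$d/dynamic.cfg" <<'EOF'
server.1=zk1.example:2888:3888:participant;0.0.0.0:2181
server.2=zk2.example:2888:3888:participant;2181
server.3=zk3.example:2888:3888:participant
EOF

for name in secure mixed dynamic; do
    printf '%s: %s\n' "$name" "$(zk_listener_mode "$d/$name.cfg")"
done
printf 'secure+dynamic: %s\n' "$(zk_listener_mode "$d/secure.cfg" "$d/dynamic.cfg")"
```

Run it against a real zoo.cfg and zoo.cfg.dynamic pair with `zk_listener_mode /path/zoo.cfg /path/zoo.cfg.dynamic`; the point of checking both files together is exactly the case in the comment above, where a client port on a `server.N=` line in the dynamic file reintroduces a plaintext listener even after clientPort has been removed from zoo.cfg.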



--
This message was sent by Atlassian Jira
(v8.3.4#803005)