Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/05/19 06:32:51 UTC

[GitHub] [pulsar] hari819 commented on issue #6236: SSL/TLS Configuration for Zookeeper,BookKeeper and Pulsar

hari819 commented on issue #6236:
URL: https://github.com/apache/pulsar/issues/6236#issuecomment-630613528


   @sijie @skyrocknroll @rounak11, I did not have time to prepare a document when I completed enabling TLS in February. Hope the following config from bin/pulsar (sh file) and the conf files is helpful:
   
   ZooKeeper:
   =======
   ```
   elif [ $COMMAND == "zookeeper" ]; then
       PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"zookeeper.log"}
       ZK_OPTS=" -Dzookeeper.4lw.commands.whitelist=* -Dzookeeper.snapshot.trust.empty=true -Djava.security.auth.login.config=conf/zk_jaas.conf -Dzookeeper.requireClientAuthScheme=sasl -Dzookeeper.sasl.client=true -Dzookeeper.sasl.clientconfig=Client -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory -Dzookeeper.ssl.keyStore.location=keys/KeyStore.jks -Dzookeeper.ssl.keyStore.password=keys/jkspassword -Dzookeeper.ssl.trustStore.location=keys/TrustStore.jks -Dzookeeper.ssl.trustStore.password=keys/jkspassword  -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider -Dzookeeper.authProvider.2=org.apache.zookeeper.server.auth.SASLAuthenticationProvider -Dzookeeper.authProvider.3=org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
   ```
   
   zookeeper.conf:
   ==========
   ```
   secureClientPort=2281
   
   quorum.auth.enableSasl=true
   quorum.auth.learnerRequireSasl=true
   quorum.auth.serverRequireSasl=true
   quorum.auth.learner.saslLoginContext=QuorumLearner
   quorum.auth.server.saslLoginContext=QuorumServer
   
   requireClientAuthScheme=sasl
   authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   authProvider.2=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   authProvider.3=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   ```
   
   Bookkeeper:
   ========
   ```
   elif [ $COMMAND == "bookie" ]; then
       PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"bookkeeper.log"}
       # Pass BOOKIE_EXTRA_OPTS option defined in pulsar_env.sh
       BOOKIE_EXTRA_OPTS=" -Djavax.net.debug=all -Djavax.net.debug=ssl:handshake:verbose -Dzookeeper.client.secure=true -Djava.security.auth.login.config=conf/bk_jaas.conf"
       OPTS="$OPTS $BOOKIE_EXTRA_OPTS"
       exec $JAVA $OPTS -Dpulsar.log.file=$PULSAR_LOG_FILE org.apache.bookkeeper.proto.BookieServer --conf $PULSAR_BOOKKEEPER_CONF $@
   ```
   bookkeeper.conf:
   ===========
   ```
   tlsProvider=OpenSSL
   tlsProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
   tlsClientAuthentication=true
   tlsEnabledProtocols=TLSv1.2

   tlsKeyStoreType=JKS
   tlsKeyStore=bookie.keystore.jks
   tlsKeyStorePasswordPath=bookie.keystore.passwd
   tlsTrustStoreType=JKS
   tlsTrustStore=bookie.truststore.jks
   tlsTrustStorePasswordPath=bookie.truststore.passwd

   clientTrustStore=client.truststore.jks
   clientTrustStorePasswordPath=client.truststore.passwd
   clientKeyStore=client.keystore.jks
   clientKeyStorePasswordPath=client.keystore.passwd
   ```
   
   Pulsar(Broker):
   =========
   ```
   if [ $COMMAND == "broker" ]; then
       PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"pulsar-broker.log"}
       exec $JAVA $OPTS -Djavax.net.debug=all -Djavax.net.debug=ssl:handshake:verbose -Djava.security.auth.login.config=bk_jaas.conf $ASPECTJ_AGENT -Dpulsar.log.file=$PULSAR_LOG_FILE org.apache.pulsar.PulsarBrokerStarter --broker-conf $PULSAR_BROKER_CONF $@
   ```
   
   broker.conf:
   ========
   ```
   tlsEnabled=true
   tlsCertRefreshCheckDurationSec=300
   tlsCertificateFilePath=tls.crt.pem
   tlsKeyFilePath=tls.key.pem
   tlsTrustCertsFilePath=ca.cert.pem
   tlsAllowInsecureConnection=false
   tlsProtocols=TLSv1.2,TLSv1.1
   tlsRequireTrustedClientCertOnConnect=false

   authenticationEnabled=true
   authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
   authorizationEnabled=false
   authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider

   brokerClientTlsEnabled=true
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
   brokerClientAuthenticationParameters=tlsCertFile:tls.crt.pem,tlsKeyFile:tls.key.pem
   brokerClientTrustCertsFilePath=ca.cert.pem

   bookkeeperTLSProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
   bookkeeperTLSClientAuthentication=true
   bookkeeperTLSKeyFileType=JKS
   bookkeeperTLSTrustCertTypes=JKS
   bookkeeperTLSKeyStorePasswordPath=bookie.keystore.passwd
   bookkeeperTLSTrustStorePasswordPath=bookie.truststore.passwd
   ```


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
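Added example, not part of the comment above or of the Pulsar/BookKeeper projects: a small lint that parses a Java-style properties file such as the posted broker.conf and the `-D` options from the posted bin/pulsar edits, and reports the settings a reviewer would want revisited before such a configuration goes to production: a legacy protocol in `tlsProtocols`, authentication on with authorization off, `javax.net.debug` left in the launch options (and given twice), and a keystore password passed as a JVM system property. The sample inputs are constructed from the values in the comment; the check names and `LEGACY_PROTOCOLS` set are this example's own assumptions, not Pulsar settings.

```python
"""Lint TLS-related settings in a Pulsar broker.conf and in the JVM -D options
used to launch the services. Added example; not project code."""
import re

# Constructed sample: the broker.conf keys from the comment, with one comment line.
BROKER_CONF = """\
tlsEnabled=true
tlsCertificateFilePath=tls.crt.pem
tlsKeyFilePath=tls.key.pem
tlsTrustCertsFilePath=ca.cert.pem
tlsAllowInsecureConnection=false
tlsProtocols=TLSv1.2,TLSv1.1
tlsRequireTrustedClientCertOnConnect=false
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
# the provider below is only consulted when authorizationEnabled=true
authorizationEnabled=false
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
"""

# Constructed sample: a subset of the JVM options from the comment's bin/pulsar edits.
LAUNCH_OPTS = ("-Djavax.net.debug=all -Djavax.net.debug=ssl:handshake:verbose "
               "-Dzookeeper.ssl.keyStore.password=keys/jkspassword "
               "-Dzookeeper.client.secure=true")

# Assumption of this example: protocol names older than TLS 1.2 count as legacy.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped,
    and only the first '=' splits, so values may themselves contain '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"


def audit_broker(props):
    """Return findings on a parsed broker.conf as (setting, reason) tuples."""
    findings = []
    if not _is_true(props, "tlsEnabled"):
        findings.append(("tlsEnabled", "TLS listener is off"))
    if _is_true(props, "tlsAllowInsecureConnection"):
        findings.append(("tlsAllowInsecureConnection",
                         "broker accepts client certificates it cannot validate"))
    enabled = {p.strip() for p in props.get("tlsProtocols", "").split(",") if p.strip()}
    legacy = sorted(enabled & LEGACY_PROTOCOLS)
    if legacy:
        findings.append(("tlsProtocols", "legacy protocol(s) enabled: " + ", ".join(legacy)))
    auth_on = _is_true(props, "authenticationEnabled")
    if not auth_on:
        findings.append(("authenticationEnabled", "clients are not authenticated"))
    elif not _is_true(props, "authorizationEnabled"):
        findings.append(("authorizationEnabled",
                         "clients are authenticated but every authenticated client may do anything"))
    return findings


def audit_launch_opts(opts):
    """Return findings on JVM -D options: duplicated keys, JSSE debug output,
    and secrets handed over on the command line (visible in process listings)."""
    findings = []
    props = {}
    for key, value in re.findall(r"-D([^=\s]+)=(\S*)", opts):
        if key in props:
            findings.append((key, f"given twice; the JVM keeps one value ('{value}')"))
        props[key] = value
    if "javax.net.debug" in props:
        findings.append(("javax.net.debug",
                         "JSSE debug output is written on every handshake; remove outside troubleshooting"))
    for key in props:
        if key.lower().endswith("password"):
            findings.append((key, "value is visible to anyone who can list processes; use a password file"))
    return findings


if __name__ == "__main__":
    for setting, reason in audit_broker(parse_properties(BROKER_CONF)):
        print(f"broker.conf: {setting}: {reason}")
    for setting, reason in audit_launch_opts(LAUNCH_OPTS):
        print(f"bin/pulsar: -D{setting}: {reason}")
```

Run it against a real broker.conf by replacing `BROKER_CONF` with the file's contents; a clean result is an empty list from both functions, which the hardened variant (only `TLSv1.2`, authorization on, no debug flags, passwords in files) produces.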