Posted to issues@storm.apache.org by "Jungtaek Lim (JIRA)" <ji...@apache.org> on 2018/11/16 00:01:00 UTC
[jira] [Resolved] (STORM-3123) Storm Kafka Monitor does not work with Kafka over two-way SSL
[ https://issues.apache.org/jira/browse/STORM-3123?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jungtaek Lim resolved STORM-3123.
---------------------------------
Resolution: Fixed
Assignee: Vipin Rathor
Fix Version/s: 2.0.0
Thanks [~vrathor-hw] and [~arunmahadevan] for the patch, I merged it into master.
[~arunmahadevan] I marked [~vrathor-hw] as assignee since he originally worked on it. Please reassign to yourself if it doesn't make sense to you.
And please raise another PR for 1.x-branch as well. There's a merge conflict when cherry-picking.
Thanks again!
> Storm Kafka Monitor does not work with Kafka over two-way SSL
> -------------------------------------------------------------
>
> Key: STORM-3123
> URL: https://issues.apache.org/jira/browse/STORM-3123
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-kafka-monitor
> Affects Versions: 1.2.2
> Reporter: Vipin Rathor
> Assignee: Vipin Rathor
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.0.0
>
> Time Spent: 3h 20m
> Remaining Estimate: 0h
>
> Storm Kafka Monitor has no option to read / parse SSL truststore/keystore properties which are required to connect to Kafka running over two-way SSL. As a fix, it needs to understand the following additional Kafka properties:
> {code:java}
> ssl.truststore.location=<truststore-file>
> ssl.truststore.password=<password>
> ssl.keystore.location=<keystore-file>
> ssl.keystore.password=<password>
> ssl.key.password=<password>
> {code}
> Since the JVM has a fallback mechanism for loading the SSL truststore, Storm Kafka Monitor would always end up using some truststore and would eventually work with one-way SSL (which is also a default for Kafka setup).
> Since there is no such fallback for SSL keystore, Storm Kafka Monitor would start without a keystore and would eventually throw this error (in SSL debug mode):
> {code:java}
> Warning: no suitable certificate found - continuing without client authentication
> *** Certificate chain
> <Empty>
> ***
> {code}
> At this time, the Kafka broker would complain about the above like this:
> {code:java}
> kafka-network-thread-1002-SSL-7, READ: TLSv1.2 Handshake, length = 141
> *** Certificate chain
> <Empty>
> ***
> kafka-network-thread-1002-SSL-7, fatal error: 42: null cert chain
> javax.net.ssl.SSLHandshakeException: null cert chain
> {code}
> Therefore, in the absence of this fix, the only available workaround is to stick to one-way SSL in Kafka (i.e. keep ssl.client.auth=none in Kafka).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
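
An added example, not part of the original message or the Storm patch: a preflight check in Python for a Kafka client properties file that flags the missing keystore settings behind the "null cert chain" failure described in the issue, and the truststore settings whose absence the JVM fallback hides. The function names, sample paths and passwords are assumptions.

```python
import os

# Property names are the ones listed in the issue description.
KEYSTORE_REQUIRED = ("ssl.keystore.location", "ssl.keystore.password")
TRUSTSTORE = ("ssl.truststore.location", "ssl.truststore.password")

def parse_properties(text):
    """Parse the simple key=value / key:value subset of a Java .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if seps:
            props[line[:min(seps)].strip()] = line[min(seps) + 1:].strip()
    return props

def check_two_way_ssl(props, file_exists=os.path.isfile):
    """Return (severity, key, reason) findings for a client that must present a certificate."""
    findings = []
    for key in KEYSTORE_REQUIRED:
        if not props.get(key):
            findings.append(("ERROR", key, "not set: no client certificate, broker reports 'null cert chain'"))
    if not props.get("ssl.key.password"):
        findings.append(("WARN", "ssl.key.password", "not set: needed if the private key has its own password"))
    for key in TRUSTSTORE:
        if not props.get(key):
            findings.append(("WARN", key, "not set: the JVM falls back to another truststore"))
    for key in ("ssl.keystore.location", "ssl.truststore.location"):
        if props.get(key) and not file_exists(props[key]):
            findings.append(("ERROR", key, "file not found: " + props[key]))
    return findings

# Constructed sample: a config that is enough for one-way SSL only.
ONE_WAY_ONLY = """\
# constructed example, paths and passwords are placeholders
ssl.truststore.location=/etc/storm/client.truststore.jks
ssl.truststore.password=changeit-placeholder
"""

if __name__ == "__main__":
    # file_exists is stubbed so the sample runs without the placeholder files.
    for severity, key, reason in check_two_way_ssl(parse_properties(ONE_WAY_ONLY), lambda p: True):
        print(f"{severity:5} {key}: {reason}")
```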