Posted to user@zookeeper.apache.org by "Chris T." <c....@gmail.com> on 2019/12/12 13:31:32 UTC

Disable non-secured client port

Hi,

we're working on securing our clusters. For quorum, once we set
sslQuorum=true, there is no more unsecured quorum port.
Is such an option available or in the works for the client port as well?
Or is the SSL client port always in addition to the unsecured client port?

Regards,

Chris

Re: Disable non-secured client port

Posted by "Chris T." <c....@gmail.com>.
Great, thanks.

On Thu, Dec 12, 2019 at 3:53 PM Szalay-Bekő Máté <sz...@gmail.com>
wrote:

> Hi Chris,
>
> The short answer is yes, all you need to do is not specify the clientPort
> in the zoo.cfg.
>
> An example for the zoo.cfg in this case:
>
> tickTime=3000
> initLimit=10
> syncLimit=5
> dataDir=/data/zkdata
>
> secureClientPort=2191
> serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
> ssl.keyStore.password=password
> ssl.trustStore.location=/etc/zookeeper/ssl/servertrust.jks
> ssl.trustStore.password=password
>
> These are the main options you can choose from, when configuring client
> SSL:
>
> - option 1: only unsecure (this is when you specify only the clientPort in
> the zoo.cfg)
> - option 2: only SSL (I think this is what you want... this happens if you
> don't specify clientPort in the zoo.cfg, but you specify the
> secureClientPort. Of course in this case you also have to set a few other
> parameters, like setting the serverCnxnFactory to netty and defining the
> ssl.keyStore / ssl.trustStore locations and passwords - see the example
> above)
> - option 3: both secure and unsecure client connections on different server
> ports (this happens when you set both the clientPort and
> the secureClientPort in the zoo.cfg to different ports)
> - option 4: both secure and unsecure client connections using the same
> server port (this happens when you set the 'client.portUnification=true' in
> the config file and set the clientPort in the zoo.cfg. In this case the
> clientPort will be able to serve both unsecure and SSL connections. Of
> course, in this case you still have to set the other SSL related
> parameters, like the serverCnxnFactory and the ssl.keyStore /
> ssl.trustStore locations and passwords)
>
> AFAIK, option 4 is not available yet in any released 3.5 version. It
> will be part of the first 3.6 release candidate soon. Also there is a
> backport PR for it just under review (
> https://github.com/apache/zookeeper/pull/1174) so it's likely to be in the
> next 3.5.7 release, if / whenever that will happen.
>
> Regards,
> Mate
>
> On Thu, Dec 12, 2019 at 2:31 PM Chris T. <c....@gmail.com> wrote:
>
> > Hi,
> >
> > we're working on securing our clusters. For quorum, once we set
> > sslQuorum=true, there is no more unsecured quorum port.
> > Is such an option available or in the works for the client port as well?
> > Or is the SSL client port always in addition to the unsecured client port?
> >
> > Regards,
> >
> > Chris
> >
>

Re: Disable non-secured client port

Posted by Szalay-Bekő Máté <sz...@gmail.com>.
Hi Chris,

The short answer is yes, all you need to do is not specify the clientPort
in the zoo.cfg.

An example for the zoo.cfg in this case:

tickTime=3000
initLimit=10
syncLimit=5
dataDir=/data/zkdata

secureClientPort=2191
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
ssl.keyStore.password=password
ssl.trustStore.location=/etc/zookeeper/ssl/servertrust.jks
ssl.trustStore.password=password

These are the main options you can choose from, when configuring client SSL:

- option 1: only unsecure (this is when you specify only the clientPort in
the zoo.cfg)
- option 2: only SSL (I think this is what you want... this happens if you
don't specify clientPort in the zoo.cfg, but you specify the
secureClientPort. Of course in this case you also have to set a few other
parameters, like setting the serverCnxnFactory to netty and defining the
ssl.keyStore / ssl.trustStore locations and passwords - see the example
above)
- option 3: both secure and unsecure client connections on different server
ports (this happens when you set both the clientPort and
the secureClientPort in the zoo.cfg to different ports)
- option 4: both secure and unsecure client connections using the same
server port (this happens when you set the 'client.portUnification=true' in
the config file and set the clientPort in the zoo.cfg. In this case the
clientPort will be able to serve both unsecure and SSL connections. Of
course, in this case you still have to set the other SSL related
parameters, like the serverCnxnFactory and the ssl.keyStore /
ssl.trustStore locations and passwords)

AFAIK, option 4 is not available yet in any released 3.5 version. It
will be part of the first 3.6 release candidate soon. Also there is a
backport PR for it just under review (
https://github.com/apache/zookeeper/pull/1174) so it's likely to be in the
next 3.5.7 release, if / whenever that will happen.

Regards,
Mate

On Thu, Dec 12, 2019 at 2:31 PM Chris T. <c....@gmail.com> wrote:

> Hi,
>
> we're working on securing our clusters. For quorum, once we set
> sslQuorum=true, there is no more unsecured quorum port.
> Is such an option available or in the works for the client port as well?
> Or is the SSL client port always in addition to the unsecured client port?
>
> Regards,
>
> Chris
>
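The four listener options Mate lists, turned into a check a reviewer can run against a zoo.cfg before rolling it out. This is an added example, not code from the thread or from ZooKeeper itself; the sample config inside it is constructed, and the mode names and finding strings are my own.

```python
"""Added example (not the thread's own code): classify a zoo.cfg into the four
client-listener options from Mate's reply and flag plaintext exposure or
missing SSL parameters. The sample config below is constructed."""

NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
SSL_KEYS = ("ssl.keyStore.location", "ssl.keyStore.password",
            "ssl.trustStore.location", "ssl.trustStore.password")
# Constructed sample: option 3 (split ports) with an incomplete SSL setup.
SAMPLE_CFG = """
clientPort=2181
secureClientPort=2191
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
ssl.keyStore.password=password
"""

def parse_zoo_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def classify_client_listeners(cfg):
    """Return (mode, findings): which option the config selects, and the
    hardening problems a reviewer would raise against it."""
    plain = "clientPort" in cfg
    secure = "secureClientPort" in cfg
    unified = cfg.get("client.portUnification", "false").lower() == "true"
    mode, findings = "none", []     # no client listener at all
    if plain and unified:
        mode = "port-unification"   # option 4: one port, plaintext still accepted
        findings.append("clientPort %s still accepts plaintext" % cfg["clientPort"])
    elif plain and secure:
        mode = "split-ports"        # option 3: plaintext listener stays exposed
        findings.append("plaintext clientPort %s exposed beside SSL" % cfg["clientPort"])
    elif secure:
        mode = "ssl-only"           # option 2: what the question asks for
    elif plain:
        mode = "plaintext-only"     # option 1
        findings.append("no SSL listener configured")
    if secure or unified:           # SSL modes need Netty plus key/trust stores
        if cfg.get("serverCnxnFactory") != NETTY:
            findings.append("serverCnxnFactory must be NettyServerCnxnFactory")
        findings.extend("missing %s" % k for k in SSL_KEYS if k not in cfg)
    return mode, findings
```

Run `classify_client_listeners(parse_zoo_cfg(SAMPLE_CFG))` to see the split-ports verdict with the exposed plaintext port and the two missing trust-store keys reported.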