Posted to users@kafka.apache.org by karan alang <ka...@gmail.com> on 2017/09/05 21:41:14 UTC

Kafka SSL - console-consumer on node5 not receiving messages from producer on node4

Hi All -

I've Kafka 0.10. I've enabled SSL (non-Kerberized) for the Kafka broker on
Node 4, and *I'm able to produce/consume messages using console-producer &
console-consumer from Node 4.*

However, I'm having issues enabling an SSL connection between Node 4 & Node 5:
when I try to consume messages from Node5 (using console-consumer), I'm facing
issues.

Here are the steps -

On node4 : Started console-producer, publishing on SSL port (9192)


   $CONFLUENT/bin/kafka-console-producer --broker-list node4:9192 --topic ssl --producer.config client-ssl.properties

Started console-consumer on node4, consuming messages from console producer
(port 9192)


   $CONFLUENT/bin/kafka-console-consumer --bootstrap-server node4:9192 --topic ssl --new-consumer --consumer.config client-ssl.properties

Contents of client-ssl.properties:


   security.protocol=SSL
   ssl.truststore.location=/usr/hdp/2.5.3.0-37/confluent-3.2.2/kafkaSSL/kafka.client.truststore.jks
   ssl.truststore.password=<passwd>
   ssl.keystore.location=/usr/hdp/2.5.3.0-37/confluent-3.2.2/kafkaSSL/kafka.client.keystore.jks
   ssl.keystore.password=<passwd>
   ssl.key.password=<passwd>

*This is working fine, and the consumer is able to consume messages produced
by the producer.*

On Node5, I've another Kafka instance; I start another console-consumer
from Node5, for consuming the data from the console-producer on node4.

*To enable SSL (between client on Node5 & Broker on Node4),*

Steps on Node 4 ->

1) create kafka.client05.keystore.jks (*set the CN -> Node5*)


   keytool -keystore kafka.client05.keystore.jks -alias localhost -validity 365 -genkey

- Export certificate from keystore


   keytool -keystore kafka.client05.keystore.jks -alias localhost -certreq -file cert05-file

- Get certificate signed by CA


   openssl x509 -req -CA ca-cert -CAkey ca-key -in cert05-file -out cert05-signed -days 365 -CAcreateserial -passin pass:<passwd>

- Import the CA Certificate & Signed certificate into the keystore


   keytool -keystore kafka.client05.keystore.jks -alias CARoot -import -file ca-cert
   keytool -keystore kafka.client05.keystore.jks -alias localhost -import -file cert05-signed

Add the generated CA to the client's truststore


   keytool -keystore kafka.client05.truststore.jks -alias CARoot -import -file ca-cert

On Node5, I do the same steps as above, and start the console-consumer (to read
data produced by the console-producer on node4)


   $CONFLUENT1/bin/kafka-console-consumer --bootstrap-server node4:9192 --topic ssl --new-consumer --consumer.config client-ssl.properties

This is not working. What do I need to make this work?
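
Added example (not part of the original post): the client-ssl.properties shown above names kafka.client.*.jks stores, while the Node5 steps create kafka.client05.*.jks stores, so one thing worth ruling out on Node5 is a properties file that points at stores which do not exist there. The function names and the set of checks are this example's own assumptions; it uses only the property keys that appear in the post.

```sh
#!/bin/sh
# Added example: preflight for a Kafka client SSL properties file.
# Prints one line per problem; the return status is the number of problems.

# prop_value FILE KEY: print the value of the last "KEY=value" line.
# Trailing whitespace is kept on purpose, as Java .properties parsing keeps it.
prop_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    tr -d '\r' < "$1" |
        sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

check_client_ssl_props() {
    props=$1
    problems=0
    [ -r "$props" ] || { echo "cannot read $props"; return 1; }

    proto=$(prop_value "$props" security.protocol)
    if [ "$proto" != "SSL" ]; then
        echo "security.protocol is [$proto], expected [SSL]"
        problems=$((problems + 1))
    fi

    # Assumption: the broker certificate is signed by a private CA (ca-cert),
    # so a truststore is required; a keystore only matters for client auth.
    truststore=$(prop_value "$props" ssl.truststore.location)
    keystore=$(prop_value "$props" ssl.keystore.location)
    if [ -z "$truststore" ]; then
        echo "ssl.truststore.location is not set"
        problems=$((problems + 1))
    fi
    for path in "$truststore" "$keystore"; do
        if [ -n "$path" ] && [ ! -r "$path" ]; then
            echo "store [$path] is not a readable file on this host"
            problems=$((problems + 1))
        fi
    done
    if [ -n "$keystore" ] && [ -z "$(prop_value "$props" ssl.keystore.password)" ]; then
        echo "ssl.keystore.location is set but ssl.keystore.password is not"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: sh check.sh client-ssl.properties
[ "$#" -eq 0 ] || check_client_ssl_props "$1"
```

The script checks only the local properties file and the store paths it names; it does not open the stores or contact the broker.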