Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2020/11/03 13:32:37 UTC

[GitHub] [zookeeper] tedpearson commented on pull request #1285: ZOOKEEPER-3689: zkCli/ZooKeeperMain relies on system properties for TLS config

tedpearson commented on pull request #1285:
URL: https://github.com/apache/zookeeper/pull/1285#issuecomment-720928392


   Dear future engineer sent here from Google trying to figure out how to use this new feature:
   
   The format of the client-configuration file is also a properties file like the server's zoo.cfg, but the properties all have `zookeeper.` prepended to them, like the system properties.
   
   So if you want to do TLS, you need a `client.cnf` something like this:
   ```
   zookeeper.client.secure=true
   zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
   zookeeper.ssl.keyStore.location=
   zookeeper.ssl.keyStore.type=
   zookeeper.ssl.keyStore.password=
   zookeeper.ssl.trustStore.location=
   zookeeper.ssl.trustStore.type=
   zookeeper.ssl.trustStore.password=
   zookeeper.ssl.quorum.keyStore.location=
   zookeeper.ssl.quorum.keyStore.type=
   zookeeper.ssl.quorum.keyStore.password=
   zookeeper.ssl.quorum.trustStore.location=
   zookeeper.ssl.quorum.trustStore.type=
   zookeeper.ssl.quorum.trustStore.password=
   ```
   
   If you require SSL hostname verification, you'll want to connect to your advertised hostname something like this, since you probably haven't added localhost as a subject alternative name, and the server would block the connection otherwise:
   
   ```
   zkCli.sh -server $HOSTNAME:2281 -client-configuration client.cfg
   ```
   
   Someone with more time on their hands can feel free to find the correct places in the project to document this.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
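
An added example, not part of the original comment or of the ZooKeeper project: a small Python lint for the client configuration file described in the comment above. The function names, finding messages and sample file are constructed here; it assumes plain `key=value` lines and checks only the two TLS settings shown in the comment, unprefixed keys, store locations left blank, and file permissions when store passwords are present.

```python
import os
import stat
import tempfile

# Settings the comment above uses to switch the client to TLS.
EXPECTED = {
    "zookeeper.client.secure": "true",
    "zookeeper.clientCnxnSocket": "org.apache.zookeeper.ClientCnxnSocketNetty",
}
# Constructed sample: unprefixed key, blank location, no Netty socket, a password.
SAMPLE = """\
zookeeper.client.secure=true
ssl.keyStore.location=/etc/zk/client.jks
zookeeper.ssl.trustStore.location=
zookeeper.ssl.trustStore.password=example-only
"""

def lint_client_config(path):
    """Return findings for a client configuration file (key=value lines only)."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in map(str.strip, fh):
            if line and line[0] not in "#!":  # skip blanks and comments
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
    findings = []
    for key, value in props.items():
        if not key.startswith("zookeeper."):  # zoo.cfg-style name copied as-is
            findings.append(f"{key}: missing 'zookeeper.' prefix")
        elif key.endswith(".location") and not value:  # template line left blank
            findings.append(f"{key}: store location left empty")
    for key, want in EXPECTED.items():
        if props.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {props.get(key)!r}")
    # Store passwords are in clear text here, so the file should be owner-only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077 and any(k.endswith(".password") and v for k, v in props.items()):
        findings.append(f"mode {mode:03o}: group/other access to a file with passwords")
    return findings

def demo():
    """Lint SAMPLE from a temp file created with mode 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client.cfg")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return lint_client_config(path)
```

Calling `lint_client_config("client.cfg")` on a real file returns an empty list when none of these checks fire.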