Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/09/30 18:40:32 UTC

[GitHub] [pulsar] itskannanraj commented on issue #6236: SSL/TLS Configuration for Zookeeper,BookKeeper and Pulsar

itskannanraj commented on issue #6236:
URL: https://github.com/apache/pulsar/issues/6236#issuecomment-931570875


   > @sijie @skyrocknroll @rounak11, I did not have time to prepare a document when I completed enabling TLS in February. Hope the following config is helpful: bin/pulsar (sh file) and conf files.
   > 
   > # ZooKeeper:
   > ```
   > elif [ $COMMAND == "zookeeper" ]; then
   >     PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"zookeeper.log"}
   >     ZK_OPTS=" -Dzookeeper.4lw.commands.whitelist=* -Dzookeeper.snapshot.trust.empty=true -Djava.security.auth.login.config=conf/zk_jaas.conf -Dzookeeper.requireClientAuthScheme=sasl -Dzookeeper.sasl.client=true -Dzookeeper.sasl.clientconfig=Client -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory -Dzookeeper.ssl.keyStore.location=keys/KeyStore.jks -Dzookeeper.ssl.keyStore.password=keys/jkspassword -Dzookeeper.ssl.trustStore.location=keys/TrustStore.jks -Dzookeeper.ssl.trustStore.password=keys/jkspassword  -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider -Dzookeeper.authProvider.2=org.apache.zookeeper.server.auth.SASLAuthenticationProvider -Dzookeeper.authProvider.3=org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
   > ```
   > 
   > # zookeeper.conf:
   > ```
   > secureClientPort=2281
   > 
   > quorum.auth.enableSasl=true
   > quorum.auth.learnerRequireSasl=true
   > quorum.auth.serverRequireSasl=true
   > quorum.auth.learner.saslLoginContext=QuorumLearner
   > quorum.auth.server.saslLoginContext=QuorumServer
   > 
   > requireClientAuthScheme=sasl
   > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   > authProvider.2=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   > authProvider.3=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   > ```
   > 
   > # Bookkeeper:
   > ```
   > elif [ $COMMAND == "bookie" ]; then
   >     PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"bookkeeper.log"}
   >     # Pass BOOKIE_EXTRA_OPTS option defined in pulsar_env.sh
   >     BOOKIE_EXTRA_OPTS=" -Djavax.net.debug=all -Djavax.net.debug=ssl:handshake:verbose -Dzookeeper.client.secure=true -Djava.security.auth.login.config=conf/bk_jaas.conf"
   >     OPTS="$OPTS $BOOKIE_EXTRA_OPTS"
   >     exec $JAVA $OPTS -Dpulsar.log.file=$PULSAR_LOG_FILE org.apache.bookkeeper.proto.BookieServer --conf $PULSAR_BOOKKEEPER_CONF $@
   > ```
   > 
   > # bookkeeper.conf:
   > ```
   > tlsProvider=OpenSSL
   > tlsProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
   > tlsClientAuthentication=true
   > tlsEnabledProtocols=TLSv1.2
   > tlsKeyStoreType=JKS
   > tlsKeyStore=bookie.keystore.jks
   > tlsKeyStorePasswordPath=bookie.keystore.passwd
   > tlsTrustStoreType=JKS
   > tlsTrustStore=bookie.truststore.jks
   > tlsTrustStorePasswordPath=bookie.truststore.passwd
   > clientTrustStore=client.truststore.jks
   > clientTrustStorePasswordPath=client.truststore.passwd
   > clientKeyStore=client.keystore.jks
   > clientKeyStorePasswordPath=client.keystore.passwd
   > ```
   > 
   > # Pulsar(Broker):
   > ```
   > if [ $COMMAND == "broker" ]; then
   >     PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"pulsar-broker.log"}
   >     exec $JAVA $OPTS -Djavax.net.debug=all -Djavax.net.debug=ssl:handshake:verbose -Djava.security.auth.login.config=bk_jaas.conf $ASPECTJ_AGENT -Dpulsar.log.file=$PULSAR_LOG_FILE org.apache.pulsar.PulsarBrokerStarter --broker-conf $PULSAR_BROKER_CONF $@
   > ```
   > 
   > # broker.conf
   > ```
   > tlsEnabled=true
   > tlsCertRefreshCheckDurationSec=300
   > tlsCertificateFilePath=tls.crt.pem
   > tlsKeyFilePath=tls.key.pem
   > tlsTrustCertsFilePath=ca.cert.pem
   > tlsAllowInsecureConnection=false
   > tlsProtocols=TLSv1.2,TLSv1.1
   > tlsRequireTrustedClientCertOnConnect=false
   > authenticationEnabled=true
   > authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
   > authorizationEnabled=false
   > authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
   > brokerClientTlsEnabled=true
   > brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
   > brokerClientAuthenticationParameters=tlsCertFile:tls.crt.pem,tlsKeyFile:tls.key.pem
   > brokerClientTrustCertsFilePath=ca.cert.pem
   > bookkeeperTLSProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
   > bookkeeperTLSClientAuthentication=true
   > bookkeeperTLSKeyFileType=JKS
   > bookkeeperTLSTrustCertTypes=JKS
   > bookkeeperTLSKeyStorePasswordPath=bookie.keystore.passwd
   > bookkeeperTLSTrustStorePasswordPath=bookie.truststore.passwd
   > ```
   
   @hari819 could you paste the jaas.conf file here?
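Added example, not part of the thread and not Pulsar project code: a small Python audit script that parses the `broker.conf` key=value style and the `-D` system-property style used in the quoted reply and flags the settings a reviewer would question before shipping them (the `TLSv1.1` entry in `tlsProtocols`, `authorizationEnabled=false` next to `authenticationEnabled=true`, `tlsRequireTrustedClientCertOnConnect=false`, the `javax.net.debug` flags, `zookeeper.4lw.commands.whitelist=*`, and keystore passwords passed on the command line). The sample inputs are constructed from the values quoted above; the "hardened" variant is an assumption about what a production broker would use, not something the thread states.

```python
"""Audit helpers for Pulsar/BookKeeper/ZooKeeper TLS settings.

Added example (not Pulsar's own code). Property names match the ones used in
the configs quoted in the thread; the sample inputs are constructed from them.
"""
import re

# Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) or older.
DEPRECATED_TLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_properties(text):
    """Parse a Java-style properties file: key=value per line, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _is_true(props, key, default="false"):
    return props.get(key, default).strip().lower() == "true"


def audit_broker_conf(props):
    """Return human-readable findings for a parsed broker.conf."""
    findings = []
    protocols = [p.strip() for p in props.get("tlsProtocols", "").split(",") if p.strip()]
    weak = sorted(DEPRECATED_TLS.intersection(protocols))
    if weak:
        findings.append("tlsProtocols enables deprecated versions: " + ", ".join(weak))
    if _is_true(props, "tlsAllowInsecureConnection"):
        findings.append("tlsAllowInsecureConnection=true disables certificate validation")
    if _is_true(props, "authenticationEnabled") and not _is_true(props, "authorizationEnabled"):
        findings.append("authorizationEnabled=false: every authenticated client gets full access")
    if _is_true(props, "tlsEnabled") and not _is_true(props, "tlsRequireTrustedClientCertOnConnect"):
        findings.append("tlsRequireTrustedClientCertOnConnect=false: a client certificate is not "
                        "required at the TLS layer; only the auth provider enforces it")
    return findings


def audit_jvm_opts(opts):
    """Check a string of -Dkey=value options as assembled in bin/pulsar."""
    findings = []
    debug_reported = False
    for key, value in re.findall(r"-D([\w.]+)=(\S*)", opts):
        if key == "javax.net.debug":
            if not debug_reported:  # the quoted script sets it twice; report once
                findings.append("javax.net.debug is set: TLS handshake details go to the log; "
                                "remove for production")
                debug_reported = True
        elif key == "zookeeper.4lw.commands.whitelist" and value == "*":
            findings.append("zookeeper.4lw.commands.whitelist=*: every four-letter-word admin "
                            "command is enabled; list only the ones actually used")
        elif key.lower().endswith("password"):
            findings.append(key + ": secret passed on the command line is readable "
                            "from the process list; prefer a *.passwordPath style file")
    return findings


# Constructed sample: the broker.conf settings as quoted in the thread.
BROKER_CONF_AS_POSTED = """\
tlsEnabled=true
tlsAllowInsecureConnection=false
tlsProtocols=TLSv1.2,TLSv1.1
tlsRequireTrustedClientCertOnConnect=false
authenticationEnabled=true
authorizationEnabled=false
"""

# Constructed sample: an assumed hardened variant of the same keys.
BROKER_CONF_HARDENED = """\
tlsEnabled=true
tlsAllowInsecureConnection=false
tlsProtocols=TLSv1.2
tlsRequireTrustedClientCertOnConnect=true
authenticationEnabled=true
authorizationEnabled=true
"""

# Constructed sample: a subset of the ZK_OPTS / broker -D flags quoted in the thread.
ZK_OPTS_AS_POSTED = (
    " -Dzookeeper.4lw.commands.whitelist=* -Djavax.net.debug=all"
    " -Djavax.net.debug=ssl:handshake:verbose"
    " -Dzookeeper.ssl.keyStore.password=keys/jkspassword"
    " -Dzookeeper.ssl.trustStore.password=keys/jkspassword"
    " -Dzookeeper.client.secure=true"
)

if __name__ == "__main__":
    for label, conf in (("as posted", BROKER_CONF_AS_POSTED), ("hardened", BROKER_CONF_HARDENED)):
        print(f"broker.conf ({label}):")
        for f in audit_broker_conf(parse_properties(conf)) or ["no findings"]:
            print("  -", f)
    print("JVM options:")
    for f in audit_jvm_opts(ZK_OPTS_AS_POSTED):
        print("  -", f)
```

The audit only reads the same keys the quoted configs use, so it can be pointed at a real `broker.conf` and at the `OPTS` string from `bin/pulsar` without adaptation; anything it does not recognise is ignored rather than reported.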


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.