Posted to users@kafka.apache.org by cs user <ac...@gmail.com> on 2016/07/18 14:00:20 UTC
SSL / SASL_SSL questions
Hi All,
I have a question about the config I have working, and whether or not all
traffic is being encrypted when sent via the client.
Let's say I have the following settings; I'm only including the relevant
parameters:
Broker config:
listeners=SASL_SSL://:9092,SSL://:9093
log.message.format.version=0.10.0.0
port=9092
sasl.mechanism.inter.broker.protocol=SSL
sasl.enabled.mechanisms=PLAIN,SSL
security.inter.broker.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=somepassword
ssl.key.password=somepassword
ssl.truststore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.truststore.password=somepassword
Client config, clients connect to the cluster on port 9092 (SASL_SSL)
PROPS.put("security.protocol","SASL_SSL");
PROPS.put("sasl.mechanism", "PLAIN");
PROPS.put("ssl.truststore.location","/some/location/kafka.client.truststore.jks");
PROPS.put("ssl.truststore.password","somepassword");
In this scenario, I believe that traffic between the servers is being
encrypted via TLS and authentication is being provided by TLS.
By giving a false password, I can confirm that client->broker connections
are being authenticated using the JAAS method. Once I put in the correct
password the producer is able to connect and send messages.
However, how about client->broker communication? Once authentication has
completed, is all future traffic which is sent also encrypted with TLS?
Thanks in advance for any responses.
Cheers!
Re: SSL / SASL_SSL questions
Posted by Ismael Juma <is...@juma.me.uk>.
Hi,
Comments inline.
On Mon, Jul 18, 2016 at 3:00 PM, cs user <ac...@gmail.com> wrote:
> sasl.mechanism.inter.broker.protocol=SSL
>
This should be GSSAPI or PLAIN.
> sasl.enabled.mechanisms=PLAIN,SSL
>
Valid values for this are PLAIN and GSSAPI (unless you add your own SASL
mechanism).
> In this scenario, I believe that traffic between the servers is being
> encrypted via TLS
Yes.
> and authentication is being provided by TLS.
>
Authentication is being provided by SASL since your client is using the
SASL_SSL security protocol. If you want to use TLS for authentication, set
the security protocol to SSL and configure the client keystore.
> However how about client->broker communication? Once authentication has
> completed, is all future traffic which is sent also encrypted with TLS?
>
If you use SASL_SSL or SSL security protocols, all communication is
encrypted. If encryption is a requirement, you should only enable SASL_SSL
and/or SSL listeners. There is a separate config for inter-broker
communication (security.inter.broker.protocol).
Hope this helps.
Ismael
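The points Ismael makes above (which listener protocols encrypt, where authentication comes from under SSL versus SASL_SSL, and which values are valid SASL mechanisms) can be turned into a small config check. The following is an added example, not code from the original thread or from the Kafka project; it assumes the Kafka 0.10-era built-in mechanism set (PLAIN and GSSAPI) and parses the broker config from the first post, embedded inline as constructed sample input.

```python
"""Lint a Kafka broker config for the mistakes discussed in the thread.
Added example; assumes Kafka 0.10-era built-ins (mechanisms PLAIN/GSSAPI,
protocols PLAINTEXT/SSL/SASL_PLAINTEXT/SASL_SSL). Not Kafka's own code."""

# security protocol -> (encrypted on the wire, how the peer is authenticated)
SECURITY_PROTOCOLS = {
    "PLAINTEXT": (False, "none"),
    "SSL": (True, "TLS client certificate"),
    "SASL_PLAINTEXT": (False, "SASL"),
    "SASL_SSL": (True, "SASL"),
}

# SASL mechanisms shipped with Kafka 0.10.0 (custom mechanisms would be added here).
BUILTIN_SASL_MECHANISMS = {"PLAIN", "GSSAPI"}

# Broker config as posted in the thread (constructed copy of the post's values).
THREAD_BROKER_CONFIG = """
listeners=SASL_SSL://:9092,SSL://:9093
log.message.format.version=0.10.0.0
port=9092
sasl.mechanism.inter.broker.protocol=SSL
sasl.enabled.mechanisms=PLAIN,SSL
security.inter.broker.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=somepassword
ssl.key.password=somepassword
ssl.truststore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.truststore.password=somepassword
"""

# The same config with the two values Ismael corrected.
CORRECTED_BROKER_CONFIG = THREAD_BROKER_CONFIG.replace(
    "sasl.mechanism.inter.broker.protocol=SSL", "sasl.mechanism.inter.broker.protocol=PLAIN"
).replace("sasl.enabled.mechanisms=PLAIN,SSL", "sasl.enabled.mechanisms=PLAIN")


def parse_properties(text):
    """Minimal Java .properties parser: key=value per line, '#'/'!' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_listeners(value):
    """'SASL_SSL://:9092,SSL://:9093' -> [('SASL_SSL', ':9092'), ('SSL', ':9093')]"""
    out = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            proto, _, addr = entry.partition("://")
            out.append((proto.upper(), addr))
    return out


def describe_client(security_protocol, has_keystore=False):
    """What a client gets from a given security.protocol, as the thread explains it."""
    proto = security_protocol.upper()
    encrypted, auth = SECURITY_PROTOCOLS[proto]
    if proto == "SSL" and not has_keystore:
        # Server-only TLS: encrypted, but the client presents no identity.
        auth = "none (configure a client keystore for TLS authentication)"
    return {"encrypted": encrypted, "authentication": auth}


def lint_broker_config(text, require_encryption=True):
    """Return a list of (severity, message) findings for a broker config string."""
    props = parse_properties(text)
    findings = []
    listeners = parse_listeners(props.get("listeners") or "PLAINTEXT://:" + props.get("port", "9092"))
    listener_protocols = {p for p, _ in listeners}

    # 1. Every listener must be a known protocol; unencrypted ones are flagged.
    for proto, addr in listeners:
        if proto not in SECURITY_PROTOCOLS:
            findings.append(("error", f"unknown listener protocol {proto} on {addr}"))
        elif require_encryption and not SECURITY_PROTOCOLS[proto][0]:
            findings.append(("error", f"listener {proto}://{addr} is unencrypted; only SSL/SASL_SSL listeners should be enabled"))

    # 2. sasl.enabled.mechanisms may only name real SASL mechanisms (not 'SSL').
    enabled = {m.strip().upper() for m in props.get("sasl.enabled.mechanisms", "GSSAPI").split(",") if m.strip()}
    for mech in sorted(enabled - BUILTIN_SASL_MECHANISMS):
        findings.append(("error", f"sasl.enabled.mechanisms contains {mech!r}; valid values are PLAIN and GSSAPI"))

    # 3. The inter-broker protocol must be served by a listener and, if required, be encrypted.
    ib_proto = props.get("security.inter.broker.protocol", "PLAINTEXT").upper()
    if ib_proto not in listener_protocols:
        findings.append(("error", f"security.inter.broker.protocol={ib_proto} has no matching listener"))
    elif require_encryption and not SECURITY_PROTOCOLS[ib_proto][0]:
        findings.append(("error", f"inter-broker traffic over {ib_proto} is unencrypted"))

    # 4. The inter-broker SASL mechanism must itself be a SASL mechanism, and enabled.
    ib_mech = props.get("sasl.mechanism.inter.broker.protocol")
    if ib_mech is not None:
        ib_mech = ib_mech.upper()
        if ib_mech not in BUILTIN_SASL_MECHANISMS:
            findings.append(("error", f"sasl.mechanism.inter.broker.protocol={ib_mech} should be GSSAPI or PLAIN"))
        elif ib_proto.startswith("SASL_") and ib_mech not in enabled:
            findings.append(("error", f"inter-broker mechanism {ib_mech} is not in sasl.enabled.mechanisms"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_BROKER_CONFIG), ("corrected", CORRECTED_BROKER_CONFIG)):
        print(name, lint_broker_config(cfg) or "no findings")
    print(describe_client("SASL_SSL"), describe_client("SSL"), describe_client("SSL", has_keystore=True))
```

Run against the posted config the linter reports exactly the two values Ismael corrected (the `SSL` entry in `sasl.enabled.mechanisms` and `sasl.mechanism.inter.broker.protocol=SSL`); against the corrected config it reports nothing, and a config that adds a `PLAINTEXT://` listener is flagged because, as the reply says, encryption only holds if every enabled listener is SSL or SASL_SSL.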