Posted to users@kafka.apache.org by cs user <ac...@gmail.com> on 2016/07/18 14:00:20 UTC

SSL / SASL_SSL questions

Hi All,

I have a question about the config I have working, and whether or not all
traffic is being encrypted when sent via the client.

Let's say I have the following settings; I'm only including the relevant
parameters:


Broker config:

listeners=SASL_SSL://:9092,SSL://:9093
log.message.format.version=0.10.0.0
port=9092
sasl.mechanism.inter.broker.protocol=SSL
sasl.enabled.mechanisms=PLAIN,SSL
security.inter.broker.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=somepassword
ssl.key.password=somepassword
ssl.truststore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.truststore.password=somepassword


Client config, clients connect to the cluster on port 9092 (SASL_SSL)

PROPS.put("security.protocol","SASL_SSL");
PROPS.put("sasl.mechanism", "PLAIN");
PROPS.put("ssl.truststore.location","/some/location/kafka.client.truststore.jks");
PROPS.put("ssl.truststore.password","somepassword");


In this scenario, I believe that traffic between the servers is being
encrypted via TLS and authentication is being provided by TLS.

By giving a false password, I can confirm that client->broker connections
are being authenticated using the JAAS method. Once I put in the correct
password the producer is able to connect and send messages.

However, how about client->broker communication? Once authentication has
completed, is all future traffic which is sent also encrypted with TLS?

Thanks in advance for any responses.

Cheers!

Re: SSL / SASL_SSL questions

Posted by Ismael Juma <is...@juma.me.uk>.
Hi,

Comments inline.

On Mon, Jul 18, 2016 at 3:00 PM, cs user <ac...@gmail.com> wrote:

> sasl.mechanism.inter.broker.protocol=SSL
>

This should be GSSAPI or PLAIN.


> sasl.enabled.mechanisms=PLAIN,SSL
>

Valid values for this are PLAIN and GSSAPI (unless you add your own SASL
mechanism).

> In this scenario, I believe that traffic between the servers is being
> encrypted via TLS


Yes.


> and authentication is being provided by TLS.
>

Authentication is being provided by SASL since your client is using the
SASL_SSL security protocol. If you want to use TLS for authentication, set
the security protocol to SSL and configure the client keystore.

> However how about client->broker communication? Once authentication has
> completed, is all future traffic which is sent also encrypted with TLS?
>

If you use SASL_SSL or SSL security protocols, all communication is
encrypted. If encryption is a requirement, you should only enable SASL_SSL
and/or SSL listeners. There is a separate config for inter-broker
communication (security.inter.broker.protocol).

Hope this helps.

Ismael
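Added example (not from the thread or the Kafka project): a small checker that applies the rules from the reply above to a broker properties file, using the config from the original post as its sample input. It assumes the valid SASL mechanism set is exactly the PLAIN/GSSAPI pair named in the reply (Kafka 0.10 era; later versions add more) and that listener names are plain security protocols, as in the post.

```python
# Added example: check a Kafka 0.10-style broker config for the mistakes
# pointed out in the thread. Mechanism list assumed from the reply above.
from typing import Dict, List

VALID_SASL_MECHANISMS = {"PLAIN", "GSSAPI"}   # assumption: as stated in the reply
ENCRYPTED_PROTOCOLS = {"SSL", "SASL_SSL"}     # only these give TLS on the wire

# Constructed sample: the relevant lines of the original poster's broker config.
SAMPLE_CONFIG = """\
listeners=SASL_SSL://:9092,SSL://:9093
sasl.mechanism.inter.broker.protocol=SSL
sasl.enabled.mechanisms=PLAIN,SSL
security.inter.broker.protocol=SSL
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for .properties text (comments/blank lines skipped)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def listener_protocols(props: Dict[str, str]) -> List[str]:
    """'SASL_SSL://:9092,SSL://:9093' -> ['SASL_SSL', 'SSL'] (no listener name map assumed)."""
    return [l.split("://", 1)[0] for l in props.get("listeners", "").split(",") if l]

def check_broker_config(props: Dict[str, str], require_encryption: bool = True) -> List[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    findings: List[str] = []
    protos = listener_protocols(props)
    # sasl.enabled.mechanisms must list SASL mechanisms, not security protocols.
    for m in props.get("sasl.enabled.mechanisms", "").split(","):
        if m and m not in VALID_SASL_MECHANISMS:
            findings.append(f"sasl.enabled.mechanisms: '{m}' is not a SASL mechanism")
    # The inter-broker SASL mechanism is likewise a mechanism (PLAIN/GSSAPI), not 'SSL'.
    ibm = props.get("sasl.mechanism.inter.broker.protocol")
    if ibm and ibm not in VALID_SASL_MECHANISMS:
        findings.append(f"sasl.mechanism.inter.broker.protocol: '{ibm}' is not a SASL mechanism")
    # Inter-broker traffic is configured separately and needs a listener of that protocol.
    ibp = props.get("security.inter.broker.protocol", "PLAINTEXT")
    if ibp not in protos:
        findings.append(f"security.inter.broker.protocol '{ibp}' has no matching listener")
    # If encryption is a requirement, only SSL / SASL_SSL listeners should exist.
    if require_encryption:
        for p in protos:
            if p not in ENCRYPTED_PROTOCOLS:
                findings.append(f"listener protocol '{p}' is unencrypted; enable only SSL/SASL_SSL")
    return findings
```

Run `check_broker_config(parse_properties(SAMPLE_CONFIG))` to see the two mechanism findings from the thread; the listeners themselves pass because both are TLS.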