Posted to user@zookeeper.apache.org by Steve <de...@gmail.com> on 2013/12/02 17:30:33 UTC

A few questions regarding the usage/configuration of the NettyServerCnxnFactory

Hello Zookeeper-Users,

I noticed in the Zookeeper documentation that transport-layer
encryption (SSL/TLS) could now be achieved through the introduction of
a ServerCnxnFactory implementation based on Apache Netty,
org.apache.zookeeper.server.NettyServerCnxnFactory, which is available
starting with Zookeeper 3.4.  Unfortunately, there appears to be
little to no documentation surrounding this functionality.  In fact,
the pertinent sections in the Zookeeper Administrator’s Guide are
marked “TBD”.  I’ve done quite a bit of searching without much
success.  Past questions regarding this functionality seem to have
gone unanswered:

http://zookeeper-user.578899.n2.nabble.com/Netty-amp-SSL-td7579346.html

http://zookeeper-user.578899.n2.nabble.com/Zookeeper-Netty-SSL-PKI-td7578089.html

My apologies if the questions I put forth have been answered
previously or are documented elsewhere; if this is indeed the case, I
would greatly appreciate being pointed in the right direction.

1. The small amount of documentation that does exist surrounding
the Netty functionality seems to imply that the
“zookeeper.serverCnxnFactory” property is applicable to both the
client and server-side.  Is this correct, or is there a
client-specific property that should be used?

2. How does one force the server to only leverage SSL, refusing
non-encrypted connections?

3. How does one specify both the client certificate to be
presented to the server (for client-auth) and the server certificate
to be presented during incoming handshakes?


I realize that keeping documentation updated with active development
is a difficult task, especially when the time involved is essentially
donated to the community.  As I stated previously, any assistance in
this matter will be greatly appreciated (even “RTFM” if you can point
me to the right manual).


Best Regards,

Steve