Kafka-SSL笔记整理
创建密钥仓库以及CA
- 创建密匙仓库,用户存储证书文件
keytool -keystore server.keystore.jks -alias hello_kafka -validity 100000 -genkey - 创建CA
openssl req -new -x509 -keyout ca-key -out ca-cert -days 100000 - 将生成的CA添加到客户端信任库
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert - 为broker提供信任库以及所有客户端签名了密钥的CA证书
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
签名证书,用自己生成的CA来签名前面生成的证书
- 签名证书,用自己生成的CA来签名前面生成的证书
keytool -keystore server.keystore.jks -alias hello_kafka -certreq -file cert-file - 用CA签名:
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 100000 -CAcreateserial -passin pass:hello123 - 导入CA的证书和已签名的证书到密钥仓库
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert keytool -keystore server.keystore.jks -alias hello_kafka -import -file cert-signed
kafka集成ssl (服务端配置)
- 修改config/server.properties配置文件
listeners=PLAINTEXT://192.168.99.51:9092,SSL://192.168.99.51:8989 advertised.listeners=PLAINTEXT://192.168.99.51:9092,SSL://192.168.99.51:8989 ssl.keystore.location=/root/tools/ca_temp/server.keystore.jks ssl.keystore.password=hello123 ssl.key.password=hello123 ssl.truststore.location=/root/tools/ca_temp/server.truststore.jks ssl.truststore.password=hello123 - 重启kafka
- 使用openssl测试ssl端口
openssl s_client -debug -connect 192.168.99.51:8989 -tls1 - 打开防火墙端口
a. firewall-cmd --zone=public --add-port=8989/tcp --permanent b. firewall-cmd --reload
kafka客户端ssl配置
- 配置修改
security.protocol=SSL ssl.endpoint.identification.algorithm= ssl.truststore.location=/root/tools/ca_temp/client.truststore.jks ssl.truststore.password=hello123