
How to run kafka in SSL Mode

Original post by rabbit_lei, last modified 2024-06-12 14:33:46

Authentication differs between SSL mode and SASL_SSL mode: SSL mode uses the keystore (holding the client's private key and the client certificate signed by the CA) to authenticate the client, while SASL_SSL authenticates through its own mechanism such as username/password or an OAuth token. For SASL_SSL mode please refer to the article How to run kafka in SASL_SSL.

  1. Generate the 'keystore' and 'truststore' on your kafka broker, please refer to the article How to run kafka in SASL_SSL Mode.
  2. Now configure the kafka server.properties file as below; this puts the broker in SSL mode on port 9093.

```properties
listeners=SSL://localhost:9093
advertised.listeners=SSL://localhost:9093
security.inter.broker.protocol=SSL
# the sasl.* settings below are not used by an SSL-only listener; they are harmless leftovers from the SASL_SSL setup
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN

# ssl configurations
ssl.keystore.location=/path_to/kafka.keystore
ssl.keystore.type=pkcs12
ssl.keystore.password=yourpass
ssl.key.password=yourpass
ssl.truststore.location=/path_to/kafka.truststore
ssl.truststore.type=pkcs12
ssl.truststore.password=yourpass
ssl.client.auth=required
```

  • Be careful with the store type settings: we must set them to 'pkcs12' because that is the format we generated the stores in. If we don't specify them, the default type is 'jks' and the broker will fail to load the stores with an error.

```properties
ssl.keystore.type=pkcs12
ssl.truststore.type=pkcs12
```
  • Also be careful with the client auth setting 'ssl.client.auth'. If we don't set it, only the broker is verified: the client checks that the broker certificate is signed by a valid CA, and the client (consumer/producer) only needs the ssl.truststore.* settings. If we set it to "required", the broker will also verify that the client certificate is signed by a valid CA, so the client additionally needs the ssl.keystore.* settings.

```properties
ssl.client.auth=required
```
  • Then start zookeeper and kafka-server in different consoles; the kafka server is now set up correctly and running.

```bat
zookeeper-server-start.bat .\config\zookeeper.properties
kafka-server-start.bat .\config\server.properties
```

  3. Next we need to modify consumer.properties/producer.properties to allow connecting to port 9093 with protocol SSL. You can also copy the following content to a file 'client.properties' for kafka-topics.bat to use.

```properties
# only the SSL listener on 9093 exists in the server.properties above
bootstrap.servers=localhost:9093
# the listener is SSL, so the client must use security.protocol=SSL;
# sasl.mechanism and sasl.jaas.config from the SASL_SSL article are not used here
security.protocol=SSL

# ssl configurations
ssl.truststore.location=/path_to/kafka.truststore
ssl.truststore.type=pkcs12
ssl.truststore.password=yourpass
# the following keystore settings are not needed if the server was not started with 'ssl.client.auth=required'
ssl.keystore.location=/path_to/kafka.keystore
ssl.keystore.type=pkcs12
ssl.keystore.password=yourpass
```
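As an added example (not code from the article), the small Python checker below reads a broker server.properties and a client.properties and reports the three mismatches the bullets above warn about: a client security.protocol that matches no broker listener, a store whose type is left unset (so it is read as JKS), and a missing client keystore when the broker has ssl.client.auth=required. All property text in it is constructed from the article's snippets.

```python
# Added example (not from the article): cross-check a Kafka broker's server.properties against
# a client.properties for the SSL-mode pitfalls discussed above; all property text is constructed.

def parse_properties(text):
    # Minimal Java .properties reader; only the first '=' splits, so jaas values survive intact.
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_client_against_broker(server_text, client_text):
    # Returns human-readable misconfigurations; an empty list means the pair is consistent.
    server, client = parse_properties(server_text), parse_properties(client_text)
    problems = []
    # listeners=SSL://host:9093,PLAINTEXT://host:9092 -> {'SSL', 'PLAINTEXT'}
    protos = {u.strip().split("://")[0] for u in server.get("listeners", "").split(",") if u.strip()}
    proto = client.get("security.protocol", "PLAINTEXT")
    if proto not in protos:
        problems.append(f"client security.protocol={proto} matches no broker listener {sorted(protos)}")
    # A store whose type is left unset is read as JKS, which fails for a PKCS12 file
    for side, props in (("broker", server), ("client", client)):
        for store in ("keystore", "truststore"):
            if f"ssl.{store}.location" in props and f"ssl.{store}.type" not in props:
                problems.append(f"{side}: ssl.{store}.type not set, defaults to JKS")
    if proto.endswith("SSL"):  # SSL or SASL_SSL: TLS is in use
        if "ssl.truststore.location" not in client:
            problems.append("client: no ssl.truststore.location, cannot verify the broker")
        if server.get("ssl.client.auth") == "required" and "ssl.keystore.location" not in client:
            problems.append("client: broker requires mutual TLS but no ssl.keystore.location")
    return problems

BROKER_PROPS = """listeners=SSL://localhost:9093
ssl.keystore.location=/path_to/kafka.keystore
ssl.keystore.type=pkcs12
ssl.truststore.location=/path_to/kafka.truststore
ssl.truststore.type=pkcs12
ssl.client.auth=required"""
# Wrong protocol for this listener, truststore type unset, and no keystore despite mutual TLS
BAD_CLIENT_PROPS = """security.protocol=SASL_SSL
ssl.truststore.location=/path_to/kafka.truststore"""
GOOD_CLIENT_PROPS = """security.protocol=SSL
ssl.truststore.location=/path_to/kafka.truststore
ssl.truststore.type=pkcs12
ssl.keystore.location=/path_to/kafka.keystore
ssl.keystore.type=pkcs12"""
```

Calling check_client_against_broker(BROKER_PROPS, BAD_CLIENT_PROPS) returns three findings, while GOOD_CLIENT_PROPS returns an empty list.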
  • Test the SSL connection with the following command

```bat
openssl s_client -connect localhost:9093 -tls1_2
```

If everything runs correctly, you should see output like the following:

```text
Connecting to 20.36.258.36
CONNECTED(00000194)
```
  • Create and list a topic on port 9093 in SSL mode

```bat
kafka-topics.bat --create --topic gaming-events --bootstrap-server localhost:9093 --command-config ./config/client.properties
kafka-topics.bat --list --bootstrap-server localhost:9093 --command-config ./config/client.properties
```

  • Run the consumer on port 9093 in SSL mode

```bat
kafka-console-consumer.bat --topic gaming-events --from-beginning --bootstrap-server localhost:9093 --consumer.config ./config/consumer.properties
```

  • Run the producer on port 9093 in SSL mode

```bat
kafka-console-producer.bat --topic gaming-events --bootstrap-server localhost:9093 --producer.config ./config/producer.properties
```

Originality statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

If you believe it infringes your rights, please contact cloudcommunity@tencent.com for removal.
