I have to add encryption and authentication with SSL in Kafka.
This is what I have done:
- 1) Generate a certificate for each Kafka broker:
Command: keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey
- 2) Create CA. The generated CA is a public-private key pair and certificate used to sign other certificates. A CA is responsible for signing certificates.
Command: openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
- 3) Sign all broker certificates with the generated CA:
Export the certificate from the keystore: keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
Sign it with the CA: openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days {validity} -CAcreateserial -passin pass:{ca-password}
- 4) Import both the certificate of the CA and the signed certificate into the keystore:
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
- 5) Import CA to client truststore and broker/server truststore:
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
- 6) Add these lines to the server.properties configuration:
listeners=PLAINTEXT://localhost:9092, SSL://localhost:9192
ssl.client.auth=required
ssl.keystore.location=/home/xrobot/kafka_2.12-2.1.0/certificate/server.keystore.jks
ssl.keystore.password=blablabla
ssl.key.password=blablabla
ssl.truststore.location=/home/xrobot/kafka_2.12-2.1.0/certificate/server.truststore.jks
ssl.truststore.password=blablabla
security.inter.broker.protocol=SSL
The problem is that when I start Kafka, I get this error:
[2019-02-26 19:03:59,783] INFO [KafkaServer id=0] started (kafka.server.KafkaServer)
[2019-02-26 19:04:00,011] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2019-02-26 19:04:00,178] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2019-02-26 19:04:00,319] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 (localhost/127.0.0.1:9192) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
Why?
I used your shared steps to generate the certificates and configured them at the Kafka and Spring Boot producer and consumer level; all are working fine.
I also got the same error, but I did the following configuration.
You can add the following line to server.properties:
ssl.endpoint.identification.algorithm=
Higher versions of Kafka do host verification, so you can skip it by adding the above line to server.properties.
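Worked example added here (not code from the question or from either answer): the same CA-and-sign procedure as steps 2 to 4 of the question, done with openssl alone, but with the broker host placed in a Subject Alternative Name so that the default hostname check which the answer above switches off with an empty ssl.endpoint.identification.algorithm can stay enabled. The host name localhost, the working directory, the file names and the store password are assumed placeholders; the keystore is written as PKCS12, which Kafka loads when ssl.keystore.type=PKCS12 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answers): issue a CA-signed broker
# certificate that names the listener host in a Subject Alternative Name, so the
# hostname check Kafka performs by default (ssl.endpoint.identification.algorithm=https)
# passes without being blanked out. Only openssl is used; the keystore is written
# as PKCS12, which Kafka loads with ssl.keystore.type=PKCS12.
# Host name, directory, file names and store password are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
BROKER_HOST="${BROKER_HOST:-localhost}"
DAYS=365
STORE_PASS="example-store-password"   # placeholder; use a real secret outside this demo

# Step 1: CA key pair and self-signed CA certificate (no interactive prompts).
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/CN=Example Kafka CA" \
    -keyout "$WORKDIR/ca-key" -out "$WORKDIR/ca-cert" >/dev/null 2>&1
}

# Step 2: broker key pair and certificate signing request.
make_broker_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$BROKER_HOST" \
    -keyout "$WORKDIR/broker-key" -out "$WORKDIR/broker.csr" >/dev/null 2>&1
}

# Step 3: sign the CSR with the CA. "openssl x509 -req" does not copy extensions
# from the CSR, so the SAN is supplied through -extfile. A certificate whose only
# name is a CN that differs from the listener host is what fails the hostname check.
sign_broker_cert() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$BROKER_HOST" > "$WORKDIR/broker.ext"
  openssl x509 -req -sha256 -days "$DAYS" -in "$WORKDIR/broker.csr" \
    -CA "$WORKDIR/ca-cert" -CAkey "$WORKDIR/ca-key" -CAcreateserial \
    -extfile "$WORKDIR/broker.ext" -out "$WORKDIR/broker-cert" >/dev/null 2>&1
}

# Step 4: bundle key, signed certificate and CA certificate into one PKCS12 keystore.
make_keystore() {
  openssl pkcs12 -export -name "$BROKER_HOST" \
    -inkey "$WORKDIR/broker-key" -in "$WORKDIR/broker-cert" \
    -certfile "$WORKDIR/ca-cert" \
    -out "$WORKDIR/server.keystore.p12" -passout "pass:$STORE_PASS" >/dev/null 2>&1
}

# The two checks a peer applies during the handshake: the chain must end at the
# trusted CA, and the certificate must be valid for the host being connected to.
# Returns 0 when both hold, non-zero otherwise.
verify_for_host() {
  openssl verify -CAfile "$WORKDIR/ca-cert" -verify_hostname "$1" \
    "$WORKDIR/broker-cert" >/dev/null 2>&1
}

# server.properties lines that match the files produced above. The CA certificate
# still goes into the truststores exactly as in step 5 of the question.
print_config() {
cat <<EOF
listeners=SSL://$BROKER_HOST:9192
security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.keystore.type=PKCS12
ssl.keystore.location=$WORKDIR/server.keystore.p12
ssl.keystore.password=$STORE_PASS
# ssl.endpoint.identification.algorithm is intentionally left at its default (https)
EOF
}

issue_all() {
  make_ca && make_broker_csr && sign_broker_cert && make_keystore
}

issue_all
print_config
```

The truststore steps from the question (importing ca-cert into server.truststore.jks and client.truststore.jks with keytool) apply unchanged, since only the keystore format differs. The verify_for_host function is the same check the Kafka client performs when ssl.endpoint.identification.algorithm is left at its default: a mismatch between the name in the certificate and the host in the listener is reported as a failed handshake, which is why issuing the certificate for the right host fixes the error without disabling the check.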