Hi Team,

We need some help regarding a CA (certificate authority) change in Kafka. Currently we are connecting to Kafka using an SSL implementation.

The Kafka version used is 1.1.1. Below is server.properties:

listeners=INT://$PVT_HOST_NAME:9094,EXT://$PVT_HOST_NAME:9092
advertised.listeners=INT://$PVT_HOST_NAME:9094,EXT://$PUB_HOST_NAME:9092
ssl.keystore.location=$SSL_DIR/broker.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=$SSL_DIR/broker.truststore.jks
SUPER_USERS_CONFIG=$SUPER_USERS_CONFIG"User:CN=br$c.broker.kafka-$CLUSTER_NAME-$ENV,OU=broker,O=server
listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,EXT:SSL,INT:PLAINTEXT
inter.broker.listener.name=INT

Options tried:

1. Generating new certificates and updating them into the existing keystore and truststore (we observe that the client is able to connect using only one CA; either the old CA or the new CA is accepted).
2. Only private keys in the keystore and root certs in the truststore (we observe that the client is able to connect using only one CA; either the old CA or the new CA is accepted).
3. Multiple keystore and truststore files using a comma-separated format (client connection is not working at all), e.g.:

ssl.keystore.location=$SSL_DIR/broker-oldca.keystore.jks,$SSL_DIR/broker-newca.keystore.jks
ssl.truststore.location=$SSL_DIR/broker-oldca.truststore.jks,broker-newca.truststore.jks

Can anyone please help us with this, as this change in authority will cause an outage and connection issues with existing clients.

Current Result: only one certificate is working, either the old one or the new one.
Expected Result: both certificates (keystore & truststore) should work, the old one and the new one.
Validation process: After updating the broker certificates we are trying to connect to the broker (from Kafka Tool) by using consumer certificates.

Thanks & Regards,
R. Naresh Kumar
LCG-DF DevOps Engineer
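
The trust side of the overlap described in options 1 and 2, as an added example that is not part of the original message: a constructed old and new CA each sign a consumer certificate, and `openssl verify` is run against each root alone and against a bundle holding both. It uses plain PEM files and OpenSSL rather than Kafka or JKS stores, and every name in it (old-ca, new-ca, consumer-old, consumer-new) is an assumption.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed root CA (NAME.key / NAME.crt).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=server/OU=ca/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA NAME: create a client key and a certificate signed by CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=server/OU=consumer/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 1 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# trusts BUNDLE CERT: succeed only if CERT chains to a root in BUNDLE.
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca old-ca
make_ca new-ca
issue_client old-ca consumer-old
issue_client new-ca consumer-new

# Transition trust bundle: both roots side by side in one file.
cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/both-ca.pem"

# Print the acceptance matrix: each client cert against each trust set.
for cert in consumer-old consumer-new; do
  for bundle in old-ca.crt new-ca.crt both-ca.pem; do
    if trusts "$WORK/$bundle" "$WORK/$cert.crt"; then r=accepted; else r=rejected; fi
    printf '%-13s against %-12s %s\n' "$cert" "$bundle" "$r"
  done
done
```

The same comparison can be made against real stores by exporting the roots from each truststore to PEM first and substituting the actual consumer certificates for the constructed ones.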