RE: Inquiry about using SSL encryption and SASL authentication for Kafka without specifying IP address in SAN in the CA certificate
Hello,

Can anyone please help me regarding the below query regarding SSL communication in Kafka:

Query: Is there any way to enable the hostname verification for Kafka communication between broker and client without specifying the IP address in SAN?

Regards,
Deepak

From: Deepak Jain
Sent: 08 July 2022 01:23
To: Luke Chen
Cc: users@kafka.apache.org
Subject: Inquiry about using SSL encryption and SASL authentication for Kafka without specifying IP address in SAN in the CA certificate

Hi Luke,

We are using a Kafka 2.8.1 Broker/Client system in our prod environment with SASL_SSL communication between Kafka Clients and Broker. We are using the IP for the property “bootstrap.servers” while initiating the KafkaConsumer.

For some reason, one of our customers is unable to use the IP in the CA certificate and provided only the hostname in the SAN entry in the certificate, due to which he is getting the following exception in the logs:

org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address xx.xx.xx.xx found
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)

Even after disabling the hostname verifier, he is unable to send the data from Client to broker. He has also added the IP – hostname entry of the broker in the /etc/hosts file.

Can you please let us know:

1. Are both the IP and DNS fields mandatory in SAN for Kafka certificates?
2. If no, why is the communication failing without the IP?

Regards,
Deepak Jain
Cumulus Systems
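Added example (not part of the original message and not Kafka or JDK code): a simplified Python model of the RFC 2818 style endpoint check that produces the error quoted above, showing that a target given as an IP literal is compared only against iPAddress SAN entries. The SAN lists, the host name broker1.example.internal and the address 192.0.2.10 are constructed sample values; the CN fallback and other details of real implementations are left out.

```python
import ipaddress

# Constructed sample data: SAN entries as (type, value) pairs.
SAN_DNS_ONLY = [("DNS", "broker1.example.internal")]
SAN_DNS_AND_IP = SAN_DNS_ONLY + [("IP", "192.0.2.10")]

def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Case-insensitive; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h

def verify_endpoint(target, san_entries):
    """Return (ok, reason) for the name the client dialled."""
    if is_ip_literal(target):
        # An IP target is compared only with iPAddress entries; dNSName
        # entries are skipped and no name resolution happens in this check.
        want = ipaddress.ip_address(target)
        if any(ipaddress.ip_address(v) == want for t, v in san_entries if t == "IP"):
            return True, "matched iPAddress SAN"
        return False, f"No subject alternative names matching IP address {target} found"
    if any(dns_match(v, target) for t, v in san_entries if t == "DNS"):
        return True, "matched dNSName SAN"
    return False, f"No subject alternative DNS name matching {target} found"

if __name__ == "__main__":
    for target, san in [("192.0.2.10", SAN_DNS_ONLY),
                        ("broker1.example.internal", SAN_DNS_ONLY),
                        ("192.0.2.10", SAN_DNS_AND_IP)]:
        print(target, san, "->", verify_endpoint(target, san))
```

In this model the DNS-only certificate verifies when the client dials the host name and fails when it dials the IP, which is the situation the exception message describes.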
MM2 - mapping different replica number
Hi:

My source has 5 brokers and all topics have 5 replicas, but my target cluster has only 3 brokers and I can’t allocate 2 more. Is it possible for MM2 to change all copied topics to have 3 replicas?

Thanks
Andrew

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
Re: MM2 - mapping different replica number
Yes, you can configure replication.factor to match the target cluster.

Ryanne

On Tue, Jul 12, 2022, 12:44 PM An, Hongguo (CORP) wrote:

> Hi:
> My source has 5 brokers and all topics have 5 replicas, but my target cluster
> has only 3 brokers and I can’t allocate 2 more. Is it possible for MM2 to
> change all copied topics to have 3 replicas?
>
> Thanks
> Andrew
>
>
> This message and any attachments are intended only for the use of the
> addressee and may contain information that is privileged and confidential.
> If the reader of the message is not the intended recipient or an authorized
> representative of the intended recipient, you are hereby notified that any
> dissemination of this communication is strictly prohibited. If you have
> received this communication in error, notify the sender immediately by
> return email and delete the message and any attachments from your system.
>