Hi Mayuresh,

You need to enable client authentication by setting `ssl.client.auth` to
`required` or `requested` (I suggest the former).

Ismael

On Thu, May 12, 2016 at 10:35 PM, Mayuresh Gharat <
gharatmayures...@gmail.com> wrote:

> Hi, I am trying to establish an SSL connection from KafkaProducer and send
> a certificate to the Kafka broker.
>
>
> I deploy my Kafka broker locally, running on 2 ports:
> *listeners = PLAINTEXT://:9092,SSL://:16637 *
>
> *My KafkaBroker SSL configs look like this :*
>
> ssl.protocol = TLS
> ssl.trustmanager.algorithm = SunX509
> ssl.keymanager.algorithm = SunX509
> ssl.keystore.type = VALUE1
> ssl.keystore.location = /a/b/c
> ssl.keystore.password = xyz
> ssl.key.password = xyz
> ssl.truststore.type = JKS
> ssl.truststore.location = /u/v/w
> ssl.truststore.password = 123
>
> I run my producer locally on the same linux box as my KafkaBroker.
> My produce command looks like this :
>
> *bin/kafka-producer-perf-test.sh  --num-records 10 --topic testToic_1
> --record-size 10 --throughput 1 --producer-props *
> bootstrap.servers = localhost://:16637
> security.protocol = SSL
> ssl.protocol = TLS
> ssl.trustmanager.algorithm = SunX509
> ssl.keymanager.algorithm = SunX509
> ssl.keystore.type = VALUE1
> ssl.keystore.location = /a/b/c
> ssl.keystore.password = xyz
> ssl.key.password = xyz
> ssl.truststore.type = JKS
> ssl.truststore.location = /u/v/w
> ssl.truststore.password = 123
>
>
> On the Kafka broker, when I do this inside the buildPrincipal() API of PrincipalBuilder:
>
> SSLSession session = ((SslTransportLayer)transportLayer).sslSession();
> session.getPeerCertificates()
>
> I get:
> *org.apache.kafka.common.KafkaException:
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated*
>
>
> I ran this command as listed here
> http://kafka.apache.org/documentation.html#security_ssl :
>
> *openssl s_client -debug -connect localhost:16637 -tls1*
>
> and was able to see the certificate.
>
> I am not able to understand the peer not authenticated exception here.
> Am I missing any SSL config on producer request?
>
>
>
> --
> -Regards,
> Mayuresh R. Gharat
> (862) 250-7125
>
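
An added example, not part of this thread or of Kafka's own code: a small Python audit of the broker settings quoted above, showing that with `ssl.client.auth` absent the broker falls back to `none` and never requests a client certificate. The function names `parse_props` and `audit_client_auth` are hypothetical, the sample input is constructed from the quoted config, and listener names are assumed to equal their security protocol.

```python
# Added example: audit a Kafka broker config for TLS client authentication.
# BROKER_PROPS is constructed from the broker settings quoted in this thread.
BROKER_PROPS = """\
listeners = PLAINTEXT://:9092,SSL://:16637
ssl.protocol = TLS
ssl.keystore.location = /a/b/c
ssl.truststore.type = JKS
ssl.truststore.location = /u/v/w
"""

def parse_props(text):
    """Parse simple key=value properties, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_client_auth(text):
    """Return (mode, findings) for the broker's TLS client-auth posture."""
    props = parse_props(text)
    findings = []
    # Assumption: listener names equal the security protocol (no name mapping).
    listeners = [l.strip().upper() for l in props.get("listeners", "").split(",")]
    if not any(l.startswith("SSL://") for l in listeners):
        findings.append("no SSL listener configured")
    # When the key is absent, Kafka's default is "none".
    mode = props.get("ssl.client.auth", "none").lower()
    if mode == "none":
        findings.append("ssl.client.auth=none: broker never requests a client "
                        "certificate, so getPeerCertificates() fails with "
                        "SSLPeerUnverifiedException")
    elif mode == "requested":
        findings.append("ssl.client.auth=requested: clients without a "
                        "certificate still connect, unauthenticated")
    elif mode != "required":
        findings.append("unknown ssl.client.auth value: " + mode)
    if mode in ("requested", "required") and "ssl.truststore.location" not in props:
        findings.append("no ssl.truststore.location: client certificates are "
                        "checked against the JVM default trust store")
    if any(l.startswith("PLAINTEXT://") for l in listeners):
        findings.append("PLAINTEXT listener accepts unauthenticated clients")
    return mode, findings

if __name__ == "__main__":
    for cfg in (BROKER_PROPS, BROKER_PROPS + "ssl.client.auth = required\n"):
        print(audit_client_auth(cfg))
```

With `requested`, a principal builder still has to handle `SSLPeerUnverifiedException` for clients that present no certificate; with `required`, the handshake fails for those clients instead.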
