Hello, I am trying to only add SSL, not Kerberos, not SASL, no JAAS.
I know my certs are good and installed... a test from a VM or from my laptop works:

    openssl s_client -debug -connect 172.21.149.190:9093 -tls1_2
    CONNECTED(00000003)
    (handshake hex dump trimmed; the certificate subject shows o=myCompany ou=Core Software Engineering cn=1)

I configured my server in /dep/dep-kafka/config/server.properties:

    listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
    advertised.listeners=PLAINTEXT://172.21.149.190:9092,SSL://172.21.149.190:9093
    security.inter.broker.protocol=SSL
    ssl.keystore.location=/dep/ssl/kafka.server.172.21.149.190.keystore.jks
    ssl.keystore.password=mypassword
    ssl.key.password=mypassword
    ssl.keystore.type=JKS
    ssl.truststore.location=/dep/ssl/kafka.server.172.21.149.190.truststore.jks
    ssl.truststore.password=mypassword
    ssl.truststore.type=JKS
    ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1

I see my config in the server bootup logs:

    advertised.listeners = PLAINTEXT://172.21.149.190:9092,SSL://172.21.149.190:9093
    ssl.cipher.suites = null
    ssl.client.auth = none
    ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
    ssl.endpoint.identification.algorithm = null
    ssl.key.password = [hidden]
    ssl.keymanager.algorithm = SunX509
    ssl.keystore.location = /dep/ssl/kafka.server.172.21.149.190.keystore.jks
    ssl.keystore.password = [hidden]
    ssl.keystore.type = JKS
    ssl.protocol = TLS
    ssl.provider = null
    ssl.secure.random.implementation = null
    ssl.trustmanager.algorithm = PKIX
    ssl.truststore.location = /dep/ssl/kafka.server.172.21.149.190.truststore.jks
    ssl.truststore.password = [hidden]
    ssl.truststore.type = JKS

I configured my client (a consumer: Java code, Spring getters/setters, config file). Proof of my config in the consumer logs:

    bootstrap.servers = [172.21.149.190:9093, 172.21.149.188:9093, 172.21.149.184:9093]
    security.protocol = SSL
    send.buffer.bytes = 131072
    session.timeout.ms = 10000
    ssl.cipher.suites = null
    ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
    ssl.endpoint.identification.algorithm = null
    ssl.key.password = [hidden]
    ssl.keymanager.algorithm = SunX509
    ssl.keystore.location = C:\mykeystore\kafka.client.172.18.191.141.keystore.jks
    ssl.keystore.password = [hidden]
    ssl.keystore.type = JKS
    ssl.protocol = TLS
    ssl.provider = null
    ssl.secure.random.implementation = null
    ssl.trustmanager.algorithm = PKIX
    ssl.truststore.location = C:\mykeystore\kafka.client.172.18.191.141.truststore.jks
    ssl.truststore.password = [hidden]
    ssl.truststore.type = JKS

The Java code has consumer code and uses kafka.consumer.poll.

If I turn off the SSL config on the consumer side only (leaving the server at PLAINTEXT 9092, SSL 9093), my poll gets through to the server.

If I turn on this SSL config on the consumer side only, the consumer.poll never comes back (is it blocking?).

I'm using 0.10.1.1.

I am not seeing any logs for rejected SSL, but I admit I don't know how to turn such logging on. I don't know for the server side. I don't know for the Java code on the consumer side.

Phil Gerow
Data Exchange Platform - Career
Core Software Engineering
O: 770-740-4893
philip.ge...@equifax.com
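An added consistency check (not code from the thread) over the broker and consumer values logged at startup above: it parses those "key = value" lines and reports port/protocol mismatches, TLS versions with no overlap, deprecated TLS versions, missing hostname verification and a missing truststore. The log lines are constructed from the message; it assumes only this one broker's listeners are known.

```python
"""Consistency check over Kafka broker/consumer SSL settings as logged at startup; sample lines constructed from the message."""
import re
BROKER_LOG = """
advertised.listeners = PLAINTEXT://172.21.149.190:9092,SSL://172.21.149.190:9093
ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
ssl.endpoint.identification.algorithm = null
"""
CLIENT_LOG = r"""
bootstrap.servers = [172.21.149.190:9093, 172.21.149.188:9093, 172.21.149.184:9093]
security.protocol = SSL
ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
ssl.endpoint.identification.algorithm = null
ssl.truststore.location = C:\mykeystore\kafka.client.172.18.191.141.truststore.jks
"""

def parse_log(text):
    """'key = value' lines -> dict; '[a, b]' becomes a list, 'null' becomes None."""
    cfg = {}
    for line in text.strip().splitlines():
        key, _, val = (part.strip() for part in line.partition("="))
        if val == "null":
            cfg[key] = None
        elif val.startswith("[") and val.endswith("]"):
            cfg[key] = [v.strip() for v in val[1:-1].split(",") if v.strip()]
        else:
            cfg[key] = val
    return cfg

def listener_ports(advertised):
    """'PLAINTEXT://h:9092,SSL://h:9093' -> {'h:9092': 'PLAINTEXT', 'h:9093': 'SSL'}."""
    return {hp: proto for proto, hp in re.findall(r"(\w+)://([^,\s]+)", advertised)}

def check(broker, client):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings, ports = [], listener_ports(broker["advertised.listeners"])
    for hp in client["bootstrap.servers"]:  # does the listener on that port speak what the client speaks?
        proto = ports.get(hp)
        if proto is None:
            findings.append(f"{hp}: not advertised by this broker (another broker's listener?)")
        elif proto != client["security.protocol"]:
            findings.append(f"{hp}: listener is {proto} but client security.protocol is {client['security.protocol']}")
    if not set(broker["ssl.enabled.protocols"]) & set(client["ssl.enabled.protocols"]):
        findings.append("no TLS version is enabled on both broker and client")
    if weak := {"TLSv1", "TLSv1.1"} & set(client["ssl.enabled.protocols"]):
        findings.append(f"client still enables deprecated protocols {sorted(weak)}")
    if client.get("ssl.endpoint.identification.algorithm") is None:
        findings.append("client does not verify the broker hostname (ssl.endpoint.identification.algorithm unset)")
    if not client.get("ssl.truststore.location"):
        findings.append("client has no truststore, so the broker certificate cannot be validated")
    return findings
```

This only catches configuration mismatches; the handshake itself is visible on the JVM side with -Djavax.net.debug=ssl.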