I am trying to set up 2-way SSL authentication. My requirement is that the broker
should authenticate only specific clients.
My organization has a CA which issues all certificates in PKCS12 format.
The steps I followed are as follows.

1. Got a certificate for the broker and configured it in the broker keystore:
   ssl.keystore.location=/home/kafka/certificate.p12
   ssl.keystore.password=xxxxx
   ssl.client.auth=required
2. Got a certificate for the client and configured it in the client keystore:
   ssl.keystore.location=/home/kafka/certificate.p12
   ssl.keystore.password=xxxxx
3. Extracted the public certificate from the client certificate using the
keytool command:
   keytool -export -file cert -keystore certificate.p12 -alias "12345" -storetype pkcs12 -storepass xxxxx
4. Imported the certificate into the broker truststore. The broker truststore
contains only the client 12345 certificate.
   keytool -keystore truststore.p12 -import -file cert -alias 12345 -storetype pkcs12 -storepass xxxxx -noprompt
5. Configured the truststore in the broker:
   ssl.truststore.location=/home/kafka/truststore.p12
   ssl.truststore.password=xxxxx
6. Configured the truststore in the client. The client truststore contains the CA
certificates.
   ssl.truststore.location=/etc/pki/java/cacerts
   ssl.truststore.password=xxxxx

When I run the broker and client, I expect the broker to authenticate the
client and establish an SSL connection, but instead the following error is thrown:
[2021-06-03 23:32:06,864] ERROR [AdminClient clientId=adminclient-1]
Connection to node -1 (abc.com/10.129.140.212:9093) failed authentication
due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-06-03 23:32:06,866] WARN [AdminClient clientId=adminclient-1]
Metadata update failed due to authentication error
(org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake
failed
Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake
message: server_hello

I tried various things but nothing seems to work. When I replace the broker
truststore with the /etc/pki/java/cacerts truststore file, which contains only
the CA certificate, then it works fine. But it will authenticate any client which
has a certificate issued by the CA.

What could be the issue?
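An added check (not part of the original post) that makes the difference between the two truststores in the message visible: it parses `keytool -list -v` output for a PKCS12 store and reports whether a given client certificate would be anchored by an exact leaf entry, by its issuer CA, or not at all. The alias names, DNs and listing text are constructed samples modelled on the post; `dump_store` assumes a JDK `keytool` is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows what a PKCS12 truststore
# actually anchors: a pinned client leaf (only that client matches) versus the
# issuing CA (every certificate the CA issued matches).
set -eu

# Reduce `keytool -list -v` text (stdin) to one line per entry: alias<TAB>owner<TAB>issuer
parse_listing() {
  awk -F': ' '
    /^Alias name:/ { alias = $2 }
    /^Owner:/      { owner = $2 }
    /^Issuer:/     { issuer = $2; printf "%s\t%s\t%s\n", alias, owner, issuer }
  '
}

# Real use: dump a store with keytool (requires a JDK). $1 = store path, $2 = password
dump_store() {
  keytool -list -v -keystore "$1" -storetype pkcs12 -storepass "$2" | parse_listing
}

# $1 = client cert subject, $2 = client cert issuer; entry lines on stdin.
# Prints "leaf:<alias>" if the exact client cert is in the store,
# "ca:<alias>" if its issuer is, or "none".
store_check() {
  awk -F'\t' -v subj="$1" -v iss="$2" '
    $2 == subj && $3 == iss { leaf = $1 }   # entry is the client certificate itself
    $2 == iss               { ca = $1 }     # entry is the CA that issued the client cert
    END {
      if (leaf != "")    print "leaf:" leaf
      else if (ca != "") print "ca:" ca
      else               print "none"
    }
  '
}

# Constructed sample: a broker truststore holding only client 12345's leaf cert.
LEAF_ONLY_STORE='Alias name: 12345
Creation date: Jun 3, 2021
Entry type: trustedCertEntry

Owner: CN=client-12345, OU=Kafka, O=Example Corp
Issuer: CN=Example Corp Issuing CA, O=Example Corp'

# Constructed sample: a cacerts-style truststore holding only the issuing CA.
CA_STORE='Alias name: examplecorp-ca
Entry type: trustedCertEntry

Owner: CN=Example Corp Issuing CA, O=Example Corp
Issuer: CN=Example Corp Issuing CA, O=Example Corp'
```

With the leaf-only store, client-12345 reports `leaf:12345` and any other client from the same CA reports `none`; with the CA store every client the CA issued reports `ca:examplecorp-ca`.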
