You may do openssl s_client -connect kafkahost:port to dump the cert. See if the cert makes sense.

To test if your SSL works, you may try using this Java program to test if you have an SSL trust issue - if it connects OK, the cert trust is most likely okay. (Remember to change your host name in the code, and the JKS path in the command line options.)

java -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=changeme Test

import java.net.*;
import java.io.*;
import javax.net.ssl.*;

/*
 * This example demonstrates how to use an SSLSocket as client to
 * send an HTTP request and get a response from an HTTPS server.
 * It assumes that the client is not behind a firewall
 */
public class Test {
    public static void main(String[] args) throws Exception {
        try {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket socket = (SSLSocket) factory.createSocket("cp-kafka1", 9093);

            /*
             * send http request
             *
             * Before any application data is sent or received, the
             * SSL socket will do SSL handshaking first to set up
             * the security attributes.
             *
             * SSL handshaking can be initiated by either flushing data
             * down the pipe, or by starting the handshaking by hand.
             *
             * Handshaking is started manually in this example because
             * PrintWriter catches all IOExceptions (including
             * SSLExceptions), sets an internal error flag, and then
             * returns without rethrowing the exception.
             *
             * Unfortunately, this means any error messages are lost,
             * which caused lots of confusion for others using this
             * code. The only way to tell there was an error is to call
             * PrintWriter.checkError().
             */
            socket.startHandshake();
            socket.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Wu Shilin
Solution Architect, Confluent <https://www.confluent.io>

On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> Had added those configurations but still seeing only junk certificates from
> the client side? Any idea how to solve?
>
> Thanks
> Anjali
>
> On Thu, Jun 24, 2021, 17:44 Shilin Wu <s...@confluent.io.invalid> wrote:
>
> > ssl.truststore.location=/root/truststore.jks
> > ssl.truststore.type=JKS
> > ssl.truststore.password=changeme
> > ssl.keystore.location=/root/alice.jks
> > ssl.keystore.type=JKS
> > ssl.keystore.password=changeme
> > security.protocol=SSL
> > bootstrap.servers=cp-kafka1:9093
> > ssl.endpoint.identification.algorithm=https
> >
> > This worked for me pretty well.
> >
> > Of course you need to generate those certs from OpenSSL.
> >
> > The trust store only contains the CA cert, the key store contains the
> > keypair for alice (the user here).
> >
> > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> >
> > > Thanks for this info. Can you please share what all needs to be present on
> > > the client side for mTLS, as in what all configuration is needed on that
> > > side?
> > >
> > > Thanks
> > >
> > > On Thu, Jun 24, 2021, 07:51 Shilin Wu <s...@confluent.io.invalid> wrote:
> > >
> > > > A few things to check:
> > > >
> > > > 1. The client trust store needs to trust the server cert's issuer cert
> > > > (AKA the CA cert).
> > > > 2. The client must have a keystore that can be trusted by the server's
> > > > trust store.
> > > > 3. The server needs to be accessed either via FQDN, or one of the SAN
> > > > addresses. If you are doing self-signing, you can add many DNS aliases
> > > > and even IP addresses to the server's cert.
> > > > 4. Make sure the server cert has extended key usage of serverAuth, and
> > > > the client cert has extended key usage of clientAuth. Actually you can
> > > > have both - if you are generating them yourself.
> > > >
> > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> > > >
> > > > > Hi All,
> > > > >
> > > > > While trying for mTLS with ssl.client.auth=required, from the client
> > > > > side we are seeing some junk certificates which we have not imported
> > > > > on the client side. Please help with this?
> > > > >
> > > > > Thanks & Regards
> > > > >
> > > > > Anjali
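As an added example that is not code from the thread or from Kafka, the Java diagnostic below runs the four checks from Shilin's list against the client's JKS files plus a copy of the broker cert saved with: openssl s_client -connect cp-kafka1:9093 </dev/null 2>/dev/null | openssl x509 > server.pem. Run it as: java MtlsCheck /root/truststore.jks changeme /root/alice.jks changeme cp-kafka1 server.pem; the paths, password and host mirror the quoted client.properties and are assumptions, as is the premise that one CA issued both the server and the client certs (the only case in which validating the client chain against the client's own truststore says anything).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Added diagnostic for the four mTLS checks from the thread; not code from the thread or from Kafka.
public class MtlsCheck {
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1", CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    public static void main(String[] a) throws Exception {
        // args: truststore.jks pw keystore.jks pw bootstrap-host server.pem (assumed values, see lead-in)
        KeyStore trust = load(a[0], a[1]), key = load(a[2], a[3]);
        X509Certificate server;
        try (FileInputStream in = new FileInputStream(a[5])) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        report("1. server cert chains to a CA in the truststore", chainsTo(List.of(server), trust));
        report("3. server cert SAN lists " + a[4] + " (exact match, no wildcards)", sanContains(server, a[4]));
        report("4. server cert has serverAuth EKU", hasEku(server, SERVER_AUTH));
        // 2. checking the client chain against the client's own truststore assumes one CA issued both sides' certs
        String alias = null;
        for (String al : Collections.list(key.aliases())) if (key.isKeyEntry(al)) alias = al;
        if (alias == null) throw new IllegalStateException("keystore has no private key entry");
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : key.getCertificateChain(alias)) chain.add((X509Certificate) c);
        report("2. client chain '" + alias + "' chains to a CA in the truststore", chainsTo(chain, trust));
        report("4. client cert has clientAuth EKU", hasEku(chain.get(0), CLIENT_AUTH));
    }
    static KeyStore load(String path, String pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw.toCharArray()); }
        return ks;
    }
    // PKIX path validation with every trusted cert in the store as an anchor; revocation off for a self-made CA.
    static boolean chainsTo(List<X509Certificate> chain, KeyStore trust) throws Exception {
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try { CertPathValidator.getInstance("PKIX").validate(path, params); return true; }
        catch (CertPathValidatorException e) { System.out.println("   reason: " + e.getMessage()); return false; }
    }
    static boolean hasEku(X509Certificate c, String oid) throws CertificateParsingException {
        List<String> eku = c.getExtendedKeyUsage();   // null when the extension is absent
        return eku != null && eku.contains(oid);
    }
    // SAN entries are [type, value]; dNSName (2) and iPAddress (7) values arrive as plain strings.
    static boolean sanContains(X509Certificate c, String host) throws CertificateParsingException {
        Collection<List<?>> sans = c.getSubjectAlternativeNames();
        return sans != null && sans.stream().anyMatch(s -> host.equalsIgnoreCase(String.valueOf(s.get(1))));
    }
    static void report(String what, boolean ok) { System.out.println((ok ? "OK   " : "FAIL ") + what); }
}
```

A FAIL on check 1 with a "reason" line is the same trust failure the handshake in the Test program above would surface as an SSLHandshakeException, but without needing the broker reachable for each retry.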