Menu
I am trying to setup TLS for kafka broker. I have followed the steps here and able to setup the Kafka with TLS. (In log, I see SSL entry for the configured port).
Now I am facing the issue with connecting the producer/consumer.
I created a client keystore using the below command,
keytool -keystore client.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey
Added the CA cert to the keystore,
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
Ran the below command in the client, where the ca-cert is the certificate used on the server.
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
Added the below config in the producer.properties,
security.protocol=SSL
ssl.truststore.location=path to client.truststore.jks
ssl.truststore.password=<password>
ssl.keystore.location=path to client.keystore.jks
ssl.keystore.password=<password>
ssl.key.password=<password>
Ran kafka-console-producer
kafka-console-producer.sh --broker-list 0.0.0.0:9092 --topic test --producer.config ../config/producer.properties
But I am getting the below error when running the util,
WARN Connection to node -1 terminated during authentication. This may indicate that authentication failed due to invalid credentials. (org.apache.kafka.clients.NetworkClient)
Suspecting that I am missing something in the client config. Any help would be greatly appreciated.
846
TLS is only supported by new Kafka Producer and Consumer, the older APIs are not supported. Enabling security is simply a matter of configuration, no code changes are required.
Step1: Start the zookeeper as well as the kafka server. Step2: Type the command: 'kafka-console-producer' on the command line. This will help the user to read the data from the standard inputs and write it to the Kafka topic.
A client that wants to send or receive messages from the Kafka cluster may connect to any broker in the cluster. Every broker in the cluster has metadata about all the other brokers and will help the client connect to them as well, and therefore any broker in the cluster is also called a bootstrap server.
Are you trying with client side certificate ? Rather I would recommend, try without client certificate. In that case you only need below entries,
producer.properties file:-
security.protocol=SSL
ssl.truststore.location=/<path-to>/truststore.jks
ssl.truststore.type=JKS
Read more about it here - http://kafka.apache.org/documentation/#security_configclients
For client authentication kafka uses SASL, This part of the document covers it clearly - http://kafka.apache.org/documentation/#security_sasl
94
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
