Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does Kafka specify key alias for Client Authentication?

Tags:

ssl

keystore

apache-kafka

client-certificates

I've seen many places that show enabling Kafka client authentication using the same example code as here:

https://www.cloudera.com/documentation/kafka/latest/topics/kafka_security.html#deploying_ssl_for_kafka__d18295e284

Namely:

ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234

My question is, how does the client specify the particular key within the keystore to use? Everywhere else I see JKS keystores discussed, keys are specified using an alias. The only things I can figure is that:

  • The alias is expected to be hard-coded (I can find no reference to this fact, however)
  • It is expected that only one key is in the keystore, and thus it uses the first key it finds
  • It scans and uses the first where the password matches the value of the ssl.key.password property
like image 343
fool4jesus Avatar asked Jul 05 '17 18:07

fool4jesus

People also ask

How does SSL work in Kafka?

SSL Overview By default, Apache Kafka sends all data as clear text and without any authentication. First of all, we can configure SSL for encryption between the broker and the client. This, by default, requires one-way authentication using public key encryption where the client authenticates the server certificate.

What is keystore in Kafka?

Generate SSL key and certificate for each Kafka broker You need to specify two parameters in the above command: keystore: the keystore file that stores the certificate. The keystore file contains the private key of the certificate; therefore, it needs to be kept safely.

What is Kafka mTLS?

mTLS provides two-way authentication to ensure that traffic between clients and the MDS is secure, and that you can trust content coming from both directions. In this example: Clients communicating with Kafka can use mTLS (encryption plus authentication).

What is SSL endpoint identification algorithm?

identification. algorithm The endpoint identification algorithm used by clients to validate server host name. The default value is HTTPS . Clients verify that the broker host name matches the host name in the broker's certificate. Server host name verification may be disabled by setting ssl.

1 Answers

None of the above. If you don't specify ssl.keymanager.algorithm (see SslConfigs:96) then it uses the JVM default (see SslEngineBuilder:138), which is probably going to be SunX509 (the only standard name is PKIX, but there's no indication of what that does differently; see Standard Algorithm Names § KeyManagerFactory algorithms). Despite the description of the standard algorithm, RFC 3280 does not specify a key selection process per se. However, the actual implemention simply selects some key of one of the desired types for which the corresponding certificate's certification path contains one of the desired issuers (see call chain starting at SunX509KeyManagerImpl.chooseClientAlias).

So the client's choice of key alias is going to be dictated by the certificate issuers that the server says it trusts and the types of keys that the server says it accepts (this is almost always RSA today, but may be different in the future or in specific scenarios). If you have just 1 RSA key issued by a CA that the server trusts, then that's the key it will pick. If 0, then the connection will fail, and if 2 or more, you don't know which one will be picked. In particular, having an expired and unexpired cert that both match the criteria is a recipe for trouble.

I found some interesting details on KeyManagers and KeyStores on a terse systems blog post, but some of the customization they talk about won't be possible without patching Kafka itself. If you need to control key selection with more precision, you'll probably have to implement your own KeyManager or use a third-party one that meets your needs.

like image 189
kbolino Avatar answered Oct 01 '22 21:10

kbolino
Sign in to Comment

Related questions

SSL equivalent of givedescriptor() and takedescriptor()
SSL error while using pip install to install tensorflow-gpu
wsimport Xauthfile error
Why does SSL handshaking sometimes kill my CPU?
Disable SSL certificate validation of HTTPS connection? [duplicate]
Behavior of HttpURLConnection for URL with Revoked SSL Certificate?
Issues with TLS connection in Golang
Getting certificate verify failed error with mechanize
Nginx upstream with http & https
How to test POODLE over TLS?
Remote certificate was verified as invalid by the user
Building a JMXConnectorServer that handles SSL
How to update Truststore dynamically?
can't install SSL pem certificate android 10
SSLException: SSL peer shut down incorrectly
consuming webservice using https protocol
CurlException: [curl] 51: SSL: certificate verification failed
decrypt TLS 1.2 AES-GCM packet
On connecting to MySQL via SSL getting ERROR 2026 (HY000): SSL connection error: protocol version mismatch [closed]
"No system CA bundle could be found" on Google App Engine on localhost

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!