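## Create Some Test Data
# Walkthrough: put a three-broker Kafka cluster (zoo1, zoo2, zoo3) behind TLS on
# port 9093 and verify it with the console clients. Steps are run by hand on
# the host named in each section; keytool and openssl prompt for passphrases.
# Placeholders in angle brackets (<broker 1 hostname>, <broker 1 private IP>,
# <keystore password>, zoo<N> ...) are replaced before running; they are quoted
# below so the shell does not read the < and > as redirections.
#
# To begin, create a test topic with some data that you can read at the end for testing.
kafka-topics --bootstrap-server localhost:9092 --create --topic tls-test --partitions 1 --replication-factor 1
# Produce some data to the tls-test topic (interactive: type a few messages, then Ctrl-D).
kafka-console-producer --broker-list localhost:9092 --topic tls-test

## Generate Certificate Files
# Log in to your first broker. Create a directory to work in as you generate
# certificate files. It will hold the CA private key, so keep it private to you.
cd ~/
mkdir -p certs
chmod 700 certs
cd certs
# Generate a certificate authority (CA). ca-key is the root of trust for the
# whole cluster: it stays on this host and is never copied with the keystores.
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 -subj "/C=US/ST=Texas/L=Keller/O=Linux Academy/OU=Content/CN=CCDAK"
# When prompted, enter and verify a new passphrase.
# Create trust stores for clients and servers, and import the certificate authority public key into both trust stores.
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
# When prompted, create a new keystore password for each trust store, and type yes for both to import the CA certificate.
# Generate keys and certificates for all three brokers using the CA. Note that we
# are generating all of these certificates on the first broker. We will copy the
# necessary files to the other brokers later. The SAN list must contain every
# name and address clients will use to reach that broker.
keytool -keystore zoo1.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA -dname "CN=<broker 1 hostname>, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext "san=dns:zoo1,dns:localhost,ip:127.0.0.1,ip:<broker 1 private IP>"
keytool -keystore zoo2.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA -dname "CN=<broker 2 hostname>, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext "san=dns:zoo2,dns:localhost,ip:127.0.0.1,ip:<broker 2 private IP>"
keytool -keystore zoo3.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA -dname "CN=<broker 3 hostname>, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext "san=dns:zoo3,dns:localhost,ip:127.0.0.1,ip:<broker 3 private IP>"
# Worked example with the author's lab values. Run these INSTEAD of the
# placeholder lines above, not in addition: a second -genkey under the same
# alias in an existing keystore is rejected by keytool.
#   keytool -keystore zoo2.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA -dname "CN=wboyd2c.mylabserver.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext "san=dns:zoo2,dns:localhost,ip:127.0.0.1,ip:172.31.108.62"
#   keytool -keystore zoo3.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA -dname "CN=wboyd3c.mylabserver.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext "san=dns:zoo3,dns:localhost,ip:127.0.0.1,ip:172.31.97.202"
# When prompted, create a keystore password for all three keystores. When
# prompted for the key password, you can simply press RETURN to use the
# keystore password for the key as well.
# Export a certificate-signing request for each broker from its keystore.
keytool -keystore zoo1.keystore.jks -alias localhost -certreq -file zoo1-cert-file
keytool -keystore zoo2.keystore.jks -alias localhost -certreq -file zoo2-cert-file
keytool -keystore zoo3.keystore.jks -alias localhost -certreq -file zoo3-cert-file
# Create a certificate-signing configuration file to contain the SANs for each
# broker. The SANs in the signed certificate come from this file, so each list
# must match the -ext list used for that broker above. Written with '>' rather
# than '>>' so re-running the step does not leave duplicate subjectAltName lines.
printf '%s\n' 'subjectAltName = DNS:zoo1,DNS:localhost,IP:127.0.0.1,IP:<broker 1 private IP>' > zoo1-extfile.cnf
printf '%s\n' 'subjectAltName = DNS:zoo2,DNS:localhost,IP:127.0.0.1,IP:<broker 2 private IP>' > zoo2-extfile.cnf
printf '%s\n' 'subjectAltName = DNS:zoo3,DNS:localhost,IP:127.0.0.1,IP:<broker 3 private IP>' > zoo3-extfile.cnf
# Worked example with the author's lab values (again, instead of the lines above):
#   printf '%s\n' 'subjectAltName = DNS:zoo1,DNS:localhost,IP:127.0.0.1,IP:172.31.100.110' > zoo1-extfile.cnf
#   printf '%s\n' 'subjectAltName = DNS:zoo2,DNS:localhost,IP:127.0.0.1,IP:172.31.108.62' > zoo2-extfile.cnf
#   printf '%s\n' 'subjectAltName = DNS:zoo3,DNS:localhost,IP:127.0.0.1,IP:172.31.97.202' > zoo3-extfile.cnf
# Sign each broker certificate with the CA (prompts for the CA key passphrase).
openssl x509 -req -CA ca-cert -CAkey ca-key -in zoo1-cert-file -out zoo1-cert-signed -days 365 -CAcreateserial -extfile zoo1-extfile.cnf
openssl x509 -req -CA ca-cert -CAkey ca-key -in zoo2-cert-file -out zoo2-cert-signed -days 365 -CAcreateserial -extfile zoo2-extfile.cnf
openssl x509 -req -CA ca-cert -CAkey ca-key -in zoo3-cert-file -out zoo3-cert-signed -days 365 -CAcreateserial -extfile zoo3-extfile.cnf
# Import the CA certificate and signed broker certificate into each server's keystore.
keytool -keystore zoo1.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore zoo1.keystore.jks -alias localhost -import -file zoo1-cert-signed
keytool -keystore zoo2.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore zoo2.keystore.jks -alias localhost -import -file zoo2-cert-signed
keytool -keystore zoo3.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore zoo3.keystore.jks -alias localhost -import -file zoo3-cert-signed

## Configure Your Brokers
# Copy the appropriate keystore to the cloud_user home directory on each server.
# Only a broker's own keystore and the server trust store travel; ca-key, the
# CSRs and the client trust store stay in ~/certs on broker 1.
cp zoo1.keystore.jks server.truststore.jks /home/cloud_user/
scp zoo2.keystore.jks server.truststore.jks cloud_user@zoo2:/home/cloud_user
scp zoo3.keystore.jks server.truststore.jks cloud_user@zoo3:/home/cloud_user
# On all three brokers, create a directory to hold the keystore and trust store.
# Replace zoo<N> with zoo1, zoo2 or zoo3 for the broker you are on.
cd ~/
sudo mkdir -p /var/private/ssl
sudo mv server.truststore.jks /var/private/ssl/
sudo mv "zoo<N>.keystore.jks" /var/private/ssl/server.keystore.jks
sudo chown -R root:root /var/private/ssl/
# chown alone leaves the files with whatever mode they were created with (usually
# world-readable), and server.keystore.jks holds the broker's private key. Tighten
# it (e.g. chmod 640 with the group of the account the service runs as) — the lab
# does not show which account confluent-kafka runs as, so confirm that first.
# On each broker, configure SSL in server.properties. Edit by hand first: the file
# has a commented listeners line you may uncomment and edit instead of appending
# one below, and it has an active
#   advertised.listeners=PLAINTEXT://zoo<N>:9092
# line that must be deleted or commented out; while it is present it overrides
# listeners and the SSL endpoint is never advertised to clients.
sudo vi /etc/kafka/server.properties
# Then add the listener and SSL settings. Enter the password values you used
# when generating the certificates and stores.
sudo tee -a /etc/kafka/server.properties >/dev/null <<'EOF'
listeners=PLAINTEXT://zoo<N>:9092,SSL://zoo<N>:9093
ssl.keystore.location=/var/private/ssl/server.keystore.jks
ssl.keystore.password=<keystore password>
ssl.key.password=<broker key password>
ssl.truststore.location=/var/private/ssl/server.truststore.jks
ssl.truststore.password=<trust store password>
ssl.client.auth=none
EOF
# What this configuration does and does not give you:
# - The store passwords sit in clear text in server.properties, so that file's
#   read permission is part of the key's protection.
# - ssl.client.auth=none: brokers encrypt traffic and prove their identity, but
#   do not authenticate clients; any client that trusts the CA can connect.
# - The PLAINTEXT listener on 9092 stays open, so TLS is optional for clients
#   until that listener is removed.
# Restart Kafka on all three brokers.
sudo systemctl restart confluent-kafka
# Wait a few moments, then check the status of the Kafka service.
sudo systemctl status confluent-kafka

## Use SSL to Connect as a Client
# On broker 1, copy the client trust store to an appropriate location. It holds
# only the CA certificate, so being readable by clients on this host is fine.
sudo cp ~/certs/client.truststore.jks /var/private/ssl/
sudo chown root:root /var/private/ssl/client.truststore.jks
# Connect to the cluster's non-secure port using a command line client.
kafka-console-consumer --bootstrap-server zoo1:9092 --topic tls-test --from-beginning
# Create a configuration file so you can easily use the SSL port with clients.
cd ~/
cat > client-ssl.properties <<'EOF'
security.protocol=SSL
ssl.truststore.location=/var/private/ssl/client.truststore.jks
ssl.truststore.password=<client trust store password>
EOF
# The file carries the trust store password, so keep it private to this user.
chmod 600 client-ssl.properties
# Connect to the cluster's secure port using a command line client.
kafka-console-consumer --bootstrap-server zoo1:9093 --topic tls-test --from-beginning --consumer.config client-ssl.properties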