Reputation: 3759
I will start by telling what I am trying to achieve. So my setup is:
6 VMs running Ubuntu 14.04. In 3 of them I have set up Kafka and in 3 I have created the ZooKeeper instance.
I start the produce and consume and all seems to work fine no issue.
Now I want to secure the setup using the SSL support which has come with the Kafka 0.9 version. I only want to set up SSL between the client and the Kafka broker so that they can communicate securely. I followed the following link.
The only change I have done is: I have replaced localhost with the IP of the Kafka broker, as I have 6 VMs running on the same network.
Where I am getting stuck is after generating the certificates, when I run the following command:
openssl s_client -debug -connect localhost:9093 -tls1
I get the message:
connect: Connection refused
connect:errno=111
I don't know how to proceed with this. I tried googling and going through the documents but couldn't find anything.
Also, any suggestion on what would be the ideal setup for security? My requirement is that I only need secure communication between Kafka clients and brokers; I don't need to worry about Kafka-to-Kafka and Kafka-to-ZooKeeper communication.
Please help, Vishesh.
Upvotes: 3
Views: 3823
Reputation: 3759
After a few tries and help from some colleagues I was able to get the entire setup working correctly over port 9093.
What went wrong was the certificate signing. As I had 3 Kafka brokers, I had created 3 different CAs to sign the certificates, which was wrong.
What needs to be done is that you need to have the certificates signed by the same single CA in all the brokers and clients, or, in case you have different certificates or plan to use different certificates for the brokers, you need to have a root CA which signs all the other CAs.
You can read more about it under Hierarchy of Trust here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa382479(v=vs.85).aspx
So if you have done the setup in one broker, use the same ca-cert file in all other brokers and clients to sign the certificates and it will work!
Upvotes: 3
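The single-CA rule from this answer, as an added example that is not part of the original post: it uses openssl alone (Kafka's own docs build JKS keystores with keytool; the ca-cert file is the same thing you would import into the truststore), creates one root CA plus a stray second CA, and checks which broker certificates a client trusting only the root CA would accept. CA and broker names and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question or answers): show why every broker
# cert must chain to the one CA the client holds. Pure openssl, no keytool.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; every file below is constructed here

# Create a self-signed CA key and certificate for the (hypothetical) CA name $1.
make_ca() {
  ca="$1"
  openssl genrsa -out "$WORK/$ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -subj "/CN=$ca" \
    -key "$WORK/$ca-key.pem" -out "$WORK/$ca-cert.pem" 2>/dev/null
}

# Create a key and CSR for broker $2 and have CA $1 sign it
# (the same step as the "sign the certificate with the CA" part of the Kafka docs).
issue_broker_cert() {
  ca="$1"; broker="$2"
  openssl genrsa -out "$WORK/$broker-key.pem" 2048 2>/dev/null
  openssl req -new -subj "/CN=$broker" \
    -key "$WORK/$broker-key.pem" -out "$WORK/$broker.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$broker.csr" \
    -CA "$WORK/$ca-cert.pem" -CAkey "$WORK/$ca-key.pem" -CAcreateserial \
    -out "$WORK/$broker-cert.pem" 2>/dev/null
}

# Would a client that trusts only CA $1 accept broker $2's certificate?
# Prints "trusted" or "untrusted"; this is what the TLS handshake decides.
chain_status() {
  if openssl verify -CAfile "$WORK/$1-cert.pem" "$WORK/$2-cert.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca rootca                    # the one CA all brokers and clients should share
make_ca strayca                   # a second, separate CA: the mistake from the question
issue_broker_cert rootca broker1
issue_broker_cert rootca broker2
issue_broker_cert strayca broker3

chain_status rootca broker1       # trusted
chain_status rootca broker2       # trusted
chain_status rootca broker3       # untrusted: signed by a CA the client never imported
```

A broker whose cert reports "untrusted" here will fail the handshake against a client whose truststore holds only rootca-cert.pem, even though its own keystore is perfectly valid.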
Reputation: 564
Check if the corporate ports which are used for SSL are open. When we set this up, after long research it was this simple thing.
Upvotes: 0