Ian Whitney

Reputation: 19

Kraft inter-broker communication over SSL

I'm wondering if I'm missing something about configuring SSL for Kraft.

We currently have a Zookeeper cluster where all inter-broker & client communication uses SSL. We manage our own CA and generate all the necessary keystore/truststore jks files for our brokers and clients. We've had this in place for several years.

I've recently been trying to set up a Kraft-based cluster. And since a Kraft controller is configured much the same as a Kafka broker is, I figured I would try to have the Kraft controllers communicate to each other over SSL, same as I have the brokers do.

When I enable SSL for the Kraft controller I get this error on startup:

Invalid value javax.net.ssl.SSLHandshakeException: No available authentication scheme for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.

I am running everything in Docker containers, using Confluent's images. Currently using version 7.7.0, though I saw the same errors on 7.7.1.

Turning on SSL debugging didn't turn up anything obvious. And I'm pretty stumped as to what's going on. Wondering if anyone here has thoughts. Several attempts at this, along with a lot of research, haven't gotten me anywhere.

My relevant Kraft controller config:

KAFKA_CONTROLLER_LISTENER_NAMES: SSL
KAFKA_INTER_BROKER_LISTENER_NAME: SSL
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "SSL:SSL"
KAFKA_LISTENERS: SSL://0.0.0.0:9094
KAFKA_METADATA_VERSION: "3.7"
KAFKA_PROCESS_ROLES: controller
KAFKA_SSL_CLIENT_AUTH: required
KAFKA_SSL_KEYSTORE_CREDENTIALS: credentials
KAFKA_SSL_KEYSTORE_FILENAME: keystore.jks
KAFKA_SSL_KEY_CREDENTIALS: credentials
KAFKA_SSL_SECRETS_DIR: /etc/kafka/secrets
KAFKA_SSL_TRUSTSTORE_CREDENTIALS: credentials
KAFKA_SSL_TRUSTSTORE_FILENAME: truststore.jks

Upvotes: 1

Views: 107

Answers (1)

Ian Whitney

Reputation: 19

I believe this issue and my comment capture the problem and the solution:

https://github.com/confluentinc/kafka-images/issues/350

You can work around this by manually setting the SSL env vars that Confluent's configure script would set for you.

    # created by config file, but setting manually here
    KAFKA_SSL_KEY_CREDENTIALS_LOCATION: "/kafka/etc/secrets/credentials"
    KAFKA_SSL_KEY_PASSWORD: "hunter1"
    KAFKA_SSL_KEYSTORE_LOCATION: "/kafka/etc/secrets/keystore.jks"
    KAFKA_SSL_KEYSTORE_CREDENTIALS_LOCATION: "/kafka/etc/secrets/credentials"
    KAFKA_SSL_KEYSTORE_PASSWORD: "hunter1"
    KAFKA_SSL_TRUSTSTORE_LOCATION: "/kafka/etc/secrets/truststore.jks"
    KAFKA_SSL_TRUSTSTORE_CREDENTIALS_LOCATION: "/kafka/etc/secrets/credentials"
    KAFKA_SSL_TRUSTSTORE_PASSWORD: "hunter1"

Upvotes: 0
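The workaround above hard-codes the passwords that Confluent's configure script would otherwise derive from the secrets directory. As an added example (not from the post or from Confluent's kafka-images), a small shell helper that derives the same `*_LOCATION`/`*_PASSWORD` variables from `KAFKA_SSL_SECRETS_DIR` and the `*_FILENAME`/`*_CREDENTIALS` variables already in the question, so the compose file only has to reference the credentials file; the function names and the demo secrets directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or Confluent's kafka-images.
# Derives the *_LOCATION / *_PASSWORD variables that the Confluent configure
# script would normally set from KAFKA_SSL_SECRETS_DIR and the *_FILENAME /
# *_CREDENTIALS variables used in the question, so no password needs to be
# hard-coded in the compose file. Function names are hypothetical.
set -eu

# Read a one-line credentials file. A trailing newline or CR would otherwise
# become part of the password and the keystore would fail to open.
read_credential() {
  [ -r "$1" ] || { echo "credentials file not readable: $1" >&2; return 1; }
  tr -d '\r\n' < "$1"
}

# Build the full variable set; fails early if a store or credentials file is missing.
derive_ssl_env() {
  local dir="${KAFKA_SSL_SECRETS_DIR:?KAFKA_SSL_SECRETS_DIR must be set}"
  export KAFKA_SSL_KEYSTORE_LOCATION="$dir/${KAFKA_SSL_KEYSTORE_FILENAME:?}"
  export KAFKA_SSL_TRUSTSTORE_LOCATION="$dir/${KAFKA_SSL_TRUSTSTORE_FILENAME:?}"
  export KAFKA_SSL_KEYSTORE_CREDENTIALS_LOCATION="$dir/${KAFKA_SSL_KEYSTORE_CREDENTIALS:?}"
  export KAFKA_SSL_KEY_CREDENTIALS_LOCATION="$dir/${KAFKA_SSL_KEY_CREDENTIALS:?}"
  export KAFKA_SSL_TRUSTSTORE_CREDENTIALS_LOCATION="$dir/${KAFKA_SSL_TRUSTSTORE_CREDENTIALS:?}"
  for f in "$KAFKA_SSL_KEYSTORE_LOCATION" "$KAFKA_SSL_TRUSTSTORE_LOCATION"; do
    [ -r "$f" ] || { echo "missing store: $f" >&2; return 1; }
  done
  # Assign first, export second: 'export X="$(cmd)"' would hide a failing read.
  KAFKA_SSL_KEYSTORE_PASSWORD="$(read_credential "$KAFKA_SSL_KEYSTORE_CREDENTIALS_LOCATION")"
  KAFKA_SSL_KEY_PASSWORD="$(read_credential "$KAFKA_SSL_KEY_CREDENTIALS_LOCATION")"
  KAFKA_SSL_TRUSTSTORE_PASSWORD="$(read_credential "$KAFKA_SSL_TRUSTSTORE_CREDENTIALS_LOCATION")"
  export KAFKA_SSL_KEYSTORE_PASSWORD KAFKA_SSL_KEY_PASSWORD KAFKA_SSL_TRUSTSTORE_PASSWORD
}

# Constructed demo: a throwaway directory standing in for /etc/kafka/secrets,
# with the same file names and password as the question and answer.
demo() {
  local dir; dir="$(mktemp -d)"
  printf 'hunter1\n' > "$dir/credentials"
  : > "$dir/keystore.jks"; : > "$dir/truststore.jks"   # empty stand-ins for the stores
  export KAFKA_SSL_SECRETS_DIR="$dir" \
    KAFKA_SSL_KEYSTORE_FILENAME=keystore.jks KAFKA_SSL_TRUSTSTORE_FILENAME=truststore.jks \
    KAFKA_SSL_KEYSTORE_CREDENTIALS=credentials KAFKA_SSL_KEY_CREDENTIALS=credentials \
    KAFKA_SSL_TRUSTSTORE_CREDENTIALS=credentials
  derive_ssl_env
  env | grep -E '^KAFKA_SSL_.*_(LOCATION|PASSWORD)=' | sort
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Source the file from the container entrypoint (or run it with `--demo` to see the derived variables) before the controller starts, so the credentials file remains the single place the password lives.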
