Kafka-SSL笔记整理

创建密钥仓库以及CA

1. 创建密匙仓库,用户存储证书文件

   keytool -keystore server.keystore.jks -alias hello_kafka -validity 100000 -genkey
   

2. 创建CA

   openssl req -new -x509 -keyout ca-key -out ca-cert -days 100000
   

3. 将生成的CA添加到客户端信任库

   keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
   

4. 为broker提供信任库以及所有客户端签名了密钥的CA证书

   keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
   

签名证书，用自己生成的CA来签名前面生成的证书

1. 签名证书，用自己生成的CA来签名前面生成的证书

   keytool -keystore server.keystore.jks -alias hello_kafka -certreq -file cert-file
   

2. 用CA签名：

   openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 100000 -CAcreateserial -passin pass:hello123
   

3. 导入CA的证书和已签名的证书到密钥仓库

   keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
   keytool -keystore server.keystore.jks -alias hello_kafka -import -file cert-signed
   

kafka集成ssl (服务端配置)

1. 修改config/server.properties配置文件

   listeners=PLAINTEXT://192.168.99.51:9092,SSL://192.168.99.51:8989
   advertised.listeners=PLAINTEXT://192.168.99.51:9092,SSL://192.168.99.51:8989
   ssl.keystore.location=/root/tools/ca_temp/server.keystore.jks
   ssl.keystore.password=hello123
   ssl.key.password=hello123
   ssl.truststore.location=/root/tools/ca_temp/server.truststore.jks
   ssl.truststore.password=hello123
   

2. 重启kafka
3. 使用openssl测试ssl端口

   openssl s_client -debug -connect 192.168.99.51:8989 -tls1
   

4. 打开防火墙端口

   a. firewall-cmd --zone=public --add-port=8989/tcp --permanent
   b. firewall-cmd --reload
   

kafka客户端ssl配置

1. 配置修改

   security.protocol=SSL
   ssl.endpoint.identification.algorithm=
   ssl.truststore.location=/root/tools/ca_temp/client.truststore.jks
   ssl.truststore.password=hello123