author: 周坤
createTime: 2022-01-21
Training end date: 2022-02-24
# Using SSL in Kafka
# Generate the keystore holding the broker's key and certificate

```bash
keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA
```

- `server.keystore.jks`: the keystore that stores the broker's private key and certificate
- `validity`: validity period of the certificate, in days
- `-keyalg RSA`: older JDKs generate a DSA key when no algorithm is given, and DSA certificates are rejected by the cipher suites current TLS stacks enable; ask for RSA explicitly

After running the command you are prompted for the keystore password and the certificate subject:

```
Enter keystore password: <password>
Re-enter new password: <password>
What is your first and last name?
  [Unknown]: localhost, or the broker's domain name
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]: yes
```

"First and last name" becomes the CN of the certificate. Since Kafka 2.0 clients check the broker hostname against the certificate by default (`ssl.endpoint.identification.algorithm=https`), so the CN must be the host name clients actually connect to, not an arbitrary string.

Inspect the generated certificate:

```bash
keytool -list -v -keystore server.keystore.jks
```
# Create a CA and sign the broker certificate

```bash
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
```

- `ca-key`: the CA's private key, encrypted with the pass phrase you enter; it never needs to be copied to a broker or a client
- `ca-cert`: the CA's certificate
- `days`: validity period of the CA certificate

Prompts:

```
Enter PEM pass phrase: <CA password>
Verifying - Enter PEM pass phrase: <CA password>
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: a name for the CA, e.g. Kafka-CA
```

The CA's Common Name is only the CA's name; no client compares it against a hostname. Give it a value different from the broker's CN so that the broker certificate's subject and issuer do not coincide.

Export a certificate signing request from the keystore:

```bash
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
```

Sign the request with the CA:

```bash
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days {validity} -CAcreateserial -passin pass:{ca-password}
```

- `{validity}`: validity period of the signed certificate, in days
- `{ca-password}`: the pass phrase of `ca-key`, entered when the CA was created

Import the CA certificate and then the signed certificate into the keystore. The CA has to go in first, otherwise keytool cannot build the chain for the signed certificate:

```bash
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
```
# Create the truststores

```bash
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
```

- `server.truststore.jks`: the broker's truststore
- `client.truststore.jks`: the clients' truststore

Both contain only the CA certificate: every certificate signed by this CA is trusted, and `ca-key` stays on the machine where it was generated.
# Configure the Kafka broker

In `server.properties`:

```properties
listeners=PLAINTEXT://192.168.7.198:9092,SSL://<localhost or domain name>:9093
ssl.keystore.location=/data/tools/kafka/ssl/server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/data/tools/kafka/ssl/server.truststore.jks
ssl.truststore.password=test1234
```

The host in the `SSL://` listener (and in `advertised.listeners`, if set) must be the name in the certificate, otherwise clients fail hostname verification. The passwords sit in clear text in `server.properties`, so restrict the file's permissions to the Kafka user. This configuration also leaves the PLAINTEXT listener open on 9092: clients can still reach the broker unencrypted until that listener is removed, and inter-broker traffic stays on PLAINTEXT unless `security.inter.broker.protocol=SSL` is set.
# Check that the broker's keystore and truststore are set up correctly

```bash
openssl s_client -connect <localhost or domain name>:9093 -tls1_2 -CAfile ca-cert
```

The certificate chain printed must end at the CA and the output should finish with `Verify return code: 0 (ok)`. Use `-tls1_2` (or `-tls1_3`) rather than `-tls1`: Kafka 2.5 and later only enable TLSv1.2 and TLSv1.3 by default, so a forced TLS 1.0 handshake fails even when the keystore is correct. Add `-debug` to dump the raw bytes if the handshake fails.
# Configure the Kafka client

Use Kafka's console tools to confirm that SSL works end to end:

```bash
kafka-console-producer.sh --broker-list <localhost or domain name>:9093 --topic test --producer.config client-ssl.properties
kafka-console-consumer.sh --bootstrap-server <localhost or domain name>:9093 --topic test --consumer.config client-ssl.properties
```

Contents of `client-ssl.properties`:

```properties
security.protocol=SSL
ssl.truststore.location=/data/tools/kafka/ssl/client.truststore.jks
ssl.truststore.password=test1234
```

The bootstrap host must be the name in the broker certificate; connecting by IP address fails hostname verification unless the certificate carries that IP in a SAN.
Kafka configuration in Spring Boot:

```yaml
spring:
  kafka:
    ssl:
      trust-store-location: file:/data/client.truststore.jks
      trust-store-password: test1234
    security:
      protocol: SSL
```
# The whole flow

1. `keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA`
2. `openssl req -new -x509 -keyout ca-key -out ca-cert -days 365`
3. `keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert`
4. `keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert`
5. `keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file`
6. `openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234`
7. `keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert`
8. `keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed`
# Things to watch

- First and last name (keytool): localhost or the broker's domain name, i.e. the host clients connect to. It cannot be arbitrary, because clients verify it against the hostname.
- Common Name (openssl, when creating the CA): a name for the CA, distinct from the broker hostname. The CA's CN is not checked against any host; what matters is that it differs from the broker's CN.
- A client using SSL needs `client.truststore.jks` copied to a local directory. Only the truststore is distributed; `ca-key` and `server.keystore.jks` stay on the servers.
# Using a single client truststore across a Kafka cluster

- Generate the CA on any one machine in the cluster and sign the other machines' certificates with that CA; that way
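The eight-step flow above and the single-CA cluster idea, scripted as an added example that is not part of the original notes. It runs the same keytool/openssl commands non-interactively (`-dname`, `-storepass`, `-subj`, `-passout`), adds the flags the interactive version leaves to defaults (`-keyalg RSA`, a SAN equal to the broker host), creates one CA and one client truststore, and then a keystore per broker signed by that CA, with a verification step that checks the chain and the hostname in each signed certificate. The hostnames, the password `test1234`, the output directory and the CA name "Example Kafka Test CA" are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: the 8-step flow scripted and
# extended to several brokers signed by one CA, so that one client.truststore.jks
# (CA certificate only) serves the whole cluster. Hostnames, password and
# directory below are assumptions for the demo.
set -eu

# make_ca <dir> <ca-password>: step 2. The CN only names the CA and is
# deliberately not a broker hostname, so subject != issuer on broker certs.
make_ca() {
  openssl req -new -x509 -keyout "$1/ca-key" -out "$1/ca-cert" -days 365 \
    -subj "/CN=Example Kafka Test CA" -passout "pass:$2"
  chmod 600 "$1/ca-key"
}

# make_truststore <dir> <file> <password>: steps 3/4, CA certificate only.
make_truststore() {
  keytool -importcert -noprompt -keystore "$1/$2" -storetype JKS \
    -alias CARoot -file "$1/ca-cert" -storepass "$3"
}

# make_broker_keystore <dir> <host> <ca-password> <store-password>:
# steps 1, 5, 6, 7, 8 for one broker; writes <dir>/<host>.keystore.jks
make_broker_keystore() {
  local dir=$1 host=$2 capass=$3 pass=$4 ks="$1/$2.keystore.jks"
  # 1. key pair: CN and SAN are the host clients connect to, which Kafka
  #    clients verify by default (ssl.endpoint.identification.algorithm=https)
  keytool -genkeypair -keystore "$ks" -storetype JKS -alias localhost \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$host, OU=Kafka, O=Example, C=CN" \
    -ext "SAN=DNS:$host" -storepass "$pass" -keypass "$pass"
  # 5. certificate signing request
  keytool -certreq -keystore "$ks" -alias localhost -file "$dir/$host.csr" \
    -storepass "$pass"
  # 6. sign; openssl x509 -req does not copy CSR extensions, so the SAN is
  #    supplied again through -extfile
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.san"
  openssl x509 -req -CA "$dir/ca-cert" -CAkey "$dir/ca-key" -in "$dir/$host.csr" \
    -out "$dir/$host.crt" -days 365 -CAcreateserial -passin "pass:$capass" \
    -extfile "$dir/$host.san"
  # 7./8. CA first, then the signed certificate under the key's alias
  keytool -importcert -noprompt -keystore "$ks" -alias CARoot \
    -file "$dir/ca-cert" -storepass "$pass"
  keytool -importcert -noprompt -keystore "$ks" -alias localhost \
    -file "$dir/$host.crt" -storepass "$pass"
  chmod 600 "$ks"
}

# verify_broker_cert <dir> <host> <store-password>: the signed certificate
# chains to the CA, names the host in its SAN, and the keystore alias now
# carries a 2-certificate chain (broker cert + CA). Non-zero on any failure.
verify_broker_cert() {
  openssl verify -CAfile "$1/ca-cert" "$1/$2.crt" >/dev/null || return 1
  openssl x509 -in "$1/$2.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2" || return 1
  keytool -list -v -keystore "$1/$2.keystore.jks" -storepass "$3" -alias localhost \
    | grep -q 'Certificate chain length: 2'
}

# build_cluster_ssl <dir> <password> <host>...: one CA, one client truststore,
# one server truststore, one verified keystore per broker host.
build_cluster_ssl() {
  local dir=$1 pass=$2 h
  shift 2
  mkdir -p "$dir"
  make_ca "$dir" "$pass"
  make_truststore "$dir" client.truststore.jks "$pass"
  make_truststore "$dir" server.truststore.jks "$pass"
  for h in "$@"; do
    make_broker_keystore "$dir" "$h" "$pass" "$pass"
    verify_broker_cert "$dir" "$h" "$pass"
  done
}

# usage (hostnames and path are demo assumptions):
#   build_cluster_ssl /data/tools/kafka/ssl test1234 kafka1.example.com kafka2.example.com
```

Each broker then gets its own `<host>.keystore.jks` as `ssl.keystore.location`, while every client uses the same `client.truststore.jks`; `ca-key` is only needed on the machine that signs and is never copied anywhere.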