
Kafka SSL certificate generation and configuration

Apache Kafka can use SSL to encrypt connections, and it can also restrict client access: issue a certificate to each client and allow only clients that hold such a certificate to connect.

Below, the JDK's keytool utility is used to generate the certificates and Kafka is then configured to use them.

For ease of demonstration, the CA and the server certificate use the same password, as follows:

KSPASS=xxxx

The client certificate password is as follows:

CLIENT_PASS=yyyy

Self-signed CA certificate

# Generate
keytool -genkeypair -keystore mycastore.jks -storepass ${KSPASS} -alias myca -validity 365 -dname CN=ca,C=cn -ext bc:c
# (Mind the validity period: keytool's default is 90 days.)

# Export
keytool -exportcert -keystore mycastore.jks -storepass ${KSPASS} -alias myca -rfc -file myca.cer

# Inspect
keytool -list -keystore mycastore.jks -storepass ${KSPASS}
keytool -printcert -file myca.cer

Server certificate

# Generate
keytool -genkeypair -keystore server.keystore.jks -storepass ${KSPASS} -alias server -keypass ${KSPASS} -validity 365 -dname CN=127.0.0.1,C=cn

# Generate a certificate signing request
keytool -certreq -keystore server.keystore.jks -storepass ${KSPASS} -alias server -keypass ${KSPASS} -file server.csr

# Sign with the CA
keytool -gencert -keystore mycastore.jks -storepass ${KSPASS} -alias myca -keypass ${KSPASS} -validity 365 -infile server.csr -outfile server.cer

# Inspect
keytool -printcert -file server.cer

# Import the CA certificate to create the truststore
keytool -importcert -keystore server.truststore.jks -storepass ${KSPASS} -alias myca -keypass ${KSPASS} -file myca.cer

# Import the CA certificate into the keystore
keytool -importcert -keystore server.keystore.jks -storepass ${KSPASS} -alias myca -keypass ${KSPASS} -file myca.cer

# Import the signed server certificate into the keystore
keytool -importcert -keystore server.keystore.jks -storepass ${KSPASS} -alias server -keypass ${KSPASS} -file server.cer

Client certificate

# Generate
keytool -genkeypair -keystore client1.keystore.jks -storepass ${CLIENT_PASS} -alias client1 -keypass ${CLIENT_PASS} -validity 365 -dname CN=client1,C=cn

# Generate a certificate signing request
keytool -certreq -keystore client1.keystore.jks -storepass ${CLIENT_PASS} -alias client1 -keypass ${CLIENT_PASS} -file client1.csr

# Sign with the CA
keytool -gencert -keystore mycastore.jks -storepass ${KSPASS} -alias myca -keypass ${KSPASS} -validity 365 -infile client1.csr -outfile client1.cer

# Inspect
keytool -printcert -file client1.cer

# Import the CA certificate to create the truststore
keytool -importcert -keystore client1.truststore.jks -storepass ${CLIENT_PASS} -alias myca -keypass ${CLIENT_PASS} -file myca.cer

# Import the CA certificate into the keystore
keytool -importcert -keystore client1.keystore.jks -storepass ${CLIENT_PASS} -alias myca -keypass ${CLIENT_PASS} -file myca.cer

# Import the signed client1 certificate into the keystore
keytool -importcert -keystore client1.keystore.jks -storepass ${CLIENT_PASS} -alias client1 -keypass ${CLIENT_PASS} -file client1.cer

Kafka broker configuration

(Plaintext on port 9092 for the internal network, SSL on port 9093 for the external network.)

ssl.keystore.location=server.keystore.jks
ssl.keystore.password=xxx
ssl.key.password=xxx
ssl.truststore.location=server.truststore.jks
ssl.truststore.password=xxx
ssl.client.auth=required
listeners=PLAINTEXT://0.0.0.0:9092,SSL://:9093
advertised.listeners=PLAINTEXT://10.1.1.1:9092,SSL://x.x.x.x:9093

Producer configuration

bootstrap.servers=x.x.x.x:9093
ssl.protocol=SSL
security.protocol=SSL
ssl.keystore.location=client1.keystore.jks
ssl.keystore.password=xxx
ssl.key.password=xxx
ssl.truststore.location=client1.truststore.jks
ssl.truststore.password=xxx
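The two property files above are easy to get subtly wrong, so here is an added example (not part of the original post) of a small linter that parses Java .properties syntax and reports settings that weaken the mutual-TLS setup built above: a broker that does not demand a client certificate, a client that is not actually using SSL, a missing keystore or truststore, and a legacy ssl.protocol value (Kafka documents SSL, SSLv2, SSLv3, TLS, TLSv1 and TLSv1.1 as discouraged in favour of TLSv1.2/TLSv1.3). The sample inputs are constructed from the post's own configuration.

```python
# Added linter for the Kafka broker/producer SSL properties shown above.
from typing import Dict, List

# ssl.protocol values Kafka still accepts on old JVMs but documents as discouraged.
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLS", "TLSv1", "TLSv1.1"}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' and '!' start comments, blank lines are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props


def lint(props: Dict[str, str], role: str) -> List[str]:
    """role is 'broker' or 'client'; returns human-readable findings (empty == ok)."""
    findings: List[str] = []
    proto = props.get("ssl.protocol")
    if proto in LEGACY_PROTOCOLS:
        findings.append(f"ssl.protocol={proto} is a legacy value; use TLSv1.2 or TLSv1.3")
    for key in ("ssl.keystore.location", "ssl.truststore.location"):
        if key not in props:  # no own identity / no CA to verify the peer with
            findings.append(f"{key} missing")
    if role == "broker":
        if props.get("ssl.client.auth") != "required":
            findings.append("ssl.client.auth != required: clients without a certificate are accepted")
        if "SSL://" not in props.get("listeners", ""):
            findings.append("no SSL listener configured")
    elif props.get("security.protocol") != "SSL":
        findings.append("security.protocol != SSL: the client will talk plaintext")
    return findings


BROKER_PROPS = """# constructed from the broker config in the post
ssl.keystore.location=server.keystore.jks
ssl.truststore.location=server.truststore.jks
ssl.client.auth=required
listeners=PLAINTEXT://0.0.0.0:9092,SSL://:9093
"""
PRODUCER_PROPS = """# constructed from the producer config in the post
bootstrap.servers=x.x.x.x:9093
ssl.protocol=SSL
security.protocol=SSL
ssl.keystore.location=client1.keystore.jks
ssl.truststore.location=client1.truststore.jks
"""
```

Running `lint(parse_properties(PRODUCER_PROPS), "client")` flags only the `ssl.protocol=SSL` line; the broker config passes clean.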