参考文章:kafka学习笔记十kafka-SSL安全认证机制_hwhanwan的专栏-CSDN博客_kafka ssl认证

zookeeper配置SSL连接 

一、生成配置cert

1.1生成 server keystore

# Create the broker's key pair (plus a self-signed placeholder cert) in a new JKS keystore.
# -genkey is the older spelling of -genkeypair: the -help listing further down only shows
# -genkeypair, but the transcript below confirms this form is still accepted.
# The interactive prompts set the keystore/key passwords and the subject DN; in this
# walkthrough the DN is CN=hanwan, i.e. not the broker's hostname.
# NOTE(review): if clients turn on hostname verification (ssl.endpoint.identification.algorithm),
# the CN or a SAN would have to match the advertised broker host — confirm before reusing.
keytool -keystore server.keystore.jks -alias kafka-server -validity 365 -keyalg RSA -genkey

#注:生成 server.keystore.jks 时,-alias 应指定为 localhost(即该 broker 的主机名 host),并且不需要单独生成 client.keystore.jks 文件

keytool -keystore server.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey

[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore server.keystore.jks -alias kafka-server -validity 365 -keyalg RSA -genkey
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  hanwan
What is the name of your organizational unit?
  [Unknown]:  kafka
What is the name of your organization?
  [Unknown]:  kafka
What is the name of your City or Locality?
  [Unknown]:  HZ
What is the name of your State or Province?
  [Unknown]:  ZJ
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN correct?
  [no]:  YES^H^H
 
Enter key password for <kafka-server>
        (RETURN if same as keystore password):  
Re-enter new password: 
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.keystore.jks -deststoretype pkcs12".

keytool -help

keytool -list --help

[root@confluent-control-center ssl2]# keytool -list --help
keytool -list [OPTION]...

Lists entries in a keystore

Options:

 -rfc                            output in RFC style
 -alias <alias>                  alias name of the entry to process
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism

Use "keytool -help" for all available commands


# ============================================================ #
[root@confluent-control-center ssl2]# keytool -help
Key and Certificate Management Tool

Commands:

 -certreq            Generates a certificate request
 -changealias        Changes an entry's alias
 -delete             Deletes an entry
 -exportcert         Exports certificate
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 -gencert            Generates certificate from a certificate request
 -importcert         Imports a certificate or a certificate chain
 -importpass         Imports a password
 -importkeystore     Imports one or all entries from another keystore
 -keypasswd          Changes the key password of an entry
 -list               Lists entries in a keystore
 -printcert          Prints the content of a certificate
 -printcertreq       Prints the content of a certificate request
 -printcrl           Prints the content of a CRL file
 -storepasswd        Changes the store password of a keystore

Use "keytool -command_name -help" for usage of command_name

 keytool -list -keystore server.keystore.jks -v

[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -list -keystore server.keystore.jks -v
Enter keystore password:  
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: kafka-server
Creation date: Aug 30, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Issuer: CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Serial number: 1a0a5446
Valid from: Thu Aug 30 09:13:14 CST 2018 until: Fri Aug 30 09:13:14 CST 2019
Certificate fingerprints:
         MD5:  DF:79:13:05:23:4F:56:FB:7C:E4:F1:33:C0:9F:53:61
         SHA1: CD:AE:2F:5B:F9:A1:11:4B:D5:8C:E2:52:2E:3E:0A:59:A2:F2:8A:64
         SHA256: 30:B1:0B:39:C1:AB:FC:AD:DD:86:C8:F8:F6:04:0C:71:A6:10:61:7D:37:91:2F:72:53:4C:A0:FC:57:7E:A9:2A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions: 
 
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AB 31 16 F2 62 95 41 F2   2E C0 A2 49 A1 85 61 C1  .1..b.A....I..a.
0010: 0C C6 A1 83                                        ....
]
]
 
 
 
*******************************************
*******************************************
 
 
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.keystore.jks -deststoretype pkcs12".

1.2生成client keystore

keytool -keystore client.keystore.jks -alias kafka-client -validity 365 -keyalg RSA -genkey

keytool -keystore client.keystore.jks -alias localhost -validity 365 -keyalg RSA -genkey

# 查看:

keytool -list -keystore client.keystore.jks -v

[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore client.keystore.jks -alias kafka-client -validity 365 -keyalg RSA -genkey    
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  hanwan
What is the name of your organizational unit?
  [Unknown]:  kafka
What is the name of your organization?
  [Unknown]:  kafka
What is the name of your City or Locality?
  [Unknown]:  HZ
What is the name of your State or Province?
  [Unknown]:  ZJ
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN correct?
  [no]:  yes
Enter key password for <kafka-client>
        (RETURN if same as keystore password):  
Re-enter new password: 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.keystore.jks -deststoretype pkcs12".
[root@iZbp19pf0xgaj0oo0041u6Z cert]# ls
client.keystore.jks  server.keystore.jks

1.3 生成CA证书

# Create a self-signed CA: a fresh RSA private key (ca.key, protected by the pass phrase
# asked for below) and its certificate (ca.crt), valid for 365 days.
# Only ca.crt is distributed (it is imported into the truststores/keystores later);
# ca.key is used solely for signing in step 1.6 and should stay off the broker hosts —
# the scp in step 1.9 copies only the *.jks files, which is the right scope.
openssl req -new -x509 -keyout ca.key -out ca.crt -days 365

[root@iZbp19pf0xgaj0oo0041u6Z cert]# openssl req -new -x509 -keyout ca.key -out ca.crt -days 365
Generating a 2048 bit RSA private key
...............+++
...............................................................+++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:kafka
Organizational Unit Name (eg, section) []:kafka
Common Name (eg, your name or your server's hostname) []:hanwan
Email Address []:hwhanwan@163.com


[root@iZbp19pf0xgaj0oo0041u6Z cert]# ls
ca.crt  ca.key  client.keystore.jks  server.keystore.jks

1.4 Import the CA certificate into the server and client truststores.

# Put the CA certificate into the server truststore under the alias CARoot. The file does
# not exist yet, so keytool first prompts for a new truststore password.
# keytool prints the certificate's fingerprints before asking "Trust this certificate?";
# answer yes only after checking that the SHA256 value matches the ca.crt just generated
# (e.g. compare with `openssl x509 -noout -fingerprint -sha256 -in ca.crt`).
keytool -keystore server.trustkeystore.jks -alias CARoot -import -file ca.crt

[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore server.trustkeystore.jks -alias CARoot -import -file ca.crt   
Enter keystore password:  
Re-enter new password: 
Owner: EMAILADDRESS=hwhanwan@163.com, CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Issuer: EMAILADDRESS=hwhanwan@163.com, CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Serial number: 9f37ba082b41d6b1
Valid from: Thu Aug 30 09:30:54 CST 2018 until: Fri Aug 30 09:30:54 CST 2019
Certificate fingerprints:
         MD5:  F7:B0:95:61:BE:30:E9:C1:22:BF:81:91:5D:AA:9E:CE
         SHA1: 26:9E:05:CE:AF:E5:53:19:1C:A9:A7:77:1F:21:88:C8:7F:F0:BC:1D
         SHA256: 9C:78:E5:86:48:91:EC:90:38:B3:38:C9:76:BE:C8:C0:B5:54:0B:7F:BD:32:99:10:9A:24:0E:3B:D8:87:C7:6F
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions: 
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: EB E7 38 B1 04 E3 CA 0C   30 E1 1E C1 55 95 42 0D  ..8.....0...U.B.
0010: CC 07 E1 D3                                        ....
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EB E7 38 B1 04 E3 CA 0C   30 E1 1E C1 55 95 42 0D  ..8.....0...U.B.
0010: CC 07 E1 D3                                        ....
]
]
 
Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@iZbp19pf0xgaj0oo0041u6Z cert]# ls
ca.crt  ca.key  client.keystore.jks  server.keystore.jks  server.trustkeystore.jks
 
[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore client.trustkeystore.jks -alias CARoot -import -file ca.crt
Enter keystore password:  
Re-enter new password: 
Owner: EMAILADDRESS=hwhanwan@163.com, CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Issuer: EMAILADDRESS=hwhanwan@163.com, CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Serial number: 9f37ba082b41d6b1
Valid from: Thu Aug 30 09:30:54 CST 2018 until: Fri Aug 30 09:30:54 CST 2019
Certificate fingerprints:
         MD5:  F7:B0:95:61:BE:30:E9:C1:22:BF:81:91:5D:AA:9E:CE
         SHA1: 26:9E:05:CE:AF:E5:53:19:1C:A9:A7:77:1F:21:88:C8:7F:F0:BC:1D
         SHA256: 9C:78:E5:86:48:91:EC:90:38:B3:38:C9:76:BE:C8:C0:B5:54:0B:7F:BD:32:99:10:9A:24:0E:3B:D8:87:C7:6F
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions: 
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: EB E7 38 B1 04 E3 CA 0C   30 E1 1E C1 55 95 42 0D  ..8.....0...U.B.
0010: CC 07 E1 D3                                        ....
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EB E7 38 B1 04 E3 CA 0C   30 E1 1E C1 55 95 42 0D  ..8.....0...U.B.
0010: CC 07 E1 D3                                        ....
]
]
 
Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@iZbp19pf0xgaj0oo0041u6Z cert]# ls
ca.crt  ca.key  client.keystore.jks  client.trustkeystore.jks  server.keystore.jks  server.trustkeystore.jks

 1.5 Export a certificate signing request (CSR) from each keystore

keytool -keystore server.keystore.jks -alias kafka-server -certreq -file kafka.server.crt

keytool -keystore server.keystore.jks -alias localhost -certreq -file kafka.server.crt

[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore server.keystore.jks -alias kafka-server -certreq -file kafka.server.crt   
Enter keystore password:  
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.keystore.jks -deststoretype pkcs12".
[root@iZbp19pf0xgaj0oo0041u6Z cert]# ls
ca.crt  ca.key  client.keystore.jks  client.trustkeystore.jks  kafka.server.crt  server.keystore.jks  server.trustkeystore.jks
[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore client.keystore.jks -alias kafka-client -certreq -file kafka.client.crt      
Enter keystore password:  
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.keystore.jks -deststoretype pkcs12".
[root@iZbp19pf0xgaj0oo0041u6Z cert]# ls
ca.crt  client.keystore.jks       kafka.client.crt  server.keystore.jks
ca.key  client.trustkeystore.jks  kafka.server.crt  server.trustkeystore.jks

 1.6 Sign the CSRs with the CA certificate and key

# Sign the broker CSR (kafka.server.crt) with the CA, producing kafka.server.signed.crt valid
# for 365 days. -CAcreateserial creates ca.srl on first use (it shows up in the ls output
# below) so every certificate issued by this CA gets a distinct serial number; the CA
# pass phrase from step 1.3 is requested at the prompt.
# No -extfile is given, so the signed certificate carries only the subject from the CSR
# and no SAN extension.
openssl x509 -req -CA ca.crt -CAkey ca.key -in kafka.server.crt -out kafka.server.signed.crt -days 365 -CAcreateserial

[root@iZbp19pf0xgaj0oo0041u6Z cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -in kafka.server.crt -out kafka.server.signed.crt -days 365 -CAcreateserial 
Signature ok
subject=/C=CN/ST=ZJ/L=HZ/O=kafka/OU=kafka/CN=hanwan
Getting CA Private Key
Enter pass phrase for ca.key:

openssl x509 -req -CA ca.crt -CAkey ca.key -in kafka.client.crt -out kafka.client.signed.crt -days 365 -CAcreateserial 

[root@iZbp19pf0xgaj0oo0041u6Z cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -in kafka.client.crt -out kafka.client.signed.crt -days 365 -CAcreateserial             
Signature ok
subject=/C=CN/ST=ZJ/L=HZ/O=kafka/OU=kafka/CN=hanwan
Getting CA Private Key
Enter pass phrase for ca.key:
[root@iZbp19pf0xgaj0oo0041u6Z cert]# ls
ca.crt  ca.srl               client.trustkeystore.jks  kafka.client.signed.crt  kafka.server.signed.crt  server.trustkeystore.jks
ca.key  client.keystore.jks  kafka.client.crt          kafka.server.crt         server.keystore.jks
[root@iZbp19pf0xgaj0oo0041u6Z cert]# 

 1.7 Import the CA certificate into the server and client keystores.

keytool -keystore server.keystore.jks -alias CARoot -import -file ca.crt

[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore server.keystore.jks -alias CARoot -import -file ca.crt 
Enter keystore password:  
Owner: EMAILADDRESS=hwhanwan@163.com, CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Issuer: EMAILADDRESS=hwhanwan@163.com, CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Serial number: 9f37ba082b41d6b1
Valid from: Thu Aug 30 09:30:54 CST 2018 until: Fri Aug 30 09:30:54 CST 2019
Certificate fingerprints:
         MD5:  F7:B0:95:61:BE:30:E9:C1:22:BF:81:91:5D:AA:9E:CE
         SHA1: 26:9E:05:CE:AF:E5:53:19:1C:A9:A7:77:1F:21:88:C8:7F:F0:BC:1D
         SHA256: 9C:78:E5:86:48:91:EC:90:38:B3:38:C9:76:BE:C8:C0:B5:54:0B:7F:BD:32:99:10:9A:24:0E:3B:D8:87:C7:6F
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions: 
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: EB E7 38 B1 04 E3 CA 0C   30 E1 1E C1 55 95 42 0D  ..8.....0...U.B.
0010: CC 07 E1 D3                                        ....
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EB E7 38 B1 04 E3 CA 0C   30 E1 1E C1 55 95 42 0D  ..8.....0...U.B.
0010: CC 07 E1 D3                                        ....
]
]
 
Trust this certificate? [no]:  yes
Certificate was added to keystore
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.keystore.jks -deststoretype pkcs12".

1.8 Import the CA-signed certificates into the server and client keystores.

keytool -keystore server.keystore.jks -alias kafka-server -import -file kafka.server.signed.crt

[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore server.keystore.jks -alias kafka-server -import -file kafka.server.signed.crt 
Enter keystore password:  
Certificate reply was installed in keystore
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.keystore.jks -deststoretype pkcs12".
[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore client.keystore.jks -alias kafka-client -import -file kafka.client.signed.crt 
Enter keystore password:  
Certificate reply was installed in keystore
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.keystore.jks -deststoretype pkcs12".

keytool -keystore client.keystore.jks -alias CARoot -import -file ca.crt 

[root@iZbp19pf0xgaj0oo0041u6Z cert]# keytool -keystore client.keystore.jks -alias CARoot -import -file ca.crt
Enter keystore password:  
Owner: EMAILADDRESS=hwhanwan@163.com, CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Issuer: EMAILADDRESS=hwhanwan@163.com, CN=hanwan, OU=kafka, O=kafka, L=HZ, ST=ZJ, C=CN
Serial number: 9f37ba082b41d6b1
Valid from: Thu Aug 30 09:30:54 CST 2018 until: Fri Aug 30 09:30:54 CST 2019
Certificate fingerprints:
         MD5:  F7:B0:95:61:BE:30:E9:C1:22:BF:81:91:5D:AA:9E:CE
         SHA1: 26:9E:05:CE:AF:E5:53:19:1C:A9:A7:77:1F:21:88:C8:7F:F0:BC:1D
         SHA256: 9C:78:E5:86:48:91:EC:90:38:B3:38:C9:76:BE:C8:C0:B5:54:0B:7F:BD:32:99:10:9A:24:0E:3B:D8:87:C7:6F
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions: 
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: EB E7 38 B1 04 E3 CA 0C   30 E1 1E C1 55 95 42 0D  ..8.....0...U.B.
0010: CC 07 E1 D3                                        ....
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EB E7 38 B1 04 E3 CA 0C   30 E1 1E C1 55 95 42 0D  ..8.....0...U.B.
0010: CC 07 E1 D3                                        ....
]
]
 
Trust this certificate? [no]:  yes
Certificate was added to keystore
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.keystore.jks -deststoretype pkcs12".

 1.9 拷贝jks文件到其他集群服务器上

[root@iZbp19pf0xgaj0oo0041u6Z cert]# scp /usr/local/*.jks root@10.174.32.122:/usr/local/cert/
root@10.174.32.122's password: 
/usr/local/*.jks: No such file or directory

[root@iZbp19pf0xgaj0oo0041u6Z cert]# scp /usr/local/cert/*.jks root@10.174.32.122:/usr/local/cert/ 
root@10.174.32.122's password: 
client.keystore.jks                                                                               100% 4189     6.5MB/s   00:00    
client.trustkeystore.jks                                                                          100% 1032     2.0MB/s   00:00    
server.keystore.jks                                                                               100% 4188     7.0MB/s   00:00    
server.trustkeystore.jks                                                                          100% 1032     2.1MB/s   00:00    

[root@iZbp19pf0xgaj0oo0041u6Z cert]# ls

 二、分别修改kafka配置文件server.properties

[root@iZbp1c8mn5lner8nhvreblZ config]# cp server.properties server-ssl.properties 
[root@iZbp1c8mn5lner8nhvreblZ config]# vim server-ssl.properties

[root@iZbp1c8mn5lner8nhvreblZ config]# cp server.properties server-ssl.properties 
[root@iZbp1c8mn5lner8nhvreblZ config]# vim server-ssl.properties 
# Broker SSL settings appended to the copy of server.properties (server-ssl.properties).
# The keystore, key and truststore passwords are stored in clear text in this file, so
# its read permission should be limited to the account that runs the broker.
ssl.keystore.location=/usr/local/cert/server.keystore.jks
ssl.keystore.password=123456
ssl.key.password=123456
ssl.truststore.location=/usr/local/cert/server.trustkeystore.jks
ssl.truststore.password=123456
# Mutual TLS: every client must present a certificate that chains to the CA in the
# truststore above (the client keystore built in steps 1.2-1.8).
ssl.client.auth=required
# The PLAINTEXT listener on 9092 stays open next to the SSL listener on 9093, so
# unauthenticated, unencrypted clients are still accepted until it is removed here.
listeners=PLAINTEXT://121.40.200.37:9092,SSL://121.40.200.37:9093
# Broker-to-broker replication traffic goes over the SSL listener.
security.inter.broker.protocol=SSL

并分别启动kafka程序:

bin/kafka-server-start.sh -daemon config/server-ssl.properties 

[root@iZbp1 kafka_2.11-0.11.0.1]# bin/kafka-server-start.sh -daemon config/server-ssl.properties 

三、创建clientssl.properties

"clientssl.properties" [New File]                                                                                 0,0-1         All
security.protocol=SSL
ssl.truststore.location=/usr/local/cert/client.trustkeystore.jks
ssl.truststore.password=123456
ssl.keystore.password=123456
ssl.key.password=123456
ssl.keystore.location=/usr/local/cert/client.keystore.jks

4.测试

4.1 创建测试用的topic   ssl-topic

bin/kafka-topics.sh --create --topic ssl-topic --partitions 3 --replication-factor 3 --zookeeper 10.174.32.122:2181,10.117.15.224:2181,10.168.96.198:2181
Created topic "ssl-topic".

 bin/kafka-topics.sh --describe --topic ssl-topic --zookeeper 10.174.32.122:2181

[root@iZbp14ouog5ocoeakj39prZ kafka_2.11-0.11.0.1]# bin/kafka-topics.sh --create --topic ssl-topic --partitions 3 --replication-factor 3 --zookeeper 10.174.32.122:2181,10.117.15.224:2181,10.168.96.198:2181
Created topic "ssl-topic".

[root@iZbp14ouog5ocoeakj39prZ kafka_2.11-0.11.0.1]# bin/kafka-topics.sh --describe --topic ssl-topic --zookeeper 10.174.32.122:2181
Topic:ssl-topic PartitionCount:3        ReplicationFactor:3     Configs:
        Topic: ssl-topic        Partition: 0    Leader: 1       Replicas: 1,2,0 Isr: 1,2,0
        Topic: ssl-topic        Partition: 1    Leader: 2       Replicas: 2,0,1 Isr: 2,0,1
        Topic: ssl-topic        Partition: 2    Leader: 0       Replicas: 0,1,2 Isr: 0,1,2

4.2 Check the SSL listener with the openssl s_client tool

# Handshake check against the broker's SSL listener; -debug dumps the raw TLS records.
# -tls1 restricts the client to TLS 1.0 only, so this check fails against a broker that
# offers only newer protocol versions even when SSL is configured correctly — drop the
# flag to negotiate the protocol normally.
# NOTE(review): with ssl.client.auth=required and no client certificate supplied here,
# the broker is presumably expected to reject the handshake; a failure at that point
# is not by itself a misconfiguration.
openssl s_client -debug -connect 120.55.125.58:9093 -tls1

[root@iZbp19 config]# openssl s_client -debug -connect 120.55.125.58:9093 -tls1

4.3 Produce messages with the console producer script

bin/kafka-console-producer.sh --topic ssl-topic --broker-list 120.55.125.58:9093,120.26.198.248:9093,121.40.200.37:9093 --producer.config config/clientssl.properties 

[root@iZbp14ouog5ocoeakj39prZ kafka_2.11-0.11.0.1]# bin/kafka-console-producer.sh --topic ssl-topic --broker-list 120.55.125.58:9093,120.26.198.248:9093,121.40.200.37:9093 --producer.config config/clientssl.properties 
>hello
>ssl pass
>success
>

 4.4 Consume messages with the console consumer script

bin/kafka-console-consumer.sh --topic ssl-topic --bootstrap-server 120.55.125.58:9093,120.26.198.248:9093,121.40.200.37:9093 --from-beginning --consumer.config config/clientssl.properties

[root@iZbp19 kafka_2.11-0.11.0.1]# bin/kafka-console-consumer.sh --topic ssl-topic --bootstrap-server 120.55.125.58:9093,120.26.198.248:9093,121.40.200.37:9093 --from-beginning --consumer.config config/clientssl.properties
success
hello
ssl pass
