Create the keystore and the CA
-
Create the keystore, used to store the broker's private key and certificate. keytool prompts for the keystore and key passwords; the rest of the page uses hello123 for both. Note that -validity 100000 days is roughly 274 years; pick a realistic lifetime in production.
```shell
keytool -keystore server.keystore.jks -alias hello_kafka -validity 100000 -genkey
```
-
Create the CA (a self-signed root). openssl prompts for a passphrase for ca-key; the signing step below supplies it as hello123.
```shell
openssl req -new -x509 -keyout ca-key -out ca-cert -days 100000
```
-
Add the generated CA certificate to the client truststore, so clients accept broker certificates issued by it
```shell
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
```
-
Give the broker a truststore containing the CA certificate that signed all clients' keys. This only matters once client authentication is turned on with ssl.client.auth; the server configuration below does not set it (the default is none), so with this setup the broker authenticates itself to clients but clients are not authenticated by certificate.
```shell
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
```
-
Sign the certificate with the CA we generated: first export a certificate signing request (CSR) for the key generated earlier
```shell
keytool -keystore server.keystore.jks -alias hello_kafka -certreq -file cert-file
```
-
Sign the CSR with the CA (pass:hello123 is the passphrase of ca-key; putting it on the command line leaves it in shell history and process listings, so prefer -passin file:... or the interactive prompt):
```shell
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 100000 -CAcreateserial -passin pass:hello123
```
-
Import the CA certificate and then the signed certificate into the keystore (the CA certificate must go in first so keytool can build the chain when importing the signed one)
```shell
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias hello_kafka -import -file cert-signed
```
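The whole CA-and-keystore procedure above, reworked as an added script that is not from the original page and not part of Kafka. It uses only openssl (no keytool) and produces a PKCS#12 keystore, which Kafka accepts when ssl.keystore.type=PKCS12 is set alongside ssl.keystore.location; it also puts the broker's IP and a hostname into a subjectAltName, so that the client section's ssl.endpoint.identification.algorithm can stay at its default instead of being blanked. The IP 192.168.99.51, the alias hello_kafka and the password hello123 are the page's; the hostname kafka.example.test, the 825-day lifetime, the CN strings and the unencrypted CA key are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): CA + broker keystore with OpenSSL only.
# The output keystore is PKCS#12; point Kafka at it with
#   ssl.keystore.type=PKCS12  ssl.keystore.location=.../server.keystore.p12
set -eu

BROKER_IP="192.168.99.51"         # from the page
BROKER_HOST="kafka.example.test"  # assumed hostname for the SAN
ALIAS="hello_kafka"               # page's alias
PASS="hello123"                   # page's password; pick a real one in production
DAYS=825                          # assumed lifetime instead of the page's 100000 days

# make_pki DIR: writes ca-key, ca-cert, broker-key, cert-file (CSR), cert-signed
# and server.keystore.p12 into DIR.
make_pki() {
  dir="$1"
  mkdir -p "$dir"

  # 1. Self-signed CA. The key is left unencrypted (-nodes) for the demo;
  #    in production encrypt it and keep it off the broker host.
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/CN=hello_kafka demo CA" \
    -keyout "$dir/ca-key" -out "$dir/ca-cert" 2>/dev/null

  # 2. Broker key and CSR (replaces keytool -genkey / -certreq).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$BROKER_HOST" \
    -keyout "$dir/broker-key" -out "$dir/cert-file" 2>/dev/null

  # 3. Leaf extensions: SAN with IP and DNS name so hostname verification
  #    succeeds, plus the serverAuth extended key usage.
  printf 'subjectAltName=IP:%s,DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$BROKER_IP" "$BROKER_HOST" > "$dir/leaf.ext"

  # 4. Sign the CSR with the CA (the page's openssl x509 -req step, plus
  #    -extfile so the SAN is copied into the issued certificate).
  openssl x509 -req -sha256 -days "$DAYS" -in "$dir/cert-file" \
    -CA "$dir/ca-cert" -CAkey "$dir/ca-key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/cert-signed" 2>/dev/null

  # 5. Bundle key + leaf + CA into one PKCS#12 keystore under the page's alias
  #    (replaces the two keytool -import steps).
  openssl pkcs12 -export -name "$ALIAS" \
    -inkey "$dir/broker-key" -in "$dir/cert-signed" -certfile "$dir/ca-cert" \
    -passout "pass:$PASS" -out "$dir/server.keystore.p12"
}

# verify_chain DIR: exit 0 iff cert-signed chains to ca-cert.
verify_chain() {
  openssl verify -CAfile "$1/ca-cert" "$1/cert-signed" >/dev/null 2>&1
}

# has_san DIR: exit 0 iff the issued certificate carries the broker IP in its SAN.
has_san() {
  openssl x509 -in "$1/cert-signed" -noout -text | grep -q "IP Address:$BROKER_IP"
}

# keystore_ok DIR: exit 0 iff the PKCS#12 opens with the password and holds the key.
keystore_ok() {
  openssl pkcs12 -in "$1/server.keystore.p12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Usage: sh make-kafka-pki.sh run [output-dir]
if [ "${1:-}" = "run" ]; then
  out="${2:-./ca_temp}"
  make_pki "$out" && verify_chain "$out" && has_san "$out" && keystore_ok "$out" \
    && echo "PKI ready in $out"
fi
```

The client truststore is then just ca-cert itself (import it with keytool as on the page, or use ssl.truststore.type=PEM with ssl.truststore.location pointing at the PEM file on Kafka versions that support it). Because the leaf now names the broker's IP and hostname, a client connecting to either of them passes hostname verification, which is what lets it keep the default ssl.endpoint.identification.algorithm=https.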
Kafka SSL integration (broker-side configuration)
-
Edit config/server.properties. The PLAINTEXT listener on 9092 stays open alongside the new SSL listener, so clients can still connect unencrypted until it is removed; the keystore and truststore passwords sit in clear text in this file, so restrict its permissions to the Kafka user.
```properties
listeners=PLAINTEXT://192.168.99.51:9092,SSL://192.168.99.51:8989
advertised.listeners=PLAINTEXT://192.168.99.51:9092,SSL://192.168.99.51:8989
ssl.keystore.location=/root/tools/ca_temp/server.keystore.jks
ssl.keystore.password=hello123
ssl.key.password=hello123
ssl.truststore.location=/root/tools/ca_temp/server.truststore.jks
ssl.truststore.password=hello123
```
-
Restart Kafka
-
Test the SSL port with openssl. -tls1 pins the client to TLS 1.0; current Kafka versions no longer include TLS 1.0 in the default ssl.enabled.protocols, so if the handshake is rejected use -tls1_2 instead (or drop the flag and let the two sides negotiate). Adding -CAfile ca-cert makes s_client report whether the chain actually verifies against your CA rather than only that a handshake completed.
```shell
openssl s_client -debug -connect 192.168.99.51:8989 -tls1
```
-
Open the firewall port
```shell
firewall-cmd --zone=public --add-port=8989/tcp --permanent
firewall-cmd --reload
```
Kafka client SSL configuration
-
Configuration changes (in producer.properties / consumer.properties, or passed to the client as properties). The empty ssl.endpoint.identification.algorithm= disables hostname verification (the default since Kafka 2.0 is https). It is needed here only because the broker certificate generated above has no subject alternative name matching 192.168.99.51, but it also means any certificate issued by this CA can impersonate the broker; issuing the broker certificate with a SAN for its IP or hostname and leaving the setting at its default is the safer choice.
```properties
security.protocol=SSL
ssl.endpoint.identification.algorithm=
ssl.truststore.location=/root/tools/ca_temp/client.truststore.jks
ssl.truststore.password=hello123
```