apache kafka可以使用SSL加密连接,还可以限制客户端访问,
给客户端发行证书,只允许持有证书的客户端访问。
下面使用jdk的keytool工具来生成证书,配置kafka。
为了便于演示,ca和服务器证书使用相同的密码,如下:
KSPASS=xxxx
客户端证书密码如下:
CLIENT_PASS=yyyy
# 生成 keytool -genkeypair -keystore mycastore.jks -storepass ${KSPASS} -alias myca -validity 365 -dname CN=ca,C=cn -ext bc:c #(注意有效天数。默认是90天。) # 导出 keytool -exportcert -keystore mycastore.jks -storepass ${KSPASS} -alias myca -rfc -file myca.cer # 查看 keytool -list -keystore mycastore.jks -storepass ${KSPASS} keytool -printcert -file myca.cer
# 生成 keytool -genkeypair -keystore server.keystore.jks -storepass ${KSPASS} -alias server -keypass ${KSPASS} -validity 365 -dname CN=127.0.0.1,C=cn # 生成证书请求 keytool -certreq -keystore server.keystore.jks -storepass ${KSPASS} -alias server -keypass ${KSPASS} -file server.csr # ca签名 keytool -gencert -keystore mycastore.jks -storepass ${KSPASS} -alias myca -keypass ${KSPASS} -validity 365 -infile server.csr -outfile server.cer # 查看 keytool -printcert -file server.cer # 导入ca证书,生成truststore keytool -importcert -keystore server.truststore.jks -storepass ${KSPASS} -alias myca -keypass ${KSPASS} -file myca.cer # 导入ca证书到keystore keytool -importcert -keystore server.keystore.jks -storepass ${KSPASS} -alias myca -keypass ${KSPASS} -file myca.cer # 导入server证书到keystore keytool -importcert -keystore server.keystore.jks -storepass ${KSPASS} -alias server -keypass ${KSPASS} -file server.cer
# 生成 keytool -genkeypair -keystore client1.keystore.jks -storepass ${CLIENT_PASS} -alias client1 -keypass ${CLIENT_PASS} -validity 365 -dname CN=client1,C=cn # 生成证书请求 keytool -certreq -keystore client1.keystore.jks -storepass ${CLIENT_PASS} -alias client1 -keypass ${CLIENT_PASS} -file client1.csr # ca签名 keytool -gencert -keystore mycastore.jks -storepass ${KSPASS} -alias myca -keypass ${KSPASS} -validity 365 -infile client1.csr -outfile client1.cer # 查看 keytool -printcert -file client1.cer # 导入ca证书,生成truststore keytool -importcert -keystore client1.truststore.jks -storepass ${CLIENT_PASS} -alias myca -keypass ${CLIENT_PASS} -file myca.cer # 导入ca证书到keystore keytool -importcert -keystore client1.keystore.jks -storepass ${CLIENT_PASS} -alias myca -keypass ${CLIENT_PASS} -file myca.cer # 导入server证书到keystore keytool -importcert -keystore client1.keystore.jks -storepass ${CLIENT_PASS} -alias client1 -keypass ${CLIENT_PASS} -file client1.cer
(内网使用9092端口明文,外网使用9093端口SSL)
ssl.keystore.location=server.keystore.jks ssl.keystore.password=xxx ssl.key.password=xxx ssl.truststore.location=server.truststore.jks ssl.truststore.password=xxx ssl.client.auth=required listeners=PLAINTEXT://0.0.0.0:9092,SSL://:9093 advertised.listeners=PLAINTEXT://10.1.1.1:9092,SSL://x.x.x.x:9093
bootstrap.servers=x.x.x.x:9093 ssl.protocol=SSL security.protocol=SSL ssl.keystore.location=client1.keystore.jks ssl.keystore.password=xxx ssl.key.password=xxx ssl.truststore.location=client1.truststore.jks ssl.truststore.password=xxx