How to check SSL works for Kafka

I managed to configure SSL in my brokers and Kafka client, and I can also see that when we produce a message using port 9093, which is an SSL port, the message is consumed by the consumer.

What I tried is to send a message through port 9093, and the message is delivered from the producer to the consumer.

What I want to know is whether there is a way to make sure this really works. I mean, how can I prove that 9092 is not SSL, but 9093 is SSL and is secured?

Thanks in advance, Vishesh.

+5
source
3 answers

Below are two ways to check your SSL configuration.

  • Add -Djavax.net.debug=all to bin/kafka-run-class.sh, in the same place as:

      if [ -z "$KAFKA_JMX_OPTS" ]; then
        KAFKA_JMX_OPTS=" <**add here**> -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false "
      fi

    then tail the Kafka broker log file; you will see some encrypted messages.

  • To verify that the server keystore and truststore are configured correctly, you can run the following command:

      openssl s_client -debug -connect localhost:9093 -tls1

    Note: TLSv1 must be listed in ssl.enabled.protocols.

    In the output of this command, you will see the server certificate:

      -----BEGIN CERTIFICATE-----
      {variable sized random bytes}
      -----END CERTIFICATE-----
      subject=/C=US/ST=CA/L=Santa Clara/O=org/OU=org/CN=Joe Smith
      issuer=/C=US/ST=CA/L=Santa Clara/O=org/OU=org/CN=kafka/emailAddress=test@test.com

    If the certificate does not appear or there are other error messages, your keystore is not configured correctly.

+2
source
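The two checks in the answer above can be scripted so that the comparison the question asks for (9092 is plaintext, 9093 is SSL) is repeatable. The following is an added example written for this thread, not code from any of the answers: `probe_tls` attempts a TLS handshake against a port and reports whether the listener answered with a certificate, and `parse_s_client_output` pulls the certificate, subject and issuer out of `openssl s_client` output. The hosts and ports (localhost, 9092, 9093) are assumptions taken from the question, the `openssl` output sample is constructed, and the fake plaintext listener exists only so the probe can be exercised offline.

```python
"""Tell a TLS (SSL) Kafka listener from a plaintext one.

Added example for this thread, not code from the original answers.
Host and ports (localhost, 9092, 9093) are assumptions taken from the
question; adjust them for your brokers.
"""
import re
import socket
import socketserver
import ssl
import threading


def probe_tls(host, port, timeout=5.0):
    """Open a TCP connection and attempt a TLS handshake.

    Returns {"tls": True, ...} when the listener answers with a TLS
    ServerHello and a certificate, {"tls": False, "reason": ...} otherwise.
    Certificate verification is deliberately off here: the goal is only to
    learn whether the port speaks TLS at all. Whether the certificate is
    trusted is a separate check against the truststore.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert_der = tls.getpeercert(binary_form=True) or b""
                return {
                    "tls": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "cert_der_bytes": len(cert_der),
                }
    except ssl.SSLError as exc:
        # Typical for a plaintext listener: it does not understand the
        # ClientHello and drops the connection, so the client sees an EOF
        # or a "wrong version number" error instead of a ServerHello.
        reason = getattr(exc, "reason", None) or str(exc)
        return {"tls": False, "reason": "SSLError: %s" % reason}
    except OSError as exc:
        # ConnectionRefused, ConnectionReset and timeouts are OSError subclasses.
        return {"tls": False, "reason": type(exc).__name__}


_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
_SUBJECT_RE = re.compile(r"^subject=(.+)$", re.M)
_ISSUER_RE = re.compile(r"^issuer=(.+)$", re.M)


def parse_s_client_output(text):
    """Extract the facts the answer above looks for in `openssl s_client` output."""
    subject = _SUBJECT_RE.search(text)
    issuer = _ISSUER_RE.search(text)
    return {
        "certificate_present": _CERT_RE.search(text) is not None,
        "subject": subject.group(1).strip() if subject else None,
        "issuer": issuer.group(1).strip() if issuer else None,
    }


# Constructed sample of what `openssl s_client -connect localhost:9093` prints
# for a working SSL listener; the base64 body is a placeholder, not a real cert.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64BODY...
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=Santa Clara/O=org/OU=org/CN=Joe Smith
issuer=/C=US/ST=CA/L=Santa Clara/O=org/OU=org/CN=kafka/emailAddress=test@test.com
---
"""

# Constructed sample for a port that does not speak TLS: no certificate block.
SAMPLE_PLAINTEXT_OUTPUT = "CONNECTED(00000003)\nno peer certificate available\n"


class _PlaintextHandler(socketserver.BaseRequestHandler):
    """Stand-in for a plaintext listener: reads a 4-byte frame length and hangs
    up, the way a non-TLS service reacts to an unexpected ClientHello."""

    def handle(self):
        self.request.recv(4)


def start_fake_plaintext_listener():
    """Start the stand-in on an ephemeral localhost port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _PlaintextHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # Assumed broker ports from the question: 9092 plaintext, 9093 SSL.
    for port in (9092, 9093):
        print(port, probe_tls("localhost", port))
```

Run against a real broker, the expected picture is `{"tls": False, ...}` for 9092 and `{"tls": True, "protocol": "TLSv1.2", ...}` (or TLSv1.3) for 9093. A `tls: True` result only proves that the listener negotiates TLS; pass the broker's truststore to `openssl s_client -CAfile` or keep `verify_mode` at its default to also confirm that the certificate chains to the expected CA.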

We tried to configure Kafka with SSL and faced the same problem of cross-checking whether it really works over SSL. I deleted the PLAINTEXT listener entry and saved the configuration, so that only SSL was available, and tested. We were able to send and receive a message with SSL on the secure port 9093.

In the logs this gives a WARNING, but that is about client authentication, so no problem; after checking, I added the PLAINTEXT entry back.

I know this is not the best way to check, but it worked for me.

0
source

When you specify security.protocol=SSL, the client cannot use another protocol. For more evidence, as mentioned above, you can edit kafka-run-class.sh to enable all debugging and verify that SSL handshakes are occurring and that metadata is being sent through the SSL channel.

Thanks Akasha

-1
source

Source: https://habr.com/ru/post/1244337/
