momo-jun commented on code in PR #432: URL: https://github.com/apache/pulsar-site/pull/432#discussion_r1115786444
########## docs/security-tls-authentication.md: ########## @@ -1,45 +1,90 @@ --- id: security-tls-authentication -title: Authentication using TLS -sidebar_label: "Authentication using TLS" +title: Authentication using mTLS +sidebar_label: "Authentication using mTLS" --- ````mdx-code-block import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; ```` -## TLS authentication overview +## mTLS authentication overview -TLS authentication is an extension of [TLS transport encryption](security-tls-transport.md). Not only servers have keys and certs that the client uses to verify the identity of servers, clients also have keys and certs that the server uses to verify the identity of clients. You must have TLS transport encryption configured on your cluster before you can use TLS authentication. This guide assumes you already have TLS transport encryption configured. +Mutual TLS (mTLS) is a mutual authentication mechanism. Not only servers have keys and certs that the client uses to verify the identity of servers, clients also have keys and certs that the server uses to verify the identity of clients. This guide assumes you already have [TLS transport encryption](security-tls-transport.md) configured. Review Comment: Updated. ########## docs/security-tls-transport.md: ########## 
@@ -186,13 +186,21 @@ At this point, you have a cert `client.cert.pem` and a key `client.key-pk8.pem`, To configure a Pulsar [broker](reference-terminology.md#broker) to use TLS encryption, you need to add these values to `broker.conf` in the `conf` directory of your Pulsar installation. Substitute the appropriate certificate paths where necessary. ```properties +# configure TLS ports brokerServicePortTls=6651 webServicePortTls=8081 -tlsRequireTrustedClientCertOnConnect=true + +# configure CA certificate +tlsTrustCertsFilePath=/path/to/ca.cert.pem +# configure server certificate tlsCertificateFilePath=/path/to/broker.cert.pem +# configure server's priviate key tlsKeyFilePath=/path/to/broker.key-pk8.pem -tlsTrustCertsFilePath=/path/to/ca.cert.pem +# enable mTLS +tlsRequireTrustedClientCertOnConnect=true + +# configure mTLS Review Comment: Updated. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
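Review bot: In the `docs/security-tls-authentication.md` hunk, the rewritten overview drops the hard prerequisite that the removed text stated ("You must have TLS transport encryption configured on your cluster before you can use TLS authentication") and replaces it with the weaker "This guide assumes you already have [TLS transport encryption](security-tls-transport.md) configured." Since mTLS cannot work without the broker's TLS listener and server certificate, keep the requirement explicit, e.g. "mTLS requires [TLS transport encryption](security-tls-transport.md) to be configured on the cluster first; this guide assumes that is already done." The opening sentence "Mutual TLS (mTLS) is a mutual authentication mechanism." is also circular; the following sentence already says what it means, so either delete it or say what is mutual about it ("In mutual TLS (mTLS) both sides present a certificate: ...").

Review bot: In the `docs/security-tls-transport.md` hunk, the added comment `+# configure server's priviate key` has a typo; it should read `# configure server's private key`. Since these comments are copied into `broker.conf` by users, it is worth fixing before merge.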
