nodece commented on code in PR #432:
URL: https://github.com/apache/pulsar-site/pull/432#discussion_r1118803936
##########
docs/security-tls-authentication.md:
##########
@@ -1,45 +1,92 @@
---
id: security-tls-authentication
-title: Authentication using TLS
-sidebar_label: "Authentication using TLS"
+title: Authentication using mTLS
+sidebar_label: "Authentication using mTLS"
---
````mdx-code-block
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
````
-## TLS authentication overview
+## mTLS authentication overview
-TLS authentication is an extension of [TLS transport
encryption](security-tls-transport.md). Not only servers have keys and certs
that the client uses to verify the identity of servers, clients also have keys
and certs that the server uses to verify the identity of clients. You must have
TLS transport encryption configured on your cluster before you can use TLS
authentication. This guide assumes you already have TLS transport encryption
configured.
+Mutual TLS (mTLS) is a mutual authentication mechanism. Not only servers have
keys and certs that the client uses to verify the identity of servers, clients
also have keys and certs that the server uses to verify the identity of
clients.
-## Enable TLS authentication on brokers/proxies
+The following figure illustrates how Pulsar processes mTLS authentication
between clients and servers.
-To configure brokers/proxies to authenticate clients using Mutual TLS, add the
following parameters to the `conf/broker.conf` and the `conf/proxy.conf` file.
If you use a standalone Pulsar, you need to add these parameters to the
`conf/standalone.conf` file:
+
+
+## Enable mTLS authentication on brokers
+
+To configure brokers to authenticate clients using mTLS, add the following
parameters to the `conf/broker.conf`. If you use a standalone Pulsar, you need
to add these parameters to the `conf/standalone.conf` file:
```properties
-# Configuration to enable authentication
+# enable authentication
authenticationEnabled=true
+# set TLS authentication plugin
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
+# configure TLS for client to connect brokers
+brokerClientTlsEnabled=true
+brokerClientTrustCertsFilePath=/path/to/ca.cert.pem
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters={"tlsCertFile":"/path/to/admin.cert.pem","tlsKeyFile":"/path/to/admin.key-pk8.pem"}
-brokerClientTrustCertsFilePath=/path/to/ca.cert.pem
+# configure TLS ports
+brokerServicePortTls=6651
+webServicePortTls=8081
+
+# configure CA certificate
+tlsTrustCertsFilePath=/path/to/ca.cert.pem
+# configure server certificate
tlsCertificateFilePath=/path/to/broker.cert.pem
+# configure server's private key
tlsKeyFilePath=/path/to/broker.key-pk8.pem
-tlsTrustCertsFilePath=/path/to/ca.cert.pem
+# enable mTLS
tlsRequireTrustedClientCertOnConnect=true
tlsAllowInsecureConnection=false
# Tls cert refresh duration in seconds (set 0 to check on every new connection)
tlsCertRefreshCheckDurationSec=300
```
-## Configure TLS authentication in Pulsar clients
+## Enable mTLS authentication on proxies
+
+To configure proxies to authenticate clients using mTLS, add the following
parameters to the `conf/proxy.conf` file.
-When using TLS authentication, clients connect via TLS transport. You need to
configure clients to use `https://` and the `8443` port for the web service
URL, use `pulsar+ssl://` and the `6651` port for the broker service URL.
+```properties
+# enable authentication
+authenticationEnabled=true
+# set TLS authentication plugin
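Review bot: The new overview paragraph (`+Mutual TLS (mTLS) is a mutual authentication mechanism...`) drops both the link to `[TLS transport encryption](security-tls-transport.md)` and the removed statement that transport encryption must already be configured before TLS authentication can be used; mTLS authentication still depends on that setup, so keep the prerequisite sentence and the link in the rewritten overview. Two smaller points in the same hunk: the broker block sets `webServicePortTls=8081` while the removed client paragraph tells clients to use the `8443` web service port, so choose one port and use it consistently across the page; and `+The following figure illustrates how Pulsar processes mTLS authentication` is followed only by blank `+` lines, so confirm the image reference is actually present in the file.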
Review Comment:
```suggestion
# set TLS authentication provider
```
##########
docs/security-tls-authentication.md:
##########
+```properties
+# enable authentication
+authenticationEnabled=true
+# set TLS authentication plugin
Review Comment:
```suggestion
# set mTLS authentication provider
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]