itskannanraj commented on issue #6236:
URL: https://github.com/apache/pulsar/issues/6236#issuecomment-931570875


   > @sijie @skyrocknroll @rounak11, I did not have time to prepare a document when I completed enabling TLS in February. Hope the following config is helpful: bin/pulsar (sh file) and conf files.
   > 
   > # ZooKeeper:
   > ```
   > elif [ $COMMAND == "zookeeper" ]; then
   >     PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"zookeeper.log"}
   >     ZK_OPTS=" -Dzookeeper.4lw.commands.whitelist=* \
   > -Dzookeeper.snapshot.trust.empty=true \
   > -Djava.security.auth.login.config=conf/zk_jaas.conf \
   > -Dzookeeper.requireClientAuthScheme=sasl -Dzookeeper.sasl.client=true \
   > -Dzookeeper.sasl.clientconfig=Client \
   > -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory \
   > -Dzookeeper.ssl.keyStore.location=keys/KeyStore.jks \
   > -Dzookeeper.ssl.keyStore.password=keys/jkspassword \
   > -Dzookeeper.ssl.trustStore.location=keys/TrustStore.jks \
   > -Dzookeeper.ssl.trustStore.password=keys/jkspassword \
   > -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty \
   > -Dzookeeper.client.secure=true \
   > -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider \
   > -Dzookeeper.authProvider.2=org.apache.zookeeper.server.auth.SASLAuthenticationProvider \
   > -Dzookeeper.authProvider.3=org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
   > ```
   > 
   > # zookeeper.conf:
   > ```
   > secureClientPort=2281
   > 
   > quorum.auth.enableSasl=true
   > quorum.auth.learnerRequireSasl=true
   > quorum.auth.serverRequireSasl=true
   > quorum.auth.learner.saslLoginContext=QuorumLearner
   > quorum.auth.server.saslLoginContext=QuorumServer
   > 
   > requireClientAuthScheme=sasl
   > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   > authProvider.2=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   > authProvider.3=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
   > ```
   > 
   > # Bookkeeper:
   > ```
   > elif [ $COMMAND == "bookie" ]; then
   >     PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"bookkeeper.log"}
   >     # Pass BOOKIE_EXTRA_OPTS option defined in pulsar_env.sh
   >     BOOKIE_EXTRA_OPTS=" -Djavax.net.debug=all \
   > -Djavax.net.debug=ssl:handshake:verbose -Dzookeeper.client.secure=true \
   > -Djava.security.auth.login.config=conf/bk_jaas.conf"
   >     OPTS="$OPTS $BOOKIE_EXTRA_OPTS"
   >     exec $JAVA $OPTS -Dpulsar.log.file=$PULSAR_LOG_FILE \
   >         org.apache.bookkeeper.proto.BookieServer --conf $PULSAR_BOOKKEEPER_CONF $@
   > ```
   > 
   > # bookkeeper.conf:
   > ```
   > tlsProvider=OpenSSL
   > tlsProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
   > tlsClientAuthentication=true
   > tlsEnabledProtocols=TLSv1.2
   > tlsKeyStoreType=JKS
   > tlsKeyStore=bookie.keystore.jks
   > tlsKeyStorePasswordPath=bookie.keystore.passwd
   > tlsTrustStoreType=JKS
   > tlsTrustStore=bookie.truststore.jks
   > tlsTrustStorePasswordPath=bookie.truststore.passwd
   > clientTrustStore=client.truststore.jks
   > clientTrustStorePasswordPath=client.truststore.passwd
   > clientKeyStore=client.keystore.jks
   > clientKeyStorePasswordPath=client.keystore.passwd
   > ```
   > 
   > # Pulsar(Broker):
   > ```
   > if [ $COMMAND == "broker" ]; then
   >     PULSAR_LOG_FILE=${PULSAR_LOG_FILE:-"pulsar-broker.log"}
   >     exec $JAVA $OPTS -Djavax.net.debug=all -Djavax.net.debug=ssl:handshake:verbose \
   >         -Djava.security.auth.login.config=bk_jaas.conf $ASPECTJ_AGENT \
   >         -Dpulsar.log.file=$PULSAR_LOG_FILE org.apache.pulsar.PulsarBrokerStarter \
   >         --broker-conf $PULSAR_BROKER_CONF $@
   > ```
   > 
   > # broker.conf
   > ```
   > tlsEnabled=true
   > tlsCertRefreshCheckDurationSec=300
   > tlsCertificateFilePath=tls.crt.pem
   > tlsKeyFilePath=tls.key.pem
   > tlsTrustCertsFilePath=ca.cert.pem
   > tlsAllowInsecureConnection=false
   > tlsProtocols=TLSv1.2,TLSv1.1
   > tlsRequireTrustedClientCertOnConnect=false
   > authenticationEnabled=true
   > authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
   > authorizationEnabled=false
   > authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
   > brokerClientTlsEnabled=true
   > brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
   > brokerClientAuthenticationParameters=tlsCertFile:tls.crt.pem,tlsKeyFile:tls.key.pem
   > brokerClientTrustCertsFilePath=ca.cert.pem
   > bookkeeperTLSProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
   > bookkeeperTLSClientAuthentication=true
   > bookkeeperTLSKeyFileType=JKS
   > bookkeeperTLSTrustCertTypes=JKS
   > bookkeeperTLSKeyStorePasswordPath=bookie.keystore.passwd
   > bookkeeperTLSTrustStorePasswordPath=bookie.truststore.passwd
   > ```
   
   @hari819 could you paste the jaas.conf file here?
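The broker.conf quoted above works, but a few of its values are worth a second look before it is copied into production: `tlsProtocols` still offers TLSv1.1, `tlsRequireTrustedClientCertOnConnect=false` leaves client-certificate enforcement to the authentication provider rather than the TLS handshake, and `authorizationEnabled=false` means every authenticated client has full access. The following script is an added example (not code from this thread, from hari819, or from the Pulsar project): it parses key=value settings in broker.conf style and reports the weak ones, then shows the same config with the corrected values. The setting names are the real broker.conf keys from the quoted comment; the sample text is that quoted config, the severity wording is constructed, and the TLSv1.3 value in the hardened overrides assumes a JVM that supports it.

```python
"""Lint a Pulsar broker.conf-style key=value file for TLS/auth settings that weaken
the posture. Added example; not the thread's, the poster's, or the project's code."""

# Protocol versions deprecated by RFC 8996; offering them allows a downgrade.
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed sample: the broker.conf settings quoted in the comment above.
SAMPLE_BROKER_CONF = """\
tlsEnabled=true
tlsCertRefreshCheckDurationSec=300
tlsCertificateFilePath=tls.crt.pem
tlsKeyFilePath=tls.key.pem
tlsTrustCertsFilePath=ca.cert.pem
tlsAllowInsecureConnection=false
tlsProtocols=TLSv1.2,TLSv1.1
tlsRequireTrustedClientCertOnConnect=false
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
authorizationEnabled=false
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
brokerClientTlsEnabled=true
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters=tlsCertFile:tls.crt.pem,tlsKeyFile:tls.key.pem
brokerClientTrustCertsFilePath=ca.cert.pem
"""

# Corrected values for the findings below (TLSv1.3 assumes a JVM that supports it).
HARDENED_OVERRIDES = {
    "tlsProtocols": "TLSv1.2,TLSv1.3",
    "tlsRequireTrustedClientCertOnConnect": "true",
    "authorizationEnabled": "true",
}


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are skipped, last key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_true(conf, key, default="false"):
    """Pulsar booleans are the literal strings true/false."""
    return conf.get(key, default).lower() == "true"


def check_tls_posture(conf):
    """Return (setting, finding) pairs for values that weaken TLS or access control."""
    findings = []

    if not is_true(conf, "tlsEnabled"):
        findings.append(("tlsEnabled", "TLS listener is not enabled"))

    offered = {p.strip() for p in conf.get("tlsProtocols", "").split(",") if p.strip()}
    weak = sorted(offered & DEPRECATED_TLS)
    if weak:
        findings.append(("tlsProtocols", "deprecated versions offered: " + ", ".join(weak)))

    if is_true(conf, "tlsAllowInsecureConnection"):
        findings.append(("tlsAllowInsecureConnection", "peer certificate validation disabled"))

    # With AuthenticationProviderTls, the client cert is the credential; require it at
    # the handshake so untrusted peers never reach the authentication stage.
    if ("AuthenticationProviderTls" in conf.get("authenticationProviders", "")
            and not is_true(conf, "tlsRequireTrustedClientCertOnConnect")):
        findings.append(("tlsRequireTrustedClientCertOnConnect",
                         "client cert not required at handshake; rejection deferred to auth"))

    if is_true(conf, "authenticationEnabled") and not is_true(conf, "authorizationEnabled"):
        findings.append(("authorizationEnabled",
                         "authentication on but authorization off: any authenticated "
                         "client has full access"))

    if is_true(conf, "brokerClientTlsEnabled") and not conf.get("brokerClientTrustCertsFilePath"):
        findings.append(("brokerClientTrustCertsFilePath",
                         "broker client TLS has no trust anchor configured"))
    return findings


def hardened(conf):
    """Return a copy of conf with the corrected values applied."""
    return {**conf, **HARDENED_OVERRIDES}


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_BROKER_CONF)
    for setting, finding in check_tls_posture(parsed):
        print(f"{setting}={parsed.get(setting, '<unset>')}: {finding}")
    print("after overrides:", check_tls_posture(hardened(parsed)))
```

Run against the quoted config it prints three findings (the TLSv1.1 offer, the deferred client-cert check, and authorization being off) and an empty list once the overrides are applied. The bookie-side config quoted above already pins `tlsEnabledProtocols=TLSv1.2` and `tlsClientAuthentication=true`, so the same checks would pass there.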

