jai1 commented on a change in pull request #1297: Add Configuration to set tlsClientAuth URL: https://github.com/apache/incubator-pulsar/pull/1297#discussion_r177008602
########## File path: pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java ########## 
@@ -61,24 +67,42 @@ protected void internalSetUpForBroker() throws Exception {
 conf.setTlsEnabled(true);
 conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
 conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
 conf.setClusterName(clusterName);
+ conf.setTlsRequireTrustedClientCertOnConnect(true);
+ Set<String> tlsProtocols = Sets.newConcurrentHashSet();
+ tlsProtocols.add("TLSv1.2");
+ conf.setTlsProtocols(tlsProtocols);
 }
- protected void internalSetUpForClient() throws Exception {
- String lookupUrl = new URI("pulsar+ssl://localhost:" + BROKER_PORT_TLS).toString();
- pulsarClient = PulsarClient.builder().serviceUrl(lookupUrl).tlsTrustCertsFilePath(TLS_SERVER_CERT_FILE_PATH)
- .enableTls(true).build();
+ protected void internalSetUpForClient(boolean addCertificates, String lookupUrl) throws Exception {
+ ClientConfiguration clientConf = new ClientConfiguration();
+ clientConf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ clientConf.setUseTls(true);
+ clientConf.setTlsAllowInsecureConnection(false);
+ if (addCertificates) {
+ Map<String, String> authParams = new HashMap<>();
+ authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
+ authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ clientConf.setAuthentication(AuthenticationTls.class.getName(), authParams);
Review comment: > We need to use AuthenticationTls to SEND client certs whenever we enable requireTrustedClientCertificate If TLS is enabled and we want to authenticate using the CNAME in the Client Certs (Default TLS authentication that pulsar provides) then we need to use AuthenticationTls irrespective of requireTrustedClientCertificate If we want to use a different authentication method where the connection is TLS but we don't use client certs to authenticate then `requireTrustedClientCertificate` should be false. 
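Review bot: The new `internalSetUpForClient(boolean addCertificates, String lookupUrl)` has no Javadoc, and because the broker half of the same hunk now calls `conf.setTlsRequireTrustedClientCertOnConnect(true)`, a reader cannot tell whether `addCertificates=false` is meant to build a client the broker should reject (a negative test) or is simply an incomplete positive setup. I would add above the method: `/** Configures the TLS test client; with addCertificates=false no client certificate is sent, which a broker running with tlsRequireTrustedClientCertOnConnect=true is expected to refuse. */` — reword if the rejection is asserted differently in the callers. Separately, `Sets.newConcurrentHashSet()` plus a single `add` for one hard-coded protocol is heavier than the test needs; `conf.setTlsProtocols(Sets.newHashSet("TLSv1.2"));` expresses the same intent in one line, assuming the setter accepts any `Set<String>`. The body of internalSetUpForClient continues past the end of the quoted hunk.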