nkalmar commented on a change in pull request #826: ZOOKEEPER-2750. Document SSL Support for Atomic Broadcast protocol
URL: https://github.com/apache/zookeeper/pull/826#discussion_r258562416
 
 

 ##########
 File path: zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
 ##########
 @@ -1254,39 +1312,124 @@ to **org.apache.zookeeper.ClientCnxnSocketNetty**.
 
 TBD - tuning options for netty - currently there are none that are netty 
specific but we should add some. Esp around max bound on the number of reader 
worker threads netty creates.
 
-TBD - how to manage encryption
+<a name="Quorum+TLS"></a>
 
-TBD - how to manage certificates
+#### Quorum TLS
 
-<a name="sc_adminserver_config"></a>
+*New in 3.5.5*
 
-#### AdminServer configuration
+Based on the Netty Framework ZooKeeper ensembles can be set up
+to use TLS encryption in their communication channels. This section
+describes how to set up encryption on the quorum communication.
 
-**New in 3.5.0:** The following
-options are used to configure the [AdminServer](#sc_adminserver).
+Please note that Quorum TLS encapsulates securing both leader election
+and quorum communication protocols.
 
-* *admin.enableServer* :
-    (Java system property: **zookeeper.admin.enableServer**)
-    Set to "false" to disable the AdminServer.  By default the
-    AdminServer is enabled.
+1. Create SSL keystore JKS to store local credentials
 
-* *admin.serverAddress* :
-    (Java system property: **zookeeper.admin.serverAddress**)
-    The address the embedded Jetty server listens on. Defaults to 0.0.0.0.
+One keystore should be created for each ZK instance.
 
-* *admin.serverPort* :
-    (Java system property: **zookeeper.admin.serverPort**)
-    The port the embedded Jetty server listens on.  Defaults to 8080.
+In this example we generate a self-signed certificate and store it 
+together with the private key in `keystore.jks`. This is suitable for 
+testing purposes, but you probably need an official certificate to sign 
+your keys in a production environment.
 
-* *admin.idleTimeout* :
-    (Java system property: **zookeeper.admin.idleTimeout**)
-    Set the maximum idle time in milliseconds that a connection can wait
-    before sending or receiving data. Defaults to 30000 ms.
+Please note that the alias (`-alias`) and the (`-dname`) (distinguished name)
+must match the hostname of the machine that is associated with, otherwise 
+hostname verification won't work.
+
+```
+keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keysize 2048 -dname 
"cn=$(hostname -f)" -keypass password -keystore keystore.jks -storepass password
+```
+
+2. Extract the signed public key (certificate) from keystore 
+
+*This step might only necessary for self-signed certificates.*
 
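Review bot: The `keytool` command added in this hunk hard-codes `-keypass password -storepass password`, so anyone who copies the documented procedure ends up with a keystore protected by a trivial password that is also recorded in shell history and visible in the process list while the command runs; suggest replacing the literal with a clearly marked placeholder and noting that `keytool` prompts for both passwords when the flags are omitted (or can read them via `-storepass:env` / `-storepass:file`). The command also sets no `-validity`, so keytool's default of 90 days applies and the self-signed quorum certificate will expire shortly after setup; add `-validity <days>` to the example or state the default explicitly. The hostname-verification paragraph says the `-dname` must match the hostname, but the command only places the name in the CN; consider also adding `-ext SAN=dns:$(hostname -f)` so the certificate carries a subject alternative name as well. Minor wording in the same hunk: "the machine that is associated with" should read "the machine it is associated with", "the (`-dname`) (distinguished name)" reads better as "the distinguished name (`-dname`)", and "Based on the Netty Framework ZooKeeper ensembles" needs a comma after "Framework".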
 Review comment:
  nit: This sounds strange, I think a "be" is missing (step might be only ...), or rewrite to something like:
  This step might be unnecessary for official certificates.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services