[ 
https://issues.apache.org/jira/browse/STORM-3123?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vipin Rathor updated STORM-3123:
--------------------------------
    Description: 
Storm Kafka Monitor has no option to read / parse SSL truststore/keystore 
properties which are required to connect to Kafka running over two-way SSL. As 
a fix, it needs to understand the following additional Kafka properties:
{code:java}
ssl.truststore.location=<truststore-file>
ssl.truststore.password=<password>
ssl.keystore.location=<keystore-file>
ssl.keystore.password=<password>
ssl.key.password=<password>
{code}
Since the JVM has a fallback mechanism for loading the SSL truststore, Storm Kafka 
Monitor would always end up using some truststore and would eventually work with 
one-way SSL (which is also the default for a Kafka setup).

Since there is no such fallback for the SSL keystore, Storm Kafka Monitor would 
start without a keystore and would eventually throw this error (in SSL debug 
mode):
{code:java}
Warning: no suitable certificate found - continuing without client 
authentication
*** Certificate chain
<Empty>
***
{code}
At this point, the Kafka broker would complain about the above like this:
{code:java}
kafka-network-thread-1002-SSL-7, READ: TLSv1.2 Handshake, length = 141
*** Certificate chain
<Empty>
***
kafka-network-thread-1002-SSL-7, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
{code}
Therefore, in the absence of this fix, the only available workaround is to 
stick to one-way SSL in Kafka (i.e. keep ssl.client.auth=none in Kafka).

  was:
Storm Kafka Monitor has no option to read / parse SSL truststore/keystore 
properties which are required to connect to Kafka running over two-way SSL. As 
a fix, it needs to understand the following additional Kafka properties:
{code:java}
ssl.truststore.location=<truststore-file>
ssl.truststore.password=<password>
ssl.keystore.location=<keystore-file>
ssl.keystore.password=<password>
ssl.key.password=<password>
{code}
Since the JVM has a fallback mechanism for loading the truststore, Storm Kafka Monitor 
would always end up using some truststore and would eventually work with one-way 
SSL (which is also the default for a Kafka setup).

Therefore, in the absence of this fix, the only available workaround is to 
stick to one-way SSL in Kafka (i.e. keep ssl.client.auth=none in Kafka).


> Storm Kafka Monitor does not work with Kafka over two-way SSL
> -------------------------------------------------------------
>
>                 Key: STORM-3123
>                 URL: https://issues.apache.org/jira/browse/STORM-3123
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-kafka-monitor
>    Affects Versions: 1.2.2
>            Reporter: Vipin Rathor
>            Priority: Major
>
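The following preflight check is added example code written for this page; it is not part of Apache Storm, storm-kafka-monitor or Kafka. It parses a Kafka client properties file and applies the rule the report describes: a missing truststore is tolerated because the JVM falls back to its default store, whereas a missing keystore means the client sends an empty certificate chain and fails against a broker with ssl.client.auth=required. The two sample property sets, the file_exists/sniff injection points and the magic-byte sniff of the keystore file are assumptions made for this example (the JKS/JCEKS magic numbers are the standard ones); the note that ssl.key.password falls back to the keystore password is also an assumption about client behaviour.

```python
"""Preflight check for Kafka client SSL properties (constructed example).

Encodes the asymmetry from STORM-3123: ssl.truststore.* may be absent (JVM
default truststore is used), but ssl.keystore.* has no fallback, so without
it the client presents an empty certificate chain and a broker that enforces
ssl.client.auth=required aborts the handshake with "null cert chain".
"""
import os
import re

# Magic bytes of the keystore formats a Java client accepts.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
JCEKS_MAGIC = b"\xce\xce\xce\xce"

# Constructed sample configs (assumed paths/passwords, not from the issue):
# one-way SSL as most operators start with, and the two-way set the issue
# says storm-kafka-monitor needs to understand.
ONE_WAY_PROPS = """\
# one-way SSL: only the broker is authenticated
security.protocol=SSL
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=changeit
"""

TWO_WAY_PROPS = """\
security.protocol=SSL
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=changeit
ssl.keystore.location = /etc/kafka/client.keystore.jks
ssl.keystore.password: keystorepass
ssl.key.password=keypass
"""


def parse_java_properties(text):
    """Parse java.util.Properties syntax: '#'/'!' comments, '=' / ':' /
    whitespace as key-value separator, backslash line continuation."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def sniff_keystore_bytes(head):
    """Classify a keystore file from its leading bytes."""
    if head.startswith(JKS_MAGIC):
        return "JKS"
    if head.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if head.startswith(b"-----"):
        return "PEM"
    if head[:1] == b"\x30":  # DER SEQUENCE: a PKCS#12 container
        return "PKCS12"
    return "unknown"


def sniff_keystore_file(path):
    with open(path, "rb") as f:
        return sniff_keystore_bytes(f.read(5))


def check_ssl_config(props, file_exists=os.path.isfile, sniff=sniff_keystore_file):
    """Classify the config as one-way or two-way SSL and list what would fail
    at handshake time. file_exists and sniff are injectable so the check can
    run offline against the constructed samples."""
    errors, notes = [], []

    ts = props.get("ssl.truststore.location")
    if ts is None:
        # Not fatal: the JVM falls back to its default truststore, so one-way
        # SSL still works if the broker certificate chains to that store.
        notes.append("no ssl.truststore.location: JVM default truststore will be used")
    elif not file_exists(ts):
        errors.append("truststore not found: " + ts)

    ks = props.get("ssl.keystore.location")
    if ks is None:
        # No fallback here: the client will send an empty certificate chain,
        # which only a broker with ssl.client.auth=none accepts.
        notes.append("no ssl.keystore.location: client will not authenticate; "
                     "works only with ssl.client.auth=none on the broker")
        return {"mode": "one-way", "errors": errors, "notes": notes}

    if not file_exists(ks):
        errors.append("keystore not found: " + ks)
    else:
        actual = sniff(ks)
        declared = props.get("ssl.keystore.type", "JKS").upper()  # JKS is Kafka's default
        if actual not in ("unknown", declared):
            errors.append("keystore %s looks like %s but ssl.keystore.type is %s"
                          % (ks, actual, declared))
    if "ssl.keystore.password" not in props:
        errors.append("ssl.keystore.password not set")
    if "ssl.key.password" not in props:
        notes.append("ssl.key.password not set: assumed to equal the keystore password")
    return {"mode": "two-way", "errors": errors, "notes": notes}


if __name__ == "__main__":
    for name, text in (("one-way", ONE_WAY_PROPS), ("two-way", TWO_WAY_PROPS)):
        print(name, check_ssl_config(parse_java_properties(text)))
```

Run it against the real client.properties before pointing storm-kafka-monitor at a two-way-SSL broker; a "one-way" verdict together with ssl.client.auth=required on the broker is exactly the "null cert chain" failure from the report, and the sniff catches the related case where the file exists but is a PKCS#12 store declared as JKS.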



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)