[ https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jörn Franke updated ZOOKEEPER-3482:
-----------------------------------
Description:
It seems that Kerberos authentication does not work for encrypted connections
of clients and quorum. It seems that only X509 Authentication works.
What I would have expected:
* ClientSecurePort is defined
* A keystore and truststore are deployed on the ZooKeeper servers
* Only a truststore is deployed with the client (to validate the CA of the
  server certificate)
* Client can authenticate with SASL (Kerberos)
Similarly, it should work for the Quorum SSL connection.
Is there a way to configure this in ZooKeeper?
Note: Kerberos Authentication for SSL encrypted connection should be used
instead of X509 authentication for this case and not in addition. However, if
it only works in 3.5.5 in addition then I would be interested and willing to
test it.
was:
It seems that Kerberos authentication does not work for encrypted connections
of clients and quorum. It seems that only X509 Authentication works.
What I would have expected:
* ClientSecurePort is defined
* A keystore and truststore are deployed on the ZooKeeper servers
* Only a truststore is deployed with the client (to validate the CA of the
  server certificate)
* Client can authenticate with SASL (Kerberos)
Similarly for the Quorum SSL connection.
Is there a way to configure this in ZooKeeper?
Note: Kerberos Authentication for SSL encrypted connection should be used
instead of X509 authentication for this case and not in addition. However, if
it only works in 3.5.5 in addition then I would be interested and willing to
test it.
> SASL (Kerberos) Authentication with SSL for clients and Quorum
> --------------------------------------------------------------
>
> Key: ZOOKEEPER-3482
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.5.5
> Reporter: Jörn Franke
> Priority: Major