PDavid commented on PR #2360:
URL: https://github.com/apache/zookeeper/pull/2360#issuecomment-4039969101
### Testing
Tested this locally as follows:
Created keystore:
```
keytool -genkeypair -alias zkAdmin -keyalg RSA -keysize 2048 \
-dname "CN=your.server.com" -validity 365 \
-keystore keystore.jks -storepass password -keypass password
```
Created truststore:
```
# Export the cert
keytool -export -alias zkAdmin -file zkAdmin.crt \
-keystore keystore.jks -storepass password
# Import into truststore
keytool -import -alias zkAdmin -file zkAdmin.crt \
-keystore truststore.jks -storepass password -noprompt
```
Added these to `zoo.cfg`:
```
...
ssl.enabledProtocols=TLSv1.2,TLSv1.3
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ssl.keyStore.type=jks
ssl.keyStore.location=keystore.jks
ssl.keyStore.password=password
ssl.trustStore.type=jks
ssl.trustStore.location=truststore.jks
ssl.trustStore.password=password
ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3
ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ssl.quorum.keyStore.type=jks
ssl.quorum.keyStore.location=keystore.jks
ssl.quorum.keyStore.password=password
ssl.quorum.trustStore.type=jks
ssl.quorum.trustStore.location=truststore.jks
ssl.quorum.trustStore.password=password
ssl.clientAuth=none
metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
#metricsProvider.httpPort=7000
metricsProvider.httpsPort=7000
metricsProvider.ssl.keyStore.location=keystore.jks
metricsProvider.ssl.keyStore.password=password
metricsProvider.ssl.trustStore.location=keystore.jks
metricsProvider.ssl.trustStore.password=password
metricsProvider.ssl.need.client.auth=false
metricsProvider.ssl.enabledProtocols=TLSv1.2,TLSv1.3
metricsProvider.ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```
Started ZooKeeper:
```
mvn clean install -DskipTests && bin/zkServer.sh start
```
ZooKeeper log:
```
...
2026-03-11 15:46:36,926 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@167] - Reading configuration from:
/home/david/projects/zookeeper/bin/../conf/zoo.cfg
2026-03-11 15:46:36,932 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@434] - clientPortAddress is 0.0.0.0:2181
2026-03-11 15:46:36,933 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@438] - secureClientPort is not set
2026-03-11 15:46:36,933 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@454] - observerMasterPort is not set
2026-03-11 15:46:36,933 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@471] - metricsProvider.className is
org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
2026-03-11 15:46:36,935 [myid:] - INFO
[main:o.a.z.s.DatadirCleanupManager@78] - autopurge.snapRetainCount set to 3
2026-03-11 15:46:36,936 [myid:] - INFO
[main:o.a.z.s.DatadirCleanupManager@79] - autopurge.purgeInterval set to 0
2026-03-11 15:46:36,936 [myid:] - INFO
[main:o.a.z.s.DatadirCleanupManager@101] - Purge task is not scheduled.
2026-03-11 15:46:36,936 [myid:] - WARN [main:o.a.z.s.q.QuorumPeerMain@139]
- Either no config or no quorum defined in config, running in standalone mode
2026-03-11 15:46:36,939 [myid:] - INFO [main:o.a.z.j.ManagedUtil@46] -
Log4j 1.2 jmx support not found; jmx disabled.
2026-03-11 15:46:36,939 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@167] - Reading configuration from:
/home/david/projects/zookeeper/bin/../conf/zoo.cfg
2026-03-11 15:46:36,940 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@434] - clientPortAddress is 0.0.0.0:2181
2026-03-11 15:46:36,940 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@438] - secureClientPort is not set
2026-03-11 15:46:36,940 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@454] - observerMasterPort is not set
2026-03-11 15:46:36,940 [myid:] - INFO
[main:o.a.z.s.q.QuorumPeerConfig@471] - metricsProvider.className is
org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
2026-03-11 15:46:36,940 [myid:] - INFO
[main:o.a.z.s.ZooKeeperServerMain@122] - Starting server
2026-03-11 15:46:36,946 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@122] - Initializing Prometheus
metrics with Jetty, configuration: {ssl.enabledProtocols=TLSv1.2,TLSv1.3,
ssl.trustStore.password=password, httpsPort=7000,
ssl.keyStore.location=keystore.jks, ssl.keyStore.password=password,
ssl.need.client.auth=false,
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ssl.trustStore.location=keystore.jks}
2026-03-11 15:46:36,978 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@161] - Starting Prometheus Jetty
server...
2026-03-11 15:46:36,983 [myid:] - INFO [main:o.e.j.u.l.Log@170] - Logging
initialized @436ms to org.eclipse.jetty.util.log.Slf4jLog
2026-03-11 15:46:36,997 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@245] - Setting enabled protocols:
'TLSv1.2,TLSv1.3'
2026-03-11 15:46:36,997 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@251] - Setting enabled cipherSuites:
'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
2026-03-11 15:46:37,036 [myid:] - INFO [main:o.e.j.s.Server@375] -
jetty-9.4.58.v20250814; built: 2025-08-14T02:28:49.637Z; git:
8f1440587e9e4ae7db3d74cf205643f3d707148d; jvm 1.8.0_422-b05
2026-03-11 15:46:37,065 [myid:] - INFO [main:o.e.j.s.h.ContextHandler@921]
- Started o.e.j.s.ServletContextHandler@1165b38{/,null,AVAILABLE}
2026-03-11 15:46:37,163 [myid:] - INFO
[main:o.e.j.u.s.SslContextFactory@358] -
x509=X509@4c39bec8(zkadmin,h=[your.server.com],a=[],w=[]) for
Server@1f59a598[provider=null,keyStore=file:///home/david/projects/zookeeper/keystore.jks,trustStore=file:///home/david/projects/zookeeper/keystore.jks]
2026-03-11 15:46:37,211 [myid:] - INFO [main:o.e.j.s.AbstractConnector@333]
- Started ServerConnector@16ec5519{SSL, (ssl, http/1.1)}{0.0.0.0:7000}
2026-03-11 15:46:37,212 [myid:] - INFO [main:o.e.j.s.Server@415] - Started
@665ms
2026-03-11 15:46:37,212 [myid:] - INFO
[main:o.a.z.m.p.PrometheusMetricsProvider@199] - Prometheus metrics provider
with Jetty started. HTTP port: disabled, HTTPS port: 7000
2026-03-11 15:46:37,218 [myid:] - INFO [main:o.a.z.s.ServerMetrics@64] -
ServerMetrics initialized with provider
org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider@68e965f5
2026-03-11 15:46:37,225 [myid:] - INFO
[main:o.a.z.s.a.DigestAuthenticationProvider@51] - ACL digest algorithm is: SHA1
2026-03-11 15:46:37,226 [myid:] - INFO
[main:o.a.z.s.a.DigestAuthenticationProvider@65] -
zookeeper.DigestAuthenticationProvider.enabled = true
2026-03-11 15:46:37,227 [myid:] - INFO [main:o.a.z.s.p.FileTxnSnapLog@124]
- zookeeper.snapshot.trust.empty : false
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
______ _
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
|___ / | |
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
/ / ___ ___ | | __ ___ ___ _ __ ___ _ __
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
/ / / _ \ / _ \ | |/ / / _ \ / _ \ | '_ \ / _ \ | '__|
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
/ /__ | (_) | | (_) | | < | __/ | __/ | |_) | | __/ | |
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
/_____| \___/ \___/ |_|\_\ \___| \___| | .__/ \___| |_|
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
| |
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
|_|
2026-03-11 15:46:37,232 [myid:] - INFO [main:o.a.z.ZookeeperBanner@42] -
2026-03-11 15:46:37,233 [myid:] - INFO [main:o.a.z.Environment@98] - Server
environment:zookeeper.version=3.10.0-SNAPSHOT-c084c2537ec60ce47131bb61181b9833bd6630e6-dirty,
built on 2026-03-11 14:43 UTC
```
Call PrometheusMetricsProvider:
```
curl -k -v https://localhost:7000/metrics
* Host localhost:7000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:7000...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / secp256r1 /
RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=your.server.com
* start date: Mar 10 12:58:28 2026 GMT
* expire date: Mar 10 12:58:28 2027 GMT
* issuer: CN=your.server.com
* SSL certificate verify result: self-signed certificate (18), continuing
anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed
using sha256WithRSAEncryption
* Connected to localhost (::1) port 7000
* using HTTP/1.x
> GET /metrics HTTP/1.1
> Host: localhost:7000
> User-Agent: curl/8.15.0
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Date: Wed, 11 Mar 2026 15:15:54 GMT
< Content-Type: text/plain; version=0.0.4; charset=utf-8
< Content-Length: 38630
< Server: Jetty(9.4.58.v20250814)
<
# HELP add_dead_watcher_stall_time_total add_dead_watcher_stall_time counter
# TYPE add_dead_watcher_stall_time_total counter
add_dead_watcher_stall_time_total 0.0
# HELP approximate_data_size approximate_data_size
# TYPE approximate_data_size gauge
approximate_data_size 44.0
# HELP auth_failed_count auth_failed_count
# TYPE auth_failed_count gauge
auth_failed_count 0.0
# HELP avg_latency avg_latency
# TYPE avg_latency gauge
avg_latency 0.0
# HELP bytes_received_count_total bytes_received_count counter
# TYPE bytes_received_count_total counter
bytes_received_count_total 0.0
# HELP close_session_prep_time close_session_prep_time summary
# TYPE close_session_prep_time summary
close_session_prep_time{quantile="0.5"} NaN
close_session_prep_time{quantile="0.95"} NaN
close_session_prep_time{quantile="0.99"} NaN
close_session_prep_time_count 0
close_session_prep_time_sum 0.0
# HELP cnxn_closed_without_zk_server_running_total
cnxn_closed_without_zk_server_running counter
# TYPE cnxn_closed_without_zk_server_running_total counter
cnxn_closed_without_zk_server_running_total 0.0
...
# HELP write_final_proc_time_ms write_final_proc_time_ms summary
# TYPE write_final_proc_time_ms summary
write_final_proc_time_ms{quantile="0.5"} NaN
write_final_proc_time_ms{quantile="0.95"} NaN
write_final_proc_time_ms{quantile="0.99"} NaN
write_final_proc_time_ms_count 0
write_final_proc_time_ms_sum 0.0
# HELP znode_count znode_count
# TYPE znode_count gauge
znode_count 5.0
* Connection #0 to host localhost left intact
```
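The procedure above ends at a manual `curl` probe. As an added example (not part of the PR or of the ZooKeeper project), here is an offline audit of the `metricsProvider.*` lines of a `zoo.cfg`: it parses the properties the way the server would read them, flags an uncommented `httpPort` (plaintext metrics), protocols other than TLS 1.2/1.3, TLS 1.2 suites without ECDHE and AEAD, and records that `need.client.auth=false` leaves the endpoint scrape-able by any client that can reach the port. The sample text is constructed from the snippet above; the function names and finding strings are my own.

```python
# Constructed sample: the metricsProvider lines from the zoo.cfg in the comment above.
SAMPLE_CFG = """\
#metricsProvider.httpPort=7000
metricsProvider.httpsPort=7000
metricsProvider.ssl.keyStore.location=keystore.jks
metricsProvider.ssl.need.client.auth=false
metricsProvider.ssl.enabledProtocols=TLSv1.2,TLSv1.3
metricsProvider.ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
SAFE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}

def parse_cfg(text):
    """Java properties style: '#' lines are comments, the first '=' splits key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props

def suite_is_strong(suite):
    """TLS 1.3 suites are AEAD with forward secrecy; TLS 1.2 suites must be ECDHE + GCM/ChaCha20."""
    return suite in TLS13_SUITES or (
        suite.startswith("TLS_ECDHE_") and ("_GCM_" in suite or "CHACHA20" in suite))

def audit_metrics_tls(text):
    """Return findings for the Prometheus listener; an empty list means nothing to flag."""
    p, findings, mp = parse_cfg(text), [], "metricsProvider."
    if p.get(mp + "httpPort"):
        findings.append("plaintext HTTP metrics port enabled: " + p[mp + "httpPort"])
    if p.get(mp + "httpsPort"):
        if not p.get(mp + "ssl.keyStore.location"):
            findings.append("httpsPort set but ssl.keyStore.location missing")
        protos = {x for x in p.get(mp + "ssl.enabledProtocols", "").split(",") if x}
        if not protos:
            findings.append("ssl.enabledProtocols not set (listener falls back to defaults)")
        for proto in sorted(protos - SAFE_PROTOCOLS):
            findings.append("legacy protocol enabled: " + proto)
        for s in [x for x in p.get(mp + "ssl.ciphersuites", "").split(",") if x]:
            if not suite_is_strong(s):
                findings.append("weak cipher suite: " + s)
        # need.client.auth=false matches the "Request CERT" + empty client Certificate seen in the curl trace
        if p.get(mp + "ssl.need.client.auth", "false").lower() != "true":
            findings.append("need.client.auth=false: any client that can reach the port can scrape")
    return findings
```

Run `audit_metrics_tls(open("conf/zoo.cfg").read())` against a real config; the sample above yields only the no-mTLS finding, which is expected for a metrics endpoint protected at the network layer.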
--
This is an automated message from the Apache Git Service.