[ https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16638309#comment-16638309 ]
Martin M edited comment on ZOOKEEPER-2125 at 10/4/18 2:40 PM: -------------------------------------------------------------- In this Jira item it is indicated that in order to configure SSL, one has to specify the secureClientPort in zoo.cfg. However, the documentation (https://zookeeper.apache.org/doc/r3.5.2-alpha/zookeeperReconfig.html) says: {noformat} Starting with 3.5.0 the clientPort and clientPortAddress configuration parameters should no longer be used {noformat} I have tried setting the SSL port in the dynamic configuration, but it doesnt work. The secureClientPort must be specified in zoo.cfg. When i specify both securePortClient in zoo.cfg and the dynamic configuration, ZK server doesnt start anymore. How to fix this? Thanks was (Author: mar.ian): In this Jira item it is indicated that in order to configure SSl, one has to specified secureClientPort in zoo.cfg. However, the documentation (https://zookeeper.apache.org/doc/r3.5.2-alpha/zookeeperReconfig.html) says: {noformat} Starting with 3.5.0 the clientPort and clientPortAddress configuration parameters should no longer be used {noformat} I have tried setting the SSL port in the dynamic configuration, but it doesnt work. The secureClientPort must be specified in zoo.cfg. When i specify both securePortClient in zoo.cfg and the dynamic configuration, ZK server doesnt start anymore. How to fix this? Thanks > SSL on Netty client-server communication > ---------------------------------------- > > Key: ZOOKEEPER-2125 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125 > Project: ZooKeeper > Issue Type: Sub-task > Reporter: Hongchao Deng > Assignee: Hongchao Deng > Priority: Major > Fix For: 3.5.1, 3.6.0 > > Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, > ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, testKeyStore.jks, > testTrustStore.jks > > > Supporting SSL on Netty client-server communication. > 1. It supports keystore and trustore usage. > 2. It adds an additional ZK server port which supports SSL. This would be > useful for rolling upgrade. > RB: https://reviews.apache.org/r/31277/ > The patch includes three files: > * testing purpose keystore and truststore under > "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/". > * latest ZOOKEEPER-2125.patch > h2. How to use it > You need to set some parameters on both ZK server and client. > h3. Server > You need to specify a listening SSL port in "zoo.cfg": > {code} > secureClientPort=2281 > {code} > Just like what you did with "clientPort". And then set some jvm flags: > {code} > export > SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > Please change keystore and truststore parameters accordingly. > h3. Client > You need to set jvm flags: > {code} > export > CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty > -Dzookeeper.client.secure=true > -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks > -Dzookeeper.ssl.keyStore.password=testpass > -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks > -Dzookeeper.ssl.trustStore.password=testpass" > {code} > change keystore and truststore parameters accordingly. > And then connect to the server's SSL port, in this case: > {code} > bin/zkCli.sh -server 127.0.0.1:2281 > {code} > If you have any feedback, you are more than welcome to discuss it here! -- This message was sent by Atlassian JIRA (v7.6.3#76005)