Re: Clarification: SSL Client: Need of keystore?
On Tue, 30 Jul 2019, 20:49 Jörn Franke wrote:

> Hi,
>
> I have a kerberized Zookeeper cluster and would like to add SSL on the
> client side and to the quorum.
>
> So far the server configuration is clear. However, according to
>
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
>
> I need to specify on the client side
> zookeeper.ssl.keyStore.location="/path/to/your/keystore"
> zookeeper.ssl.keyStore.password="keystore_password"
> zookeeper.ssl.trustStore.location="/path/to/your/truststore"
> zookeeper.ssl.trustStore.password="truststore_password"
>
> I do understand the need to provide a truststore, but why does the client
> need a keystore. As far as I understood the keystore is only needed for
> X509 authentication, but I use the Kerberos authentication.
>

Your question is fair.
Did you try not to configure a keystore for the client?

Enrico

> Does it mean the SSL client connection requires X509 authentication and
> Kerberos is not possible?
> Can you please clarify?
>
> thank you.
>
> best regards
>

Re: Clarification: SSL Client: Need of keystore?
Hi Jorn,

I cannot test this unfortunately, because I don’t have a working Kerberos environment at the moment.

If you comment out keystore.location, ZooKeeper won’t start, because it’s unable to build the TrustManager. Would you please try to create a fake (possibly empty) truststore and see how it goes?

Andor

> On 2019. Jul 30., at 20:49, Jörn Franke wrote:
>
> Hi,
>
> I have a kerberized Zookeeper cluster and would like to add SSL on the
> client side and to the quorum.
>
> So far the server configuration is clear. However, according to
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
>
> I need to specify on the client side
> zookeeper.ssl.keyStore.location="/path/to/your/keystore"
> zookeeper.ssl.keyStore.password="keystore_password"
> zookeeper.ssl.trustStore.location="/path/to/your/truststore"
> zookeeper.ssl.trustStore.password="truststore_password"
>
> I do understand the need to provide a truststore, but why does the client
> need a keystore. As far as I understood the keystore is only needed for
> X509 authentication, but I use the Kerberos authentication.
>
> Does it mean the SSL client connection requires X509 authentication and
> Kerberos is not possible?
> Can you please clarify?
>
> thank you.
>
> best regards

Clarification: SSL Client: Need of keystore?
Hi,

I have a kerberized Zookeeper cluster and would like to add SSL on the client side and to the quorum.

So far the server configuration is clear. However, according to
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

I need to specify on the client side
zookeeper.ssl.keyStore.location="/path/to/your/keystore"
zookeeper.ssl.keyStore.password="keystore_password"
zookeeper.ssl.trustStore.location="/path/to/your/truststore"
zookeeper.ssl.trustStore.password="truststore_password"

I do understand the need to provide a truststore, but why does the client need a keystore. As far as I understood the keystore is only needed for X509 authentication, but I use the Kerberos authentication.

Does it mean the SSL client connection requires X509 authentication and Kerberos is not possible?
Can you please clarify?

thank you.

best regards