From: Stephane Maarek
Sent: Tuesday, December 20, 2016 7:11 PM
To: Rajini Sivaram
Cc: users@kafka.apache.org
Subject: Re: Kafka SSL encryption plus external CA
Thanks Rajini.
I used a CNAME broker-bootstrap-A.example.com t
Stephane,
I believe that should work, though I haven't tried it myself.
On Wed, Dec 21, 2016 at 12:11 AM, Stephane Maarek <steph...@simplemachines.com.au> wrote:
> Thanks Rajini.
>
> I used a CNAME broker-bootstrap-A.example.com that round robins to the
> actual brokers broker-1.example.com, br
Thanks Rajini.
I used a CNAME broker-bootstrap-A.example.com that round robins to the
actual brokers broker-1.example.com, broker-2.example.com (etc etc).
Therefore no broker advertises the bootstrap DNS name we’re using. Is that
an issue? The SSL certificate wildcard will match both bootstrap CNA
Stephane,
Bootstrap brokers are also verified by the client in exactly the same way,
so they should also match the wildcard of their certificate. Basically,
clients need to make a secure SSL connection to one of the bootstrap
brokers to obtain advertised hostnames of brokers, so they need to compl
Thanks Rajini!
Also, I currently have each broker advertising as broker1.mydomain.com,
broker2.mydomain.com, broker6.mydomain.com etc…
I have set up CNAMEs in round-robin fashion to group brokers by
availability zone, i.e. broker-a.mydomain.com, broker-b.mydomain.com,
broker-c.mydomain.com. I use them
Stephane,
If you are using a trusted CA like Verisign, clients don't need to specify
a truststore. The host names specified in advertised.listeners in the
broker must match the wildcard DNS names in the certificates if clients
configure ssl.endpoint.identification.algorithm=https. If
ssl.endpoint.
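Rajini's two replies above make one point between them: with ssl.endpoint.identification.algorithm=https the client checks the name it connected to (the bootstrap CNAME on the first connection, then each host from advertised.listeners) against the dNSName entries of the certificate the broker presents, and a wildcard covers exactly one leftmost label. The following is an added example written for this thread, not code from the list participants or from Kafka itself; it reproduces that matching rule in plain Python (standard library only) and checks a constructed cluster layout in which a bootstrap CNAME round-robins to three brokers. The hostnames, broker labels and SAN lists are constructed for illustration.

```python
"""
Hostname verification as a TLS client performs it when Kafka's
ssl.endpoint.identification.algorithm=https is set.

Rule (RFC 6125 style, as implemented by the JDK's HTTPS verifier):
  - a name without '*' must equal the host exactly (case-insensitive);
  - '*' is allowed only as the whole leftmost label, matches exactly one
    label, and must leave at least two further labels ('*.com' is rejected).
"""
from typing import Dict, List, Tuple


def matches_dns_name(cert_name: str, host: str) -> bool:
    """Return True if a certificate dNSName (possibly a wildcard) covers host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    labels = cert_name.split(".")
    # wildcard only as the entire leftmost label, and never in the
    # registry-controlled part ('*.com' would cover every .com host)
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = host.split(".")
    # one label only: '*.example.com' does not cover 'a.b.example.com'
    if len(host_labels) != len(labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == labels[1:]


def verify_cluster(bootstrap_hosts: List[str],
                   advertised: Dict[str, str],
                   cert_sans: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """
    Return (hostname, reason) pairs a client would reject.

    bootstrap_hosts: DNS names in the client's bootstrap.servers.
    advertised:      broker id -> host from that broker's advertised.listeners.
    cert_sans:       broker id -> dNSName SANs in that broker's certificate.

    A round-robin CNAME may land on any broker, so every broker behind the
    bootstrap name must present a certificate that covers that name; after
    bootstrap, each broker must also cover its own advertised host.
    """
    failures = []
    for host in bootstrap_hosts:
        for broker, sans in cert_sans.items():
            if not any(matches_dns_name(s, host) for s in sans):
                failures.append((host, f"{broker}: certificate does not cover bootstrap name"))
    for broker, host in advertised.items():
        if not any(matches_dns_name(s, host) for s in cert_sans[broker]):
            failures.append((host, f"{broker}: certificate does not cover advertised host"))
    return failures


# --- constructed sample layout (hypothetical names) -------------------------
BOOTSTRAP_HOSTS = ["broker-bootstrap-a.example.com"]   # CNAME round-robin
ADVERTISED = {
    "broker-1": "broker-1.example.com",
    "broker-2": "broker-2.example.com",
    "broker-3": "broker-3.example.com",
}
# every broker carries the same wildcard certificate: covers both names
WILDCARD_SANS = {b: ["*.example.com"] for b in ADVERTISED}
# each broker carries a certificate for its own name only: bootstrap fails
PER_BROKER_SANS = {b: [h] for b, h in ADVERTISED.items()}


if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_SANS), ("per-broker", PER_BROKER_SANS)):
        result = verify_cluster(BOOTSTRAP_HOSTS, ADVERTISED, sans)
        print(f"{label}: {'OK' if not result else result}")
```

The per-broker layout shows the failure mode being discussed: the advertised hosts all verify, but a client that bootstraps through the CNAME is rejected by whichever broker it lands on, because none of those certificates names broker-bootstrap-a.example.com. The wildcard layout passes, while a deeper name such as kafka.internal.example.com would not, since the wildcard spans a single label.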
Hi,
I have read the docs extensively but yet there are a few answers I can’t
find. It has to do with external CA
Please confirm my understanding if possible:
I can create my own CA to sign all the brokers’ and clients’ certificates.
Pros:
- cheap, easy, automated. I need to find a way to access tha