Hi Jorn,

I cannot test this unfortunately, because I don’t have a working Kerberos environment at the moment. If you comment out keystore.location, ZooKeeper won’t start, because it’s unable to build the TrustManager.
Would you please try to create a fake (possibly empty) truststore and see how it goes?

Andor

> On 2019. Jul 30., at 20:49, Jörn Franke <[email protected]> wrote:
>
> Hi,
>
> I have a kerberized Zookeeper cluster and would like to add SSL on the
> client side and to the quorum.
>
> So far the server configuration is clear. However, according to
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
>
> I need to specify on the client side
> zookeeper.ssl.keyStore.location="/path/to/your/keystore"
> zookeeper.ssl.keyStore.password="keystore_password"
> zookeeper.ssl.trustStore.location="/path/to/your/truststore"
> zookeeper.ssl.trustStore.password="truststore_password"
>
> I do understand the need to provide a truststore, but why does the client
> need a keystore. As far as I understood the keystore is only needed for
> X509 authentication, but I use the Kerberos authentication.
>
> Does it mean the SSL client connection requires X509 authentication and
> Kerberos is not possible?
> Can you please clarify?
>
> thank you.
>
> best regards
