Hi,

We can override per-listener security settings. This way we can configure each listener with different configs.
https://issues.apache.org/jira/browse/KAFKA-4636

On Fri, Sep 22, 2017 at 2:00 PM, Jakub Scholz <[email protected]> wrote:

> Hi,
>
> I would like to set up my Kafka cluster so that it has several SSL listeners
> (for replication, for clients in internal network, for clients in external
> network etc.). But I need to use different certificates for each listener.
> In particular I need:
> * different server keys (keystore) because the clients connecting from
> within internal network use different hostnames to connect than the clients
> connecting from external network and I want hostname verification to work.
> (With some private CA the different hostnames can be in the same
> certificate as alternate subjects. But I would like to have private CA key
> for the internal interface with internal addresses and key from a public CA
> for the external address. So I need two keys.)
> * different truststore because two separate groups of users are
> authenticating over the different interfaces.
>
> Kafka allows to create several different listeners with different
> configurations. That is great. But it seems that when I create several SSL
> interfaces they all share the same keystore and truststore file. Is my
> understanding correct? Or is there some way how to configure each listener
> to use different keystore / truststore?
>
> Thanks & Regards
> Jakub
