Hi,

Thanks for your answer. The "listener.name.client.ssl.keystore.location" trick is exactly what I was looking for. Did I miss it somewhere in the regular documentation? Or is it mentioned only in the KIP?

Thanks & Regards
Jakub

On Sat, Sep 23, 2017 at 11:05 AM, Manikumar <[email protected]> wrote:

> Hi,
>
> We can override per listener security settings. This way we can configure
> each listener with different configs.
>
> https://issues.apache.org/jira/browse/KAFKA-4636
>
> On Fri, Sep 22, 2017 at 2:00 PM, Jakub Scholz <[email protected]> wrote:
>
> > Hi,
> >
> > I would like to set up my Kafka cluster so that it has several SSL listeners
> > (for replication, for clients in internal network, for clients in external
> > network etc.). But I need to use different certificates for each listener.
> > In particular I need:
> > * different server keys (keystore) because the clients connecting from
> > within internal network use different hostnames to connect than the clients
> > connecting from external network and I want hostname verification to work.
> > (With some private CA the different hostnames can be in the same
> > certificate as alternate subjects. But I would like to have private CA key
> > for the internal interface with internal addresses and key from a public CA
> > for the external address. So I need two keys.)
> > * different truststore because two separate groups of users are
> > authenticating over the different interfaces.
> >
> > Kafka allows to create several different listeners with different
> > configurations. That is great. But it seems that when I create several SSL
> > interfaces they all share the same keystore and truststore file. Is my
> > understanding correct? Or is there some way how to configure each listener
> > to use different keystore / truststore?
> >
> > Thanks & Regards
> > Jakub
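
The per-listener override discussed in this thread, written out as an added broker configuration sketch (not taken from the original messages or from the Kafka documentation). The listener names INTERNAL and EXTERNAL, the hostnames, ports, file paths and passwords are placeholders chosen for illustration.

```properties
# server.properties (illustrative; names, hosts, paths and passwords are placeholders)

# Two SSL listeners on different ports, each with its own name.
listeners=INTERNAL://0.0.0.0:9093,EXTERNAL://0.0.0.0:9094
advertised.listeners=INTERNAL://broker1.internal.example:9093,EXTERNAL://broker1.example.com:9094

# Map each listener name to a security protocol; both use SSL here.
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL

# Replication traffic uses the internal listener.
inter.broker.listener.name=INTERNAL

# Top-level ssl.* settings apply to any listener that has no override
# of its own. Both listeners below override them.
ssl.keystore.location=/etc/kafka/ssl/default.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.truststore.location=/etc/kafka/ssl/default.truststore.jks
ssl.truststore.password=CHANGE_ME

# Overrides use the prefix listener.name.<listener name in lower case>.
# INTERNAL: server certificate from the private CA, carrying the internal
# hostname, and a truststore holding only the internal client CA.
listener.name.internal.ssl.keystore.location=/etc/kafka/ssl/internal.keystore.jks
listener.name.internal.ssl.keystore.password=CHANGE_ME
listener.name.internal.ssl.key.password=CHANGE_ME
listener.name.internal.ssl.truststore.location=/etc/kafka/ssl/internal.truststore.jks
listener.name.internal.ssl.truststore.password=CHANGE_ME
listener.name.internal.ssl.client.auth=required

# EXTERNAL: server certificate from the public CA, carrying the external
# hostname, and a separate truststore for the external group of clients.
listener.name.external.ssl.keystore.location=/etc/kafka/ssl/external.keystore.jks
listener.name.external.ssl.keystore.password=CHANGE_ME
listener.name.external.ssl.key.password=CHANGE_ME
listener.name.external.ssl.truststore.location=/etc/kafka/ssl/external.truststore.jks
listener.name.external.ssl.truststore.password=CHANGE_ME
listener.name.external.ssl.client.auth=required
```

Keeping the two truststores disjoint is what separates the user groups: a client certificate issued by the external CA fails the handshake on the INTERNAL listener, and the reverse holds for the other listener.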
