Yes, it was missing in the Kafka documentation. I will raise a PR to update the docs.

On Sat, Sep 23, 2017 at 8:06 PM, Jakub Scholz <[email protected]> wrote:

> Hi,
>
> Thanks for your answer. The "listener.name.client.ssl.keystore.location"
> trick is exactly what I was looking for. Did I miss it somewhere in the
> regular documentation? Or is it mentioned only in the KIP?
>
> Thanks & Regards
> Jakub
>
> On Sat, Sep 23, 2017 at 11:05 AM, Manikumar <[email protected]> wrote:
>
> > Hi,
> >
> > We can override per listener security settings. This way we can configure
> > each listener with different configs.
> >
> > https://issues.apache.org/jira/browse/KAFKA-4636
> >
> > On Fri, Sep 22, 2017 at 2:00 PM, Jakub Scholz <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > I would like to set up my Kafka cluster so that it has several SSL
> > > listeners (for replication, for clients in internal network, for
> > > clients in external network etc.). But I need to use different
> > > certificates for each listener. In particular I need:
> > > * different server keys (keystore) because the clients connecting from
> > > within internal network use different hostnames to connect than the
> > > clients connecting from external network and I want hostname
> > > verification to work. (With some private CA the different hostnames
> > > can be in the same certificate as alternate subjects. But I would like
> > > to have private CA key for the internal interface with internal
> > > addresses and key from a public CA for the external address. So I need
> > > two keys.)
> > > * different truststore because two separate groups of users are
> > > authenticating over the different interfaces.
> > >
> > > Kafka allows creating several different listeners with different
> > > configurations. That is great. But it seems that when I create several
> > > SSL interfaces they all share the same keystore and truststore file.
> > > Is my understanding correct? Or is there some way to configure each
> > > listener to use different keystore / truststore?
> > >
> > > Thanks & Regards
> > > Jakub
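
Added example, not part of the original thread and not Kafka's own code: a small audit that resolves which keystore and truststore each SSL listener ends up with when `listener.name.<name>.` overrides are used, and reports listeners that still use the shared files. The listener names (REPLICATION, INTERNAL, EXTERNAL), ports and file paths are constructed, and the fallback to the unprefixed setting is the broker behaviour this sketch assumes.

```python
# Constructed sample server.properties; listener names and paths are made up.
SAMPLE = """\
listeners=REPLICATION://:9091,INTERNAL://:9092,EXTERNAL://:9093
listener.security.protocol.map=REPLICATION:SSL,INTERNAL:SSL,EXTERNAL:SSL
# Shared defaults, used by any listener without its own override
ssl.keystore.location=/etc/kafka/ssl/default.keystore.jks
ssl.truststore.location=/etc/kafka/ssl/default.truststore.jks
# Per-listener overrides: listener.name.<lowercased listener name>.<setting>
listener.name.internal.ssl.keystore.location=/etc/kafka/ssl/internal.keystore.jks
listener.name.internal.ssl.truststore.location=/etc/kafka/ssl/internal.truststore.jks
listener.name.external.ssl.keystore.location=/etc/kafka/ssl/external.keystore.jks
"""

SSL_KEYS = ("ssl.keystore.location", "ssl.truststore.location")

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def effective_ssl(props):
    """Return {listener: {setting: (value, source)}} for SSL/SASL_SSL listeners.

    Assumption: a listener without a prefixed key falls back to the unprefixed one.
    """
    proto = dict(p.split(":", 1) for p in props["listener.security.protocol.map"].split(","))
    result = {}
    for entry in props["listeners"].split(","):
        name = entry.split("://", 1)[0].strip()
        if proto.get(name, name) not in ("SSL", "SASL_SSL"):
            continue
        result[name] = {}
        for key in SSL_KEYS:
            prefixed = f"listener.name.{name.lower()}.{key}"
            source = "override" if prefixed in props else "shared default"
            result[name][key] = (props.get(prefixed, props.get(key)), source)
    return result

def shared_fallbacks(props):
    """List (listener, setting) pairs that still resolve to the shared default."""
    return sorted((n, k) for n, s in effective_ssl(props).items()
                  for k, (_, src) in s.items() if src == "shared default")
```

In the sample, EXTERNAL has its own keystore but still trusts the shared truststore, which is the kind of gap `shared_fallbacks` is meant to surface when two groups of users must be authenticated separately.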
