Share your new configs and logs

On Fri, Jun 4, 2021, 12:06, Dhirendra Singh <dhirendr...@gmail.com> wrote:

> I tried the keytool command suggested by you. Still getting the same error.
>
> On Fri, Jun 4, 2021 at 10:50 AM Ran Lupovich <ranlupov...@gmail.com> wrote:
>
> > The default format is jks,
> >
> > use keytool to create a Java KeyStore (JKS) with the certificate and key
> > for use by Kafka. You'll be prompted to create a new password for the
> > resulting file as well as enter the password for the PKCS12 file from the
> > previous step. Hang onto the new JKS password for use in configuration
> > below.
> >
> > $ keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12 -alias myserver.internal.net
> >
> > Note: It's safe to ignore the following warning from keytool.
> >
> > The JKS keystore uses a proprietary format. It is recommended to
> > migrate to PKCS12 which is an industry standard format using "keytool
> > -importkeystore -srckeystore server.p12 -destkeystore
> > kafka.server.keystore.jks -srcstoretype pkcs12"
> >
> > On Fri, Jun 4, 2021, 07:40, Dhirendra Singh <dhirendr...@gmail.com> wrote:
> >
> > > I am trying to set up 2-way SSL authentication. My requirement is that the broker
> > > should authenticate only specific clients.
> > > My organization has a CA which issues all certificates in pkcs12 format.
> > > The steps I followed are as follows.
> > >
> > > 1. Got a certificate for the broker and configured it in the broker keystore:
> > >    ssl.keystore.location=/home/kafka/certificate.p12
> > >    ssl.keystore.password=xxxxx
> > >    ssl.client.auth=required
> > > 2. Got a certificate for the client and configured it in the client keystore:
> > >    ssl.keystore.location=/home/kafka/certificate.p12
> > >    ssl.keystore.password=xxxxx
> > > 3. Extracted the public certificate from the client certificate using the keytool command:
> > >    keytool -export -file cert -keystore certificate.p12 -alias "12345" -storetype pkcs12 -storepass xxxxx
> > > 4. Imported the certificate into the broker truststore. The broker truststore
> > >    contains only the client 12345 certificate.
> > >    keytool -keystore truststore.p12 -import -file cert -alias 12345 -storetype pkcs12 -storepass xxxxx -noprompt
> > > 5. Configured the truststore in the broker:
> > >    ssl.truststore.location=/home/kafka/truststore.p12
> > >    ssl.truststore.password=xxxxx
> > > 6. Configured the truststore in the client. The client truststore contains CA certificates.
> > >    ssl.truststore.location=/etc/pki/java/cacerts
> > >    ssl.truststore.password=xxxxx
> > >
> > > When I run the broker and client I expect the broker to authenticate the
> > > client and establish an SSL connection, but instead the following error is thrown:
> > >
> > > [2021-06-03 23:32:06,864] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (abc.com/10.129.140.212:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> > > [2021-06-03 23:32:06,866] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
> > > org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> > > Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake message: server_hello
> > >
> > > I tried various things but nothing seems to work. When I replace the broker
> > > truststore with the /etc/pki/java/cacerts truststore file, which contains only
> > > the CA certificate, then it works fine. But it will authenticate any client which has a
> > > certificate issued by the CA.
> > >
> > > What could be the issue?
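Added here as an example (not code from the thread or from Kafka): a small Python checker for the property files quoted above. It assumes only that Kafka's ssl.keystore.type and ssl.truststore.type default to JKS, which is the point of the "default format is jks" reply, so a .p12 path listed without an explicit PKCS12 type is flagged, as is a broker that does not set ssl.client.auth=required.

```python
from typing import Dict, List

# Kafka's ssl.keystore.type / ssl.truststore.type default to JKS, so a .p12 file
# listed without an explicit type is opened with the wrong loader.
DEFAULT_STORE_TYPE = "JKS"
PKCS12_SUFFIXES = (".p12", ".pfx")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, blanks."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")  # split at the first '=' only
        props[key.strip()] = value.strip()
    return props


def check_ssl_config(props: Dict[str, str], role: str) -> List[str]:
    """Return findings for one broker or client properties map (empty list = clean)."""
    findings: List[str] = []
    for store in ("keystore", "truststore"):
        location = props.get(f"ssl.{store}.location", "")
        declared = props.get(f"ssl.{store}.type", DEFAULT_STORE_TYPE).upper()
        if location.lower().endswith(PKCS12_SUFFIXES) and declared != "PKCS12":
            findings.append(
                f"{role}: ssl.{store}.location={location} looks like PKCS#12 "
                f"but ssl.{store}.type resolves to {declared}; set ssl.{store}.type=PKCS12"
            )
    # Mutual TLS is only enforced when the broker demands a client certificate.
    if role == "broker" and props.get("ssl.client.auth", "none") != "required":
        findings.append("broker: ssl.client.auth is not 'required', so clients without a certificate are accepted")
    return findings


# Constructed sample mirroring the broker settings from the thread (no ssl.*.type given).
BROKER_PROPS = """
ssl.keystore.location=/home/kafka/certificate.p12
ssl.keystore.password=xxxxx
ssl.client.auth=required
ssl.truststore.location=/home/kafka/truststore.p12
ssl.truststore.password=xxxxx
"""

# The same broker with both store types declared explicitly.
FIXED_BROKER_PROPS = BROKER_PROPS + "ssl.keystore.type=PKCS12\nssl.truststore.type=PKCS12\n"

if __name__ == "__main__":
    for name, text in (("as posted", BROKER_PROPS), ("with types", FIXED_BROKER_PROPS)):
        print(name, check_ssl_config(parse_properties(text), "broker") or ["ok"])
```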