Yolean/kubernetes-kafka

Kafka-security

Opened this issue · 5 comments

Hi,
I have deployed Kafka with three nodes in Kubernetes and it is all working well, but now I want to implement SSL security. I have created all the keystores and truststores necessary for implementing SSL authentication between the Kafka broker and the client, and I tried to configure my certificates through a ConfigMap with a particular directory, but it gives me the following error:
java.io.IOException: Invalid keystore format

Is there any other way to pass those certificates into the Kafka pods, like secrets?
Please help me if anyone has any idea.
Thanks.

I haven't tried this with Kafka, but a few years ago with Keycloak, which is also Java. I seem to recall that the JKS tooling and format came with a bit of a learning curve. Care to describe how you produced the ConfigMap? I've never tried a ConfigMap with binary files.

@solsson Thanks for the help. I was using a k8s ConfigMap instead of a k8s Secret. It worked when passing the certificates as a Secret.
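A concrete way to do what the comment above describes, as an added example that is not from this thread or from the Yolean/kubernetes-kafka project: keep the JKS files and their passwords in one Secret, mount it read-only into the broker, and point the SSL settings at the mounted paths. The namespace and StatefulSet name (kafka), container name (broker), file names, ports 9092/9093 and the changeit passwords are assumptions for illustration, and the base64 values are placeholders.

```yaml
# Added example, not from the thread or from Yolean/kubernetes-kafka.
# Assumed names: namespace "kafka", StatefulSet "kafka", container "broker",
# JKS files produced with keytool, store/key passwords "changeit".
#
# 1. The Secret. A Secret carries arbitrary bytes, which is what a JKS is;
#    a ConfigMap filled with --from-file is treated as text, which is one way
#    a keystore arrives in the pod with an invalid format.
#    `kubectl -n kafka create secret generic kafka-ssl --from-file=...` builds
#    the same object without hand-encoding the binary entries.
apiVersion: v1
kind: Secret
metadata:
  name: kafka-ssl
  namespace: kafka
type: Opaque
data:
  # placeholders: base64 of the binary files, e.g. $(base64 -w0 kafka.server.keystore.jks)
  kafka.server.keystore.jks: "<base64 of kafka.server.keystore.jks>"
  kafka.server.truststore.jks: "<base64 of kafka.server.truststore.jks>"
stringData:
  # Kafka reads the store passwords in clear from a properties file, so this
  # fragment lives in the Secret too. Have the broker's startup script append
  # /etc/kafka/ssl/ssl.properties to server.properties (or merge these lines
  # into the server.properties ConfigMap if you accept the passwords living there).
  ssl.properties: |
    listeners=PLAINTEXT://:9092,SSL://:9093
    ssl.keystore.location=/etc/kafka/ssl/kafka.server.keystore.jks
    ssl.keystore.password=changeit
    ssl.key.password=changeit
    ssl.truststore.location=/etc/kafka/ssl/kafka.server.truststore.jks
    ssl.truststore.password=changeit
    # mutual TLS: a client must present a certificate chaining to the truststore
    ssl.client.auth=required
    security.inter.broker.protocol=SSL
    # Kafka 2.0+ verifies the broker hostname against the certificate by default;
    # the CN or SAN must match the advertised listener name, or set this to empty
    # only for testing:
    # ssl.endpoint.identification.algorithm=
---
# 2. Mount the Secret into the broker, read-only, owner-only file mode.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kafka
  namespace: kafka
spec:
  template:
    spec:
      containers:
      - name: broker
        volumeMounts:
        - name: kafka-ssl
          mountPath: /etc/kafka/ssl   # each Secret key becomes a file here
          readOnly: true
      volumes:
      - name: kafka-ssl
        secret:
          secretName: kafka-ssl
          defaultMode: 0400           # the keystore holds the broker's private key
```

After the rollout, `openssl s_client -connect <broker>:9093` from inside the cluster should complete a handshake and show the broker certificate; a plaintext client pointed at 9093 will fail, which is the expected sign that the listener is really SSL.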

Hi,
I have implemented Kafka SSL security inside my pod. There is no error during startup, I can produce/consume messages from inside/outside the K8s cluster successfully, and I am able to telnet to both the plaintext and SSL ports within the containers. But when I try to connect to Kafka on the SSL port, it gives me the following error.
Also, I have verified that the keys (keystore/truststore) are fine and work properly with Kafka running on a server (outside K8s).
Please help me here...

at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:389)
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:469)
at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:328)
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:255)
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:79)
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:474)
at org.apache.kafka.common.network.Selector.poll(Selector.java:412)
... 3 more

Caused by: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
at sun.security.provider.DSA.checkKey(DSA.java:111)
at sun.security.provider.DSA.engineInitSign(DSA.java:143)
at java.security.SignatureSpi.engineInitSign(SignatureSpi.java:103)
at java.security.Signature$Delegate.init(Signature.java:1155)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1112)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1185)
at java.security.Signature.initSign(Signature.java:550)
at sun.security.ssl.HandshakeMessage$DH_ServerKeyExchange.<init>(HandshakeMessage.java:750)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:882)
... 16 more

The error message looks pretty clear. Could it be due to how your key was generated?
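How to check the "how your key was generated" question against the trace above, as an added example that is not from this thread or the project. The trace fails in sun.security.provider.DSA.checkKey while building a DH ServerKeyExchange, i.e. the broker holds a DSA key and the JDK is signing the handshake message with SHA1withDSA, which it refuses for DSA keys larger than 1024 bits; older keytool versions default -genkeypair to DSA, so `-keysize 2048` without `-keyalg` produces exactly that key. The script inspects a `keytool -list -v` listing for this condition and shows the regeneration command with an RSA key. The two listings are constructed samples shaped like keytool output; the alias "localhost", the file name and the changeit password are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or from Yolean/kubernetes-kafka.

# Read a `keytool -list -v` listing on stdin and report whether the key type
# will trip the SHA-1/DSA size check during the TLS handshake.
# Note: the certificate's own "Signature algorithm name" is not what fails;
# the handshake signature over ServerKeyExchange is, so only the key matters.
check_keystore_listing() {
  listing=$(cat)
  key=$(printf '%s\n' "$listing" \
        | sed -n 's/^[[:space:]]*Subject Public Key Algorithm:[[:space:]]*//p' | head -n 1)
  bits=$(printf '%s\n' "$key" | sed -n 's/^\([0-9][0-9]*\)-bit.*/\1/p')
  case "$key" in
    *DSA*)
      if [ -n "$bits" ] && [ "$bits" -gt 1024 ]; then
        printf 'BAD %s: JDK signs the DH ServerKeyExchange with SHA1withDSA, refused above 1024 bits\n' "$key"
      else
        printf 'WARN %s: accepted by the JDK but DSA/SHA-1 is weak, regenerate as RSA\n' "$key"
      fi ;;
    '') printf 'UNKNOWN: no "Subject Public Key Algorithm" line in listing\n' ;;
    *)  printf 'OK %s\n' "$key" ;;
  esac
}

# Regenerate the broker key pair as RSA (needs a JDK's keytool on PATH).
# In a real deployment the next steps are `keytool -certreq`, signing the CSR
# with your CA, and importing the CA and signed cert back into this keystore;
# what matters for the error above is that -keyalg RSA is set at this step.
regenerate_rsa_keystore() {
  keystore=${1:-kafka.server.keystore.jks}
  host=${2:-localhost}
  keytool -genkeypair -keystore "$keystore" -alias localhost \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -dname "CN=$host" -storepass changeit -keypass changeit
  keytool -list -v -keystore "$keystore" -storepass changeit | check_keystore_listing
}

# Constructed sample: what `keytool -genkeypair -keysize 2048` without -keyalg
# yields on a JDK that defaults to DSA. The cert is SHA256withDSA, yet the
# handshake still fails because the key is 2048-bit DSA.
DSA_LISTING='Alias name: localhost
Entry type: PrivateKeyEntry
Owner: CN=kafka-0.broker.kafka.svc.cluster.local
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key'

# Constructed sample: the same key pair generated with -keyalg RSA.
RSA_LISTING='Alias name: localhost
Entry type: PrivateKeyEntry
Owner: CN=kafka-0.broker.kafka.svc.cluster.local
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key'

printf '%s\n' "$DSA_LISTING" | check_keystore_listing
printf '%s\n' "$RSA_LISTING" | check_keystore_listing
# On a live keystore:
#   keytool -list -v -keystore kafka.server.keystore.jks -storepass changeit | check_keystore_listing
```

Run the live check against both the broker keystore and the client keystore: with ssl.client.auth=required the client signs a CertificateVerify message with its own key, so a 2048-bit DSA key on the client side produces the same failure from the other direction.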

@ankitraijr I'm trying to get the same thing done; could you please list the steps you took to get the broker running with the required security config? Is it similar to setting the required fields in the x.properties files, as we would do on a Kafka broker not running inside a Kubernetes pod?