
@vikaspatil0021
Last active September 30, 2024 13:20
SSL (Secure Sockets Layer) authentication and encryption

[Screenshot from 2024-09-29 19-48-48 (image not reproduced)]

SSL Handshake Process Between Zookeeper and Kafka Broker

  1. Zookeeper and the Kafka broker are running and want to connect to each other, so they perform an SSL handshake.
  2. Both services have:
    • Their own CA-signed certificate in the keystore.
    • The same CA certificate (ca-cert) from the CA in the truststore.
  3. The broker sends its CA-signed certificate to Zookeeper.
  4. Zookeeper verifies the broker's certificate using the CA certificate (ca-cert) in its truststore.
  5. Upon verification, Zookeeper sends its own CA-signed certificate to the broker.
  6. The broker verifies Zookeeper's certificate using the CA certificate (ca-cert) in its truststore.
  7. Once both certificates have been verified, the two sides start communicating over the encrypted connection.

Step-by-Step Commands and Explanations

  1. Generate CA Key and Certificate:

    openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
    • Creates a new CA private key (ca-key) and self-signed CA certificate (ca-cert).
  2. Create Truststore and Import CA Certificate:

    keytool -keystore kafka.zookeeper.truststore.jks -alias ca-cert -import -file ca-cert
    • Creates a truststore (kafka.zookeeper.truststore.jks) and imports the CA certificate.
  3. Create Keystore and Generate a Key Pair:

    keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
    • Creates a keystore (kafka.zookeeper.keystore.jks) and generates an RSA key pair for Zookeeper, requesting the SAN dns:localhost.
  4. Create Certificate Signing Request (CSR):

    keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -certreq -file ca-request-zookeeper
    • Generates a CSR (ca-request-zookeeper) using the Zookeeper key pair.
  5. Sign the CSR with CA Certificate:

    openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-zookeeper -out ca-signed-zookeeper -days 3650 -CAcreateserial
    • Signs the CSR to create a CA-signed certificate (ca-signed-zookeeper).
  6. Import CA Certificate into Keystore:

    keytool -keystore kafka.zookeeper.keystore.jks -alias ca-cert -import -file ca-cert
    • Imports the CA certificate into Zookeeper's keystore, so that keytool can verify the chain when the signed certificate is imported in the next step.
  7. Import the Signed Certificate into Keystore:

    keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -import -file ca-signed-zookeeper
    • Imports the CA-signed certificate into Zookeeper's keystore.
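As an added example (not part of the gist, and not code from Kafka or ZooKeeper), the Go program below runs the whole procedure in memory and then performs the mutual handshake described in the list above: it creates the CA (command 1), issues a CA-signed certificate for each side from a CSR that requests SAN=dns:localhost (commands 3-5), gives both sides the same CA certificate as their truststore (step 2), and has the ZooKeeper side require and verify the broker's certificate while the broker verifies ZooKeeper's. A second run uses a broker certificate signed by a CA that was never imported into the truststore and shows that handshake being refused. Assumptions: Go's standard library stands in for keytool and openssl, ECDSA P-256 keys replace the RSA keys of the keytool command, loopback TCP replaces the real services, and the CA names and serial numbers are made up for the demo. One thing the code does explicitly is worth checking in the real output: `openssl x509 -req` does not copy the SAN from the CSR into the signed certificate unless told to (`-copy_extensions copy` on OpenSSL 3, an `-extfile` on older versions), so after command 5 inspect ca-signed-zookeeper with `openssl x509 -in ca-signed-zookeeper -noout -text` and confirm the Subject Alternative Name is present; without it, hostname verification fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demo on an unexpected setup error (key generation and the like).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Same validity as the -days 3650 flags, with an hour of clock slack on NotBefore.
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(3650 * 24 * time.Hour)

// newCA mirrors command 1 (openssl req -new -x509): a self-signed CA key and certificate.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issue mirrors commands 3-5: generate a key pair, build a CSR requesting SAN=dns:localhost,
// let the CA check the CSR and sign it. The SAN is carried over from the CSR explicitly.
func issue(name string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{"localhost"}}, key)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature()) // the CA confirms the requester holds the matching private key
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key} // what the keystore holds
}

// handshake runs the mutual verification of the list above over loopback TCP: zk listens and demands a
// client certificate chaining to the truststore; the broker checks zk's certificate and SAN the same way.
func handshake(zkCert, brokerCert tls.Certificate, trust *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{zkCert},
		ClientCAs: trust, ClientAuth: tls.RequireAndVerifyClientCert})
	check(err)
	defer ln.Close()
	zkVerdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		check(err)
		defer c.Close()
		zkVerdict <- c.(*tls.Conn).Handshake() // zk's verdict on the broker's certificate
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{brokerCert},
		RootCAs: trust, ServerName: "localhost"}) // ServerName must match the SAN in zk's certificate
	if err != nil {
		return err // the broker rejected zk's certificate
	}
	defer c.Close()
	return <-zkVerdict // nil only when both sides accepted the peer
}

// Scenario returns the outcome of the trusted handshake (expected nil) and of one where the
// broker's certificate was signed by a CA absent from the truststore (expected error).
func Scenario() (trusted, untrusted error) {
	ca, caKey := newCA("demo-ca") // names and serials below are made up for the demo
	trust := x509.NewCertPool()
	trust.AddCert(ca) // the truststore holds only ca-cert, never the leaf certificates
	zkCert := issue("zookeeper", 2, ca, caKey)
	trusted = handshake(zkCert, issue("broker", 3, ca, caKey), trust)
	rogueCA, rogueKey := newCA("rogue-ca") // a CA nobody imported into the truststore
	untrusted = handshake(zkCert, issue("broker", 4, rogueCA, rogueKey), trust)
	return trusted, untrusted
}

func main() {
	trusted, untrusted := Scenario()
	fmt.Println("trusted broker:", trusted, "| untrusted broker:", untrusted)
}
```

Running it prints `<nil>` for the trusted broker and a "failed to verify client certificate" style error for the rogue one; the point of the second run is that nothing in the broker's own keystore matters once the CA that signed it is missing from ZooKeeper's truststore.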