Reply
Highlighted
New Contributor
Posts: 1
Registered: ‎10-18-2018

Problem configuring SSL secure connection in Kafka using Cloudera Manager 5.13.0 and S.O Centos 6

 

Hi  People

 

I am trying to make a secure communication between a producer and a consumer in Kafka (1.0.1)

by enabling the SSL protocol, however after the generation of the certificates and configure

the server.properties file through the Cloudera Manager(Version 5.13.0 and S.O Centos 6), when

I made the connection test using the openssl s_client -debug -connect localhost:9093 -tls1

 

I have the following error, someone can help me

 

CONNECTED(00000003)

write to 0x1a9e670 [0x1ae9713] (155 bytes => 155 (0x9B))

0000 - 16 03 01 00 96 01 00 00-92 03 01 5b c6 7c 3d 62   ...........[.|=b

0010 - 53 b1 25 75 34 88 fd 60-7a 41 93 51 68 3a 63 d5   S.%u4..`zA.Qh:c.

0020 - 57 14 37 6e 78 bd bc 38-e4 d7 ef 00 00 4c c0 14   W.7nx..8.....L..

0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35   ...9.8.........5

0040 - 00 84 c0 13 c0 09 00 33-00 32 c0 12 c0 08 00 9a   .......3.2......

0050 - 00 99 00 45 00 44 00 16-00 13 c0 0e c0 04 c0 0d   ...E.D..........

0060 - c0 03 00 2f 00 96 00 41-00 0a 00 07 c0 11 c0 07   .../...A........

0070 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 1d 00 0b   ................

0080 - 00 04 03 00 01 02 00 0a-00 08 00 06 00 19 00 18   ................

0090 - 00 17 00 23 00 00 00 0f-00 01 01                  ...#.......

read from 0x1a9e670 [0x1ae51c3] (5 bytes => 5 (0x5))

0005 - <SPACES/NULS>

write to 0x1a9e670 [0x1aeebe0] (7 bytes => 7 (0x7))

0000 - 15 03 01 00 02 02 46                              ......F

140660245464904:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 5 bytes and written 7 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol  : TLSv1

Cipher    : 0000

Session-ID:

Session-ID-ctx:

Master-Key:

Key-Arg   : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

Start Time: 1539734589

Timeout   : 7200 (sec)

Verify return code: 0 (ok)

---

Additionally my logs says

 

2018-10-11 12:38:16,510 WARN org.apache.kafka.common.network.SslTransportLayer: Failed to send SSL Close message

java.io.IOException: Connection reset by peer

        at sun.nio.ch.FileDispatcherImpl.write0(Native Method)

        at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)

        at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)

        at sun.nio.ch.IOUtil.write(IOUtil.java:65)

        at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:487)

        at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:212)

        at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:175)

        at org.apache.kafka.common.utils.Utils.closeAll(Utils.java:703)

        at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:61)

        at org.apache.kafka.common.network.Selector.doClose(Selector.java:739)

        at org.apache.kafka.common.network.Selector.close(Selector.java:727)

        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:520)

        at org.apache.kafka.common.network.Selector.poll(Selector.java:412)

        at kafka.network.Processor.poll(SocketServer.scala:551)

        at kafka.network.Processor.run(SocketServer.scala:468)

        at java.lang.Thread.run(Thread.java:745)

 

 

 

PROCEDURE TO MAKE THE CERTIFICATES

 

CERTIFICATION AUTHORITY

=======================

openssl req -new -newkey rsa:4096 -days 365 -x509 -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes

openssl req -new -newkey rsa:4096 -days 365 -x509 -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes

 

CREATING SERVER CERTIFICATE

===========================

Using my hostname (quickstart.cloudera)

 

keytool -genkey -keystore kafka.server.keystore.jks -validity 365 -storepass $SRVPASS -keypass $SRVPASS  -dname "CN=quickstart.cloudera" -storetype pkcs12

 

CREATE A CERTIFICATION REQUEST FILE

===================================

keytool -keystore kafka.server.keystore.jks -certreq -file cert-file -storepass $SRVPASS -keypass $SRVPASS

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:$SRVPASS

 

CHECK CERTIFICATES

===================

keytool -printcert -v -file cert-signed

keytool -list -v -keystore kafka.server.keystore.jks

 

keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt

 

IMPORT CA AND THE SIGNED SERVER CERTIFICATE INTO KEYSTORE

=========================================================

keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt

keytool -keystore kafka.server.keystore.jks -import -file cert-signed -storepass $SRVPASS -keypass $SRVPASS -noprompt

 

keytool -keystore kafka.client.keystore.jks -alias localhost -certreq -file cert-file

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days $VALIDITY -CAcreateserial -passin pass:$PASSWORD

 

keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert

keytool -keystore kafka.client.keystore.jks -alias localhost -import -file cert-signed

 

////////////////////////////

 

KAFKA SERVER PROPERTIES

listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093

ssl.keystore.location=/var/private/ssl-new-5/kafka.server.keystore.jks

ssl.keystore.password=XXXXXX

ssl.key.password=XXXXXX

ssl.truststore.location=/var/private/ssl-new-5/kafka.server.truststore.jks

ssl.truststore.password=XXXXXXX

 

offsets.topic.replication.factor=1

transaction.state.log.replication.factor=1

transaction.state.log.min.isr=1

 

I appreciate any help to solve this problem

Announcements