Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Kafka SSL issue

Highlighted

Kafka SSL issue

Expert Contributor

Hello All

- I was able to set up SSL for the Kafka brokers, using OpenSSL.

however, I'm having issues with setting up SSL using the pem file (i.e. SSL certificate - certified by CA, provided by the company)

Here is what i've done - created the server/client keystore & truststore files and imported the provided cert.pem file

keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.client.keystore.jks -alias localhost -validity 365 -genkey
keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file cert.pem 

I've a console producer pushing data in to the topic, and gives error as shown below ->

Any ideas on what the issue might be ?

Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, state = 1, type = 1
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:213)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:336)
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:417)
... 7 more 

thanks for the help in advance!

6 REPLIES 6

Re: Kafka SSL issue

Expert Contributor

@mqureshi, @Jasper - any ideas on this ?

Re: Kafka SSL issue

Mentor

@Karan Alang


Can you have a look at this ssl_kafka

Re: Kafka SSL issue

Super Collaborator

Hi @Karan Along,

Looks you hit the issue with ciphers.

can you please include "-keyalg rsa" to your key tool genkey command,

keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey -keyalg rsa

looks there was some issue with openssl ciphers in centos 6.5 (got to know from some website)

however, I use the following script to generate host, client certs (ca.pem,ca.crt are the private, output keys to authorize the keys)

openssl openssl req -new -x509 -keyout ca.pem -out ca.crt -days 365 -sha256
#!/bin/bash
set -x

hstnm=${1}
ipaddr=${2}

keytool -keystore ${hstnm}.keystore.jks -alias ${hstnm} -validity 365 -genkey -keyalg rsa -ext SAN=dns:${hstnm},ip:${ipaddr} -storepass changeme -dname "CN=${hstnm}, OU=IT, O=Project Labs, L=Melbourne, ST=Victoria, C=AU" -keypass changeme -keysize 2048

keytool -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -certreq -file ${hstnm}.crtreq -storepass changeme -keypass changeme -ext SAN=dns:${hstnm},ip:${ipaddr}

openssl x509 -req -CA ca.crt -CAkey ca.pem -in ${hstnm}.crtreq -out ${hstnm}.signed -days 365 -CAcreateserial -passin pass:changeme

keytool -keystore ${hstnm}.keystore.jks -alias CARoot -import -file ca.crt -storepass changeme -noprompt

keytool -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -import -file ${hstnm}.signed -storepass changeme -noprompt

keytool -exportcert -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -file ${hstnm}.crt.DER -storepass changeme

openssl x509 -inform der -in ${hstnm}.crt.DER -out ${hstnm}.crt

keytool -delete -alias "${hstnm}" -file ${hstnm}.crt -keystore server.truststore.jks -storepass changeme

keytool -import -alias "${hstnm}" -file ${hstnm}.crt -keystore server.truststore.jks -storepass changeme -noprompt

Re: Kafka SSL issue

Mentor

@bkosaraju

How do you generate using the script ..interesting!¨!!!

Re: Kafka SSL issue

Super Collaborator

Hi @Geoffrey Shelton Okot,

the second snippet generate a key and sign the key and import the common trust store ( incase if you want two way SSL) and then import into the trust store.

<second_script(last snippet)> fqdn_host_name ip_addr

Re: Kafka SSL issue

Super Guru

@Karan Alang

You have only imported a CARoot certificate assuming cert.pem is a root certificate. Where is your certificate that was issued to you by your CA? That certificate contains your private key.

follow the steps in this link of "Creating your Own CA".

http://kafka.apache.org/documentation.html#security_ssl_ca