
Kafka SSL issue

Expert Contributor

Hello All

- I was able to set up SSL for the Kafka brokers, using OpenSSL.

However, I'm having issues with setting up SSL using the pem file (i.e. the SSL certificate, certified by a CA, provided by the company).

Here is what I've done - created the server/client keystore & truststore files and imported the provided cert.pem file:

keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.client.keystore.jks -alias localhost -validity 365 -genkey
keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file cert.pem 

I have a console producer pushing data into the topic, and it gives the error shown below ->

Any ideas on what the issue might be?

Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, state = 1, type = 1
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:213)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:336)
at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:417)
... 7 more 

Thanks for the help in advance!


Expert Contributor

@mqureshi, @Jasper - any ideas on this?

Mentor

@Karan Alang

Can you have a look at this ssl_kafka

Super Collaborator

Hi @Karan Alang,

Looks like you hit the issue with ciphers.

Can you please include "-keyalg rsa" in your keytool genkey command:

keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey -keyalg rsa

Looks like there was some issue with OpenSSL ciphers in CentOS 6.5 (got to know from some website).

However, I use the following script to generate host and client certs (ca.pem and ca.crt are the private key and the output certificate used to authorize the keys).

# Create the CA key and certificate once, before running the script below.
# The script's "-passin pass:changeme" assumes the CA key passphrase entered here is "changeme".
openssl req -new -x509 -keyout ca.pem -out ca.crt -days 365 -sha256

#!/bin/bash
set -x

hstnm=${1}
ipaddr=${2}

# Host key pair with a self-signed placeholder certificate carrying the SAN
keytool -keystore ${hstnm}.keystore.jks -alias ${hstnm} -validity 365 -genkey -keyalg rsa -ext SAN=dns:${hstnm},ip:${ipaddr} -storepass changeme -dname "CN=${hstnm}, OU=IT, O=Project Labs, L=Melbourne, ST=Victoria, C=AU" -keypass changeme -keysize 2048

# Certificate signing request for that key
keytool -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -certreq -file ${hstnm}.crtreq -storepass changeme -keypass changeme -ext SAN=dns:${hstnm},ip:${ipaddr}

# Sign the request with the CA. "openssl x509 -req" does not copy extensions from the CSR,
# so the SAN is supplied again through -extfile or the signed cert would lose it.
openssl x509 -req -CA ca.crt -CAkey ca.pem -in ${hstnm}.crtreq -out ${hstnm}.signed -days 365 -sha256 -CAcreateserial -passin pass:changeme -extfile <(printf "subjectAltName=DNS:%s,IP:%s\n" "${hstnm}" "${ipaddr}")

# Import the CA certificate, then the signed certificate (replaces the self-signed placeholder under the same alias)
keytool -keystore ${hstnm}.keystore.jks -alias CARoot -import -file ca.crt -storepass changeme -noprompt

keytool -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -import -file ${hstnm}.signed -storepass changeme -noprompt

# Export the signed certificate and convert it from DER to PEM
keytool -exportcert -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -file ${hstnm}.crt.DER -storepass changeme

openssl x509 -inform der -in ${hstnm}.crt.DER -out ${hstnm}.crt

# Refresh this host's certificate in the shared truststore (remove any old copy first; keytool -delete takes no -file option)
keytool -delete -alias "${hstnm}" -keystore server.truststore.jks -storepass changeme

keytool -import -alias "${hstnm}" -file ${hstnm}.crt -keystore server.truststore.jks -storepass changeme -noprompt

Mentor

@bkosaraju

How do you generate using the script... interesting!!!

Super Collaborator

Hi @Geoffrey Shelton Okot,

The second snippet generates a key, signs the key, imports the common trust store (in case you want two-way SSL) and then imports it into the trust store.

<second_script(last snippet)> fqdn_host_name ip_addr

Super Guru

@Karan Alang

You have only imported a CARoot certificate assuming cert.pem is a root certificate. Where is your certificate that was issued to you by your CA? That certificate contains your private key.

Follow the steps under "Creating your Own CA" at this link.

http://kafka.apache.org/documentation.html#security_ssl_ca
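An added check, not taken from any reply in this thread: the script below parses `keytool -list -v` output and flags the keystore state behind the question, a PrivateKeyEntry that is still the self-signed -genkey certificate because no CA-signed certificate was ever imported for it. The listing is a constructed sample and the function names and status strings are my own choices.

```python
import re
import sys

# Constructed sample of `keytool -list -v` output for a keystore built the way the question did it:
# a self-signed -genkey entry plus the CA under CARoot, no CA-signed cert imported. Not the poster's output.
SAMPLE_LISTING = """\
Keystore type: jks

Alias name: localhost
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=IT, O=Example, C=AU
Issuer: CN=localhost, OU=IT, O=Example, C=AU

*******************************************

Alias name: caroot
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example, C=AU
Issuer: CN=Example CA, O=Example, C=AU
"""

def parse_listing(text):
    """One dict per alias from `keytool -list -v` output (first cert of each chain)."""
    entries = []
    for block in filter(lambda b: b.startswith("Alias name:"), re.split(r"\n(?=Alias name:)", text)):
        def field(label):  # first line in this alias block that starts with the label
            m = re.search(r"^%s (.*)$" % re.escape(label), block, re.M)
            return m.group(1).strip() if m else None
        chain = field("Certificate chain length:")  # absent on trustedCertEntry
        entries.append({"alias": field("Alias name:"), "type": field("Entry type:"),
                        "chain_len": int(chain) if chain else 0,
                        "owner": field("Owner:"), "issuer": field("Issuer:")})
    return entries

def diagnose(entries):
    """Return (status, message) with status 'no-key', 'self-signed' or 'ok'."""
    keys = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    if not keys:
        return "no-key", "no PrivateKeyEntry: the broker has no key to present"
    k = keys[0]
    if k["chain_len"] < 2 and k["owner"] == k["issuer"]:  # still the -genkey placeholder
        return "self-signed", "alias %s: CSR was never signed by the CA and imported" % k["alias"]
    return "ok", "alias %s presents a %d-cert chain issued by %s" % (k["alias"], k["chain_len"], k["issuer"])

if __name__ == "__main__":  # real keystore: keytool -list -v -keystore x.jks -storepass pw | python3 check.py
    print(diagnose(parse_listing(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING)))
```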
