Created on 10-19-2018 04:21 PM - edited 09-16-2022 06:49 AM
Hi People,
I am trying to set up secure communication between a producer and a consumer in Kafka (1.0.1)
by enabling the SSL protocol. However, after generating the certificates and configuring
the server.properties file through Cloudera Manager (version 5.13.0, OS CentOS 6), when
I ran a connection test using openssl s_client -debug -connect localhost:9093 -tls1
I got the following error. Can someone help me?
CONNECTED(00000003)
write to 0x1a9e670 [0x1ae9713] (155 bytes => 155 (0x9B))
0000 - 16 03 01 00 96 01 00 00-92 03 01 5b c6 7c 3d 62 ...........[.|=b
0010 - 53 b1 25 75 34 88 fd 60-7a 41 93 51 68 3a 63 d5 S.%u4..`zA.Qh:c.
0020 - 57 14 37 6e 78 bd bc 38-e4 d7 ef 00 00 4c c0 14 W.7nx..8.....L..
0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35 ...9.8.........5
0040 - 00 84 c0 13 c0 09 00 33-00 32 c0 12 c0 08 00 9a .......3.2......
0050 - 00 99 00 45 00 44 00 16-00 13 c0 0e c0 04 c0 0d ...E.D..........
0060 - c0 03 00 2f 00 96 00 41-00 0a 00 07 c0 11 c0 07 .../...A........
0070 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 1d 00 0b ................
0080 - 00 04 03 00 01 02 00 0a-00 08 00 06 00 19 00 18 ................
0090 - 00 17 00 23 00 00 00 0f-00 01 01 ...#.......
read from 0x1a9e670 [0x1ae51c3] (5 bytes => 5 (0x5))
0005 - <SPACES/NULS>
write to 0x1a9e670 [0x1aeebe0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 46 ......F
140660245464904:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1539734589
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Additionally, my logs say:
2018-10-11 12:38:16,510 WARN org.apache.kafka.common.network.SslTransportLayer: Failed to send SSL Close message
java.io.IOException: Connection reset by peer
at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
at sun.nio.ch.IOUtil.write(IOUtil.java:65)
at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:487)
at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:212)
at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:175)
at org.apache.kafka.common.utils.Utils.closeAll(Utils.java:703)
at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:61)
at org.apache.kafka.common.network.Selector.doClose(Selector.java:739)
at org.apache.kafka.common.network.Selector.close(Selector.java:727)
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:520)
at org.apache.kafka.common.network.Selector.poll(Selector.java:412)
at kafka.network.Processor.poll(SocketServer.scala:551)
at kafka.network.Processor.run(SocketServer.scala:468)
at java.lang.Thread.run(Thread.java:745)
PROCEDURE TO MAKE THE CERTIFICATES
CERTIFICATION AUTHORITY
=======================
openssl req -new -newkey rsa:4096 -days 365 -x509 -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes
CREATING SERVER CERTIFICATE
===========================
Using my hostname (quickstart.cloudera)
keytool -genkey -keystore kafka.server.keystore.jks -validity 365 -storepass $SRVPASS -keypass $SRVPASS -dname "CN=quickstart.cloudera" -storetype pkcs12
CREATE A CERTIFICATION REQUEST FILE
===================================
keytool -keystore kafka.server.keystore.jks -certreq -file cert-file -storepass $SRVPASS -keypass $SRVPASS
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:$SRVPASS
CHECK CERTIFICATES
===================
keytool -printcert -v -file cert-signed
keytool -list -v -keystore kafka.server.keystore.jks
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt
IMPORT CA AND THE SIGNED SERVER CERTIFICATE INTO KEYSTORE
=========================================================
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt
keytool -keystore kafka.server.keystore.jks -import -file cert-signed -storepass $SRVPASS -keypass $SRVPASS -noprompt
keytool -keystore kafka.client.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:$SRVPASS
keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.client.keystore.jks -alias localhost -import -file cert-signed
////////////////////////////
KAFKA SERVER PROPERTIES
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
ssl.keystore.location=/var/private/ssl-new-5/kafka.server.keystore.jks
ssl.keystore.password=XXXXXX
ssl.key.password=XXXXXX
ssl.truststore.location=/var/private/ssl-new-5/kafka.server.truststore.jks
ssl.truststore.password=XXXXXXX
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
I would appreciate any help solving this problem.
Created 07-12-2021 07:30 AM
please check https://github.com/edenhill/librdkafka/issues/1765
I basically added "-keyalg RSA" to the keytool commands that generate or import keys.
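The keystore procedure from the question, rewritten as an added example that applies the fix from this answer. This is not code from the original post, from the linked librdkafka issue, or from Kafka or Cloudera. It adds -keyalg RSA to the keytool step that generates the broker key (in Java 8, keytool -genkey creates a DSA key when -keyalg is omitted), keeps the same openssl CA and openssl x509 -req signing flow, and finishes with two checks a practitioner wants before restarting the broker: that the certificate the broker will present carries an RSA public key, and that it chains to the CA placed in the truststore. The SAN extension, the alias names, the 2048-bit key size, the password and the scratch directory are assumptions of this example, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: Kafka broker keystore/truststore
# build with "-keyalg RSA", plus verification of the result.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"            # assumption: fresh scratch directory
BROKER_HOST="${BROKER_HOST:-quickstart.cloudera}"   # hostname from the post
SRVPASS="${SRVPASS:-changeit-example}"        # constructed placeholder password
VALIDITY=365
KEYSIZE="${KEYSIZE:-2048}"                    # post uses 4096; 2048 keeps the example fast

# 1. Private CA: same openssl command as the post, with paths parameterised.
make_ca() {
  openssl req -new -newkey "rsa:$KEYSIZE" -days "$VALIDITY" -x509 \
    -subj "/CN=Kafka-Security-CA" -keyout "$WORKDIR/ca-key" \
    -out "$WORKDIR/ca-cert" -nodes 2>/dev/null
}

# 2. Broker key pair. "-keyalg RSA" is the fix from the answer; without it a
#    Java 8 keytool generates a DSA key. The SAN is an addition so that
#    clients doing hostname verification can match the broker name.
make_server_keystore() {
  keytool -genkeypair -keyalg RSA -keysize "$KEYSIZE" -alias broker \
    -keystore "$WORKDIR/kafka.server.keystore.jks" -validity "$VALIDITY" \
    -storepass "$SRVPASS" -keypass "$SRVPASS" \
    -dname "CN=$BROKER_HOST" -ext "SAN=DNS:$BROKER_HOST"
}

# 3. CSR from the keystore, signed by the CA. openssl x509 -req does not copy
#    CSR extensions, so the SAN is supplied again through -extfile.
sign_server_cert() {
  keytool -certreq -alias broker -keystore "$WORKDIR/kafka.server.keystore.jks" \
    -file "$WORKDIR/cert-file" -storepass "$SRVPASS" -keypass "$SRVPASS"
  printf 'subjectAltName=DNS:%s\n' "$BROKER_HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -CA "$WORKDIR/ca-cert" -CAkey "$WORKDIR/ca-key" \
    -in "$WORKDIR/cert-file" -out "$WORKDIR/cert-signed" -days "$VALIDITY" \
    -CAcreateserial -extfile "$WORKDIR/san.ext" 2>/dev/null
}

# 4. CA first, then the signed reply under the key's own alias (keytool
#    validates the reply against CARoot); CA alone goes into the truststore.
install_chain() {
  keytool -importcert -alias CARoot -file "$WORKDIR/ca-cert" \
    -keystore "$WORKDIR/kafka.server.keystore.jks" -storepass "$SRVPASS" -noprompt
  keytool -importcert -alias broker -file "$WORKDIR/cert-signed" \
    -keystore "$WORKDIR/kafka.server.keystore.jks" -storepass "$SRVPASS" -noprompt
  keytool -importcert -alias CARoot -file "$WORKDIR/ca-cert" \
    -keystore "$WORKDIR/kafka.server.truststore.jks" -storepass "$SRVPASS" -noprompt
}

# Check 1: public key algorithm of the certificate the broker will present.
# Prints "rsaEncryption" for a correct build; "dsaEncryption" is the DSA case.
server_key_algorithm() {
  keytool -exportcert -rfc -alias broker \
    -keystore "$WORKDIR/kafka.server.keystore.jks" -storepass "$SRVPASS" \
  | openssl x509 -noout -text \
  | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Check 2: the signed broker certificate chains to the CA in the truststore.
chain_verifies() {
  openssl verify -CAfile "$WORKDIR/ca-cert" "$WORKDIR/cert-signed" >/dev/null 2>&1
}

build_all() {
  mkdir -p "$WORKDIR"
  make_ca && make_server_keystore && sign_server_cert && install_chain
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  build_all
  echo "broker certificate public key algorithm: $(server_key_algorithm)"
  chain_verifies && echo "cert-signed chains to ca-cert: OK"
  echo "keystore and truststore written to $WORKDIR"
else
  echo "keytool (JDK) and openssl are required to run this example" >&2
fi
```

Point ssl.keystore.location and ssl.truststore.location in the broker properties at the two .jks files this produces, restart the broker, and repeat the handshake test from the question as openssl s_client -connect quickstart.cloudera:9093 -CAfile ca-cert, dropping -tls1 so the client negotiates the broker's highest supported version and passing -CAfile so that "Verify return code: 0 (ok)" reflects a verified broker certificate rather than a handshake that never reached one.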