Kafka-node: How to pass the SSL config like truststore location and password?

Created on 7 Feb 2019  ·  12 Comments  ·  Source: SOHU-Co/kafka-node

Right now I have configured my Kafka server with a self-signed certificate.

version: '2'
services:
  zookeeper:
    image: wurstmeister/zookeeper:latest
    ports:
      - 2181:2181
    hostname: zookeeper
  kafka:
    image: wurstmeister/kafka:2.11-2.0.0
    command: [start-kafka.sh]
    ports:
      - 9093:9093
    hostname: kafka
    environment:
      KAFKA_LISTENERS: SSL://0.0.0.0:9093
      KAFKA_ADVERTISED_LISTENERS: SSL://alfrescokafka.leafycode.com:9093
      KAFKA_SSL_KEYSTORE_LOCATION: /home/amur42s/ssl/kafka.server.keystore.jks
      KAFKA_SSL_KEYSTORE_PASSWORD: oE4KJ9FVMjMXGpgpp0qwLzUDy0uz
      KAFKA_SSL_KEY_PASSWORD: oE4KJ9FVMjMXGpgpp0qwLzUDy0uz
      KAFKA_SSL_TRUSTSTORE_LOCATION: /home/amur42s/ssl/kafka.server.truststore.jks
      KAFKA_SSL_TRUSTSTORE_PASSWORD: 123
      KAFKA_ADVERTISED_HOST_NAME: 116.203.65.132 # docker-machine ip
      KAFKA_ZOOKEEPER_CONNECT: "zookeeper:2181"
      KAFKA_CREATE_TOPICS: ""
      KAFKA_SSL_CLIENT_AUTH: 'required'
      KAFKA_SECURITY_INTER_BROKER_PROTOCOL: 'SSL'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/ssl:/home/ssl
    depends_on:
      - "zookeeper"

Unfortunately, I'm unable to connect to it using kafka-node. Looks like I need to set the ssl.truststore.location and ssl.truststore.password. How can I do this?

All 12 comments

You should not need to pass those options in the client. If it's self-signed you will need to include this option in the KafkaClient option:

        sslOptions: {
          rejectUnauthorized: false
        }

@hyperlink Thanks it worked!

Hi, what to do if it's a properly signed certificate? I need these values to set in my code.
security.protocol=SSL
ssl.truststore.location=kafka.client.truststore.jks
ssl.truststore.password=clientpass

Nothing. Just pass an empty sslOptions object and provide the correct kafka port.

Nothing. Just pass an empty sslOptions object and provide the correct kafka port.

Hi, I have the same question.

Hi, what to do if it's a properly signed certificate? I need these values to set in my code.
security.protocol=SSL
ssl.truststore.location=kafka.client.truststore.jks
ssl.truststore.password=clientpass

Hi, I have the same question. How do you fix it? Just pass an empty sslOptions?

I am facing the same issue. Has anyone been able to figure this out?

You should not need to pass those options in the client. If it's self-signed you will need to include this option in the KafkaClient option:

        sslOptions: {
          rejectUnauthorized: false
        }

The above did not work for me.

Add the ca option with the contents of your .pem file.

You should make an example for SSL.

An example for TLS/SSL connection would help a lot. Eventually a tutorial.

Here is my solution:

var fs = require('fs');
var kafka = require('kafka-node');

var kafkaClientOption = {
  clientId: 'kafkaadmin',
  kafkaHost: 'broker1:9092,broker2:9092,broker3:9092',
  ssl: true,
  sslOptions: {
    // false turns off verification of the broker certificate
    rejectUnauthorized: false,
    // CA chain, client certificate and client private key, all PEM files
    ca: [fs.readFileSync('./bin/chain.pem', 'utf-8')],
    cert: [fs.readFileSync('./bin/kafkaadmin.pem', 'utf-8')],
    key: [fs.readFileSync('./bin/kafkaadmin.key', 'utf-8')],
    // passphrase that decrypts the private key
    passphrase: "mypass",
  },
  autoConnect: true,
  connectTimeout: 1000,
  requestTimeout: 1000
}

var client = new kafka.KafkaClient( kafkaClientOption );

Thank you very much, I solved this problem with the method you provided.

Hello, don't we have support for the JKS file?
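
A verified-TLS counterpart to the `rejectUnauthorized: false` settings posted in this thread, as an added example that is not part of the original thread or of kafka-node. The helper names `buildSslOptions` and `auditSslOptions`, the `broker.example` host and the PEM text are constructed for illustration; it assumes the truststore and keystore entries have already been exported to PEM, since Node's TLS options read PEM (or PKCS#12 via `pfx`), not JKS.

```javascript
// Added example; helper names, host and PEM text are constructed placeholders.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]+?-----END \1-----/;
const KEY_TYPES = ['PRIVATE KEY', 'ENCRYPTED PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY'];

// Node's tls options take PEM text (or PKCS#12 via `pfx`), not JKS, so a
// Java truststore/keystore entry must be exported to PEM before use here.
function requirePem(name, text, allowedTypes) {
  const m = PEM_BLOCK.exec(String(text));
  if (!m) throw new Error(name + ': not PEM, export the JKS entry to PEM first');
  if (!allowedTypes.includes(m[1])) throw new Error(name + ': unexpected PEM type ' + m[1]);
  return String(text);
}

// sslOptions with verification left on: the broker chain is checked against
// `ca` and its certificate must match the host name given in kafkaHost.
// cert/key are only needed when the broker demands client authentication.
function buildSslOptions({ caPem, certPem, keyPem, passphrase }) {
  const opts = { rejectUnauthorized: true, ca: [requirePem('ca', caPem, ['CERTIFICATE'])] };
  if (certPem || keyPem) {
    opts.cert = requirePem('cert', certPem, ['CERTIFICATE']);
    opts.key = requirePem('key', keyPem, KEY_TYPES);
    if (passphrase) opts.passphrase = passphrase;
  }
  return opts;
}

// Review an existing sslOptions object and list settings that weaken TLS.
function auditSslOptions(opts = {}) {
  const findings = [];
  if (opts.rejectUnauthorized === false) {
    findings.push('rejectUnauthorized=false: the connection proceeds even if the broker '
      + 'certificate fails verification' + (opts.ca ? ', so ca cannot reject a broker' : ''));
  }
  if (opts.checkServerIdentity) findings.push('custom checkServerIdentity: review the host name check');
  if (opts.key && !opts.cert) findings.push('key supplied without cert');
  return findings;
}

// Constructed placeholder, not a real certificate.
const SAMPLE_CA = '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n';
const clientOptions = { kafkaHost: 'broker.example:9093', sslOptions: buildSslOptions({ caPem: SAMPLE_CA }) };
const postedFindings = auditSslOptions({ rejectUnauthorized: false, ca: [SAMPLE_CA] });
```

`clientOptions` has the shape passed to `new kafka.KafkaClient(...)` in the thread; `postedFindings` is the audit result for the combination of `ca` and `rejectUnauthorized: false` posted above.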
