Confluent Kafka SSL - console-consumer on node5 not receiving messages from producer on node4


karan alang

Sep 5, 2017, 5:45:48 PM9/5/17
to Confluent Platform

Hi All -

I have Confluent 3.2.2 (Kafka 0.10). I've enabled SSL (non-Kerberized) for the Kafka broker on Node 4, and I'm able to produce/consume messages using console-producer & console-consumer from Node 4.

However, I'm having issues enabling an SSL connection between Node 4 & Node 5 and trying to consume messages from Node 5 (using console-consumer).


here are the steps -

On node4: started console-producer, publishing on the SSL port (9192)

  $CONFLUENT/bin/kafka-console-producer --broker-list node4:9192 --topic ssl --producer.config client-ssl.properties

Started console-consumer on node4, consuming messages from the console-producer (port 9192)

  $CONFLUENT/bin/kafka-console-consumer --bootstrap-server node4:9192 --topic ssl --new-consumer --consumer.config client-ssl.properties

contents of client-ssl.properties ---------------------------------

  security.protocol=SSL
  ssl.truststore.location=/usr/hdp/2.5.3.0-37/confluent-3.2.2/kafkaSSL/kafka.client.truststore.jks
  ssl.truststore.password=<passwd>
  ssl.keystore.location=/usr/hdp/2.5.3.0-37/confluent-3.2.2/kafkaSSL/kafka.client.keystore.jks
  ssl.keystore.password=<passwd>
  ssl.key.password=<passwd>

This is working fine, and the consumer is able to consume messages produced by the producer.

On Node5, I've another Kafka instance; I start another console-consumer from Node5, for consuming the data from the console-producer on node4.

To enable SSL (between client on Node5 & Broker on Node4),

Steps on Node 4 ->

1) create kafka.client05.keystore.jks (set the CN -> Node5)

  keytool -keystore kafka.client05.keystore.jks -alias localhost -validity 365 -genkey

- Export a certificate request from the keystore

  keytool -keystore kafka.client05.keystore.jks -alias localhost -certreq -file cert05-file

- Get the certificate signed by the CA

  openssl x509 -req -CA ca-cert -CAkey ca-key -in cert05-file -out cert05-signed -days 365 -CAcreateserial -passin pass:<passwd>

- Import the CA certificate & signed certificate into the keystore

  keytool -keystore kafka.client05.keystore.jks -alias CARoot -import -file ca-cert
  keytool -keystore kafka.client05.keystore.jks -alias localhost -import -file cert05-signed

- Add the generated CA to the client's truststore

  keytool -keystore kafka.client05.truststore.jks -alias CARoot -import -file ca-cert

On Node5, I do the same steps as above, and start the console-consumer (to read data produced by the console-producer on node4)

  $CONFLUENT1/bin/kafka-console-consumer --bootstrap-server node4:9192 --topic ssl --new-consumer --consumer.config client-ssl.properties

This is not working: messages produced by the console-producer are not being read by the console-consumer on Node5

(however, they are being read by console-consumer on Node4)  


What do I need to do to make this work?

karan alang

Sep 7, 2017, 3:03:34 PM9/7/17
to Confluent Platform
Hello All,
here is the update on this...
I was able to fix this by copying the CA files (ca-cert & ca-key) from Node4 to Node5 and using the existing CA to sign the client certificates,
and adding the CA to the client truststore.
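The following is an added example, not code from either post above. It reproduces the CA and client-certificate part of the procedure from the first post with openssl only (so it runs without a JDK; the keytool imports of CARoot and the signed certificate into the keystore/truststore are unchanged from the post and not repeated), and then checks the condition behind the fix in the second post: the broker on node4 trusts only the CA in its truststore, so a node5 client certificate is accepted only if it was signed by that same CA key. A second, freshly generated CA with the same CN stands in for what happens when the CA creation step is re-run on node5 instead of reusing node4's ca-cert/ca-key. The CA name kafka-ca, the passphrase "demo", the temporary working directories and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Requires only openssl.
# Assumed names: kafka-ca, node5, passphrase "demo", mktemp working dirs.
set -e

# make_ca DIR CN : self-signed CA; ca-key is encrypted with passphrase "demo",
# mirroring the -passin pass:<passwd> used in the post's signing command.
make_ca() {
    mkdir -p "$1"
    openssl req -new -x509 -newkey rsa:2048 -days 365 \
        -subj "/CN=$2" -passout pass:demo \
        -keyout "$1/ca-key" -out "$1/ca-cert" >/dev/null 2>&1
}

# sign_client DIR CADIR CN : client key + CSR (cert05-file), signed by the CA
# in CADIR into cert05-signed, same openssl x509 -req step as the post.
sign_client() {
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/client-key" -out "$1/cert05-file" >/dev/null 2>&1
    openssl x509 -req -days 365 -CA "$2/ca-cert" -CAkey "$2/ca-key" \
        -passin pass:demo -CAcreateserial \
        -in "$1/cert05-file" -out "$1/cert05-signed" >/dev/null 2>&1
}

# chains_to CACERT CERT : returns 0 if CERT validates against CACERT, else 1.
# This is the check the broker effectively performs against its truststore
# during the TLS handshake with a client presenting CERT.
# (Matches on ": OK" because old openssl versions exit 0 even on failure.)
chains_to() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        return 0
    fi
    return 1
}

# Demo run.
WORK=$(mktemp -d)

# node4's CA, which is what the broker's truststore contains.
make_ca "$WORK/ca-node4" kafka-ca

# Fix from the thread: copy ca-cert and ca-key to node5 and sign there.
mkdir -p "$WORK/ca-copied-to-node5"
cp "$WORK/ca-node4/ca-cert" "$WORK/ca-node4/ca-key" "$WORK/ca-copied-to-node5/"
sign_client "$WORK/node5-good" "$WORK/ca-copied-to-node5" node5

# Failure mode: a new CA generated on node5 with the same CN but a new key.
make_ca "$WORK/ca-fresh-on-node5" kafka-ca
sign_client "$WORK/node5-bad" "$WORK/ca-fresh-on-node5" node5

if chains_to "$WORK/ca-node4/ca-cert" "$WORK/node5-good/cert05-signed"; then
    echo "node5 cert signed by node4's CA: accepted"
fi
if ! chains_to "$WORK/ca-node4/ca-cert" "$WORK/node5-bad/cert05-signed"; then
    echo "node5 cert signed by a different CA (same CN): rejected"
fi
```

Note that the rejected certificate has exactly the same subject and issuer name as the accepted one; only the signing key differs, which is why it is not visible in keytool -list output. Also, copying ca-key to every client host puts the CA's private key in more places than it needs to be: generating the keystore and CSR on node5, sending only cert05-file to node4 for signing, and shipping back cert05-signed plus ca-cert gives the same result without the key ever leaving node4.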