要生成相应的密钥文件并配置 Kafka 和 Kafka Manager 以使用这些文件进行安全通信,您需要执行以下步骤:
-
生成证书和密钥:
您需要生成 Kafka 所需的密钥库 (.keystore) 和信任库 (.truststore) 文件。您可以使用keytool和openssl工具来完成这项工作。 -
创建 Kafka 服务器的密钥库:
keytool -genkey -alias kafka-server -keyalg RSA -keystore kafka.server.keystore.jks -validity 3650 -storepass passwordstorepass -keypass passwordkeypass -dname "CN=localhost, OU=IT, O=MyCompany, L=City, ST=State, C=US" -
创建信任库并导入根证书:
首先,生成一个根证书(CA),然后使用它来签署服务器证书。
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650 -passout pass:passwordstorepass -subj "/CN=RootCA/OU=IT/O=MyCompany/L=City/ST=State/C=US"将根证书导入信任库:
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass passwordstorepass -noprompt -
生成服务器证书请求(CSR)并使用根证书签名:
keytool -keystore kafka.server.keystore.jks -alias kafka-server -certreq -file cert-file -storepass passwordstorepass openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 3650 -CAcreateserial -passin pass:passwordstorepass -
将签名的证书导入密钥库:
首先导入根证书:
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert -storepass passwordstorepass -noprompt然后导入已签名的服务器证书:
keytool -keystore kafka.server.keystore.jks -alias kafka-server -import -file cert-signed -storepass passwordstorepass -
生成
kafka_server_jaas.conf文件:创建
kafka_server_jaas.conf文件并添加以下内容:KafkaServer { org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret" user_admin="admin-secret"; }; -
配置
docker-compose.yml中的证书路径:确保
docker-compose.yml中的volumes指向正确的证书路径,并确保映射的目录包含生成的.jks和.conf文件:volumes: - ./certs:/etc/kafka/secrets -
启动 Docker 容器:
使用
docker-compose up启动容器:docker-compose up -d
这将生成所需的密钥文件并配置 Kafka 和 Kafka Manager 以使用这些文件进行安全通信。确保 certs 目录包含以下文件:
kafka.server.keystore.jkskafka.server.truststore.jkskafka_server_jaas.conf
这些步骤完成后,您的 Kafka 集群将通过 SSL/TLS 和 SASL 进行安全通信。
- 总结
安装keytool
sudo apt update
sudo apt install openjdk-11-jdk服务端配置
keytool -genkey -alias kafka-server -keyalg RSA -keystore kafka.server.keystore.jks -validity 3650 -storepass passwordstore -keypass passwordkey -dname "CN=localhost, OU=IT, O=MyCompany, L=City, ST=State, C=US"
openssl req -new -x509 -keyout ca-key.pem -out ca-cert.pem -days 3650 -passout pass:passwordkey -subj "/CN=RootCA/OU=IT/O=MyCompany/L=City/ST=State/C=US"
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert.pem -storepass passwordstore -noprompt
keytool -keystore kafka.server.keystore.jks -alias kafka-server -certreq -file cert-file.csr -storepass passwordstore
openssl x509 -req -CA ca-cert.pem -CAkey ca-key.pem -in cert-file.csr -out cert-signed.crt -days 3650 -CAcreateserial -passin pass:passwordkey
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert.pem -storepass passwordstore -noprompt
keytool -keystore kafka.server.keystore.jks -alias kafka-server -import -file cert-signed.crt -storepass passwordstore -keypass passwordkey -noprompt客户端配置
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert.pem -storepass passwordstore -noprompt
keytool -genkey -alias kafka-client -keyalg RSA -keystore kafka.client.keystore.jks -validity 3650 -storepass passwordstore -keypass passwordkey -dname "CN=localhost, OU=IT, O=MyCompany, L=City, ST=State, C=US"
keytool -keystore kafka.client.keystore.jks -alias kafka-client -certreq -file client-cert-file.csr -storepass passwordstore
openssl x509 -req -CA ca-cert.pem -CAkey ca-key.pem -in client-cert-file.csr -out client-cert-signed.crt -days 3650 -CAcreateserial -passin pass:passwordkey
keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert.pem -storepass passwordstore -noprompt
keytool -keystore kafka.client.keystore.jks -alias kafka-client -import -file client-cert-signed.crt -storepass passwordstore -keypass passwordkey -noprompt