Repository: kafka
Updated Branches:
refs/heads/trunk 7b16b4731 -> f153407c4
MINOR: Fix typos in security section
1. I think the instructions in step 2 of the security section which describe
adding the CA to server/client truststores are swapped. That is, the
instruction that says to add the CA to the server truststore adds it to the
client truststore (and vice versa).
2. "clients keys" should be possessive ("clients' keys").
This contribution is my original work, and I license the work to the project
under the project's open source license.
Author: Samuel Taylor <[email protected]>
Reviewers: Ismael Juma <[email protected]>
Closes #1651 from ssaamm/trunk
Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/f153407c
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/f153407c
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/f153407c
Branch: refs/heads/trunk
Commit: f153407c42716f4f4d9abe8be39ab1112f36a8be
Parents: 7b16b47
Author: Samuel Taylor <[email protected]>
Authored: Mon Aug 22 23:16:56 2016 +0100
Committer: Ismael Juma <[email protected]>
Committed: Mon Aug 22 23:16:56 2016 +0100
----------------------------------------------------------------------
docs/security.html | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kafka/blob/f153407c/docs/security.html
----------------------------------------------------------------------
diff --git a/docs/security.html b/docs/security.html
index 0a5e561..d51c340 100644
--- a/docs/security.html
+++ b/docs/security.html
@@ -75,11 +75,11 @@ Apache Kafka allows clients to connect over SSL. By default
SSL is disabled but
The next step is to add the generated CA to the **clients'
truststore** so that the clients can trust this CA:
<pre>
- keytool -keystore server.truststore.jks -alias CARoot <b>-import</b>
-file ca-cert</pre>
+ keytool -keystore client.truststore.jks -alias CARoot -import -file
ca-cert</pre>
- <b>Note:</b> If you configure the Kafka brokers to require client
authentication by setting ssl.client.auth to be "requested" or "required" on
the <a href="#config_broker">Kafka brokers config</a> then you must provide a
truststore for the Kafka brokers as well and it should have all the CA
certificates that clients keys were signed by.
+ <b>Note:</b> If you configure the Kafka brokers to require client
authentication by setting ssl.client.auth to be "requested" or "required" on
the <a href="#config_broker">Kafka brokers config</a> then you must provide a
truststore for the Kafka brokers as well and it should have all the CA
certificates that clients' keys were signed by.
<pre>
- keytool -keystore client.truststore.jks -alias CARoot -import -file
ca-cert</pre>
+ keytool -keystore server.truststore.jks -alias CARoot <b>-import</b>
-file ca-cert</pre>
In contrast to the keystore in step 1 that stores each machine's own
identity, the truststore of a client stores all the certificates that the
client should trust. Importing a certificate into one's truststore also means
trusting all certificates that are signed by that certificate. As the analogy
above, trusting the government (CA) also means trusting all passports
(certificates) that it has issued. This attribute is called the chain of trust,
and it is particularly useful when deploying SSL on a large Kafka cluster. You
can sign all certificates in the cluster with a single CA, and have all
machines share the same truststore that trusts the CA. That way all machines
can authenticate all other machines.</li>
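Review bot: The <b>-import</b> emphasis is now inconsistent between the two keytool commands in this hunk. The added client.truststore.jks line uses a plain -import, while the added server.truststore.jks line keeps <b>-import</b>, so two otherwise identical invocations render differently inside their <pre> blocks. The whole lines appear to have been swapped rather than only the truststore file names; either bold the flag in both commands or drop the markup from both. While the Note line is being touched for the apostrophe, its wording could also be tightened: it says "require client authentication" but covers both the "requested" and "required" values of ssl.client.auth, so "request or require client authentication" would match the values it lists.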