[ https://issues.apache.org/jira/browse/STORM-3123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523973#comment-16523973 ]
Rajkumar Singh commented on STORM-3123:
---------------------------------------

I guess https://issues.apache.org/jira/browse/STORM-3068 will resolve this

> Storm Kafka Monitor does not work with Kafka over two-way SSL
> -------------------------------------------------------------
>
> Key: STORM-3123
> URL: https://issues.apache.org/jira/browse/STORM-3123
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-kafka-monitor
> Affects Versions: 1.2.2
> Reporter: Vipin Rathor
> Priority: Major
>
> Storm Kafka Monitor has no option to read / parse SSL truststore/keystore
> properties which are required to connect to Kafka running over two-way SSL.
> As a fix, it needs to understand the following additional Kafka properties:
> {code:java}
> ssl.truststore.location=<truststore-file>
> ssl.truststore.password=<password>
> ssl.keystore.location=<keystore-file>
> ssl.keystore.password=<password>
> ssl.key.password=<password>
> {code}
> Since the JVM has a fallback mechanism for loading the SSL truststore, Storm Kafka
> Monitor would always end up using some truststore and would eventually work
> with one-way SSL (which is also a default for Kafka setup).
> Since there is no such fallback for the SSL keystore, Storm Kafka Monitor would
> start without a keystore and would eventually throw this error (in SSL debug
> mode):
> {code:java}
> Warning: no suitable certificate found - continuing without client
> authentication
> *** Certificate chain
> <Empty>
> ***
> {code}
> At this time, the Kafka broker would complain about the above like this:
> {code:java}
> kafka-network-thread-1002-SSL-7, READ: TLSv1.2 Handshake, length = 141
> *** Certificate chain
> <Empty>
> ***
> kafka-network-thread-1002-SSL-7, fatal error: 42: null cert chain
> javax.net.ssl.SSLHandshakeException: null cert chain
> {code}
> Therefore, in the absence of this fix, the only available workaround is to
> stick to one-way SSL in Kafka (i.e. keep ssl.client.auth=none in Kafka).

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
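
A pre-flight check for the condition described in the issue, as an added example (not part of the original message and not Storm or Kafka code): it loads Kafka client properties and reports which of the five listed SSL settings are missing before a connection is attempted. The class name, severity labels and sample values are assumptions; `security.protocol` is the standard Kafka client setting.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class KafkaMutualTlsPreflight {  // hypothetical class name
    // Client-side properties listed in the issue description.
    static final String[] TRUSTSTORE_KEYS = {"ssl.truststore.location", "ssl.truststore.password"};
    static final String[] KEYSTORE_KEYS = {"ssl.keystore.location", "ssl.keystore.password"};

    /** One finding per missing or empty property; no ERROR entries means a client certificate is configured. */
    static List<String> check(Properties p) {
        List<String> findings = new ArrayList<>();
        String protocol = p.getProperty("security.protocol", "PLAINTEXT");
        if (!protocol.equals("SSL") && !protocol.equals("SASL_SSL")) {
            findings.add("INFO security.protocol=" + protocol + ": SSL properties are not used");
            return findings;
        }
        for (String k : TRUSTSTORE_KEYS) {  // missing truststore: JVM fallback applies
            if (isBlank(p, k)) findings.add("WARN " + k + " unset: JVM default truststore is used");
        }
        for (String k : KEYSTORE_KEYS) {    // missing keystore: no fallback, empty certificate chain
            if (isBlank(p, k)) findings.add("ERROR " + k + " unset: no client certificate will be sent");
        }
        if (isBlank(p, "ssl.key.password")) {
            findings.add("WARN ssl.key.password unset: set it if the private key has its own password");
        }
        return findings;
    }

    static boolean isBlank(Properties p, String key) {
        String v = p.getProperty(key);
        return v == null || v.trim().isEmpty();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: truststore only, the one-way SSL setup the issue says still works.
        String sample = "security.protocol=SSL\n"
                + "ssl.truststore.location=/path/to/truststore.jks\n"
                + "ssl.truststore.password=changeit\n";
        Properties p = new Properties();
        p.load(new StringReader(sample));
        List<String> findings = check(p);
        findings.forEach(System.out::println);
        // Non-zero exit lets a deployment script stop before the broker rejects the handshake.
        System.exit(findings.stream().anyMatch(f -> f.startsWith("ERROR")) ? 1 : 0);
    }
}
```

With the constructed sample, the check prints two ERROR lines for the keystore settings and one WARN for `ssl.key.password`, then exits with status 1.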