[ https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jörn Franke updated ZOOKEEPER-3482: ----------------------------------- Description: It seems that Kerberos authentication does not work for encrypted connections of clients and quorum. It seems that only X509 Authentication works. What I would have expected: ClientSecurePort is defined A keystore and truststore are deployed on the ZooKeeper servers Only a truststore is deployed with the client (to validate the CA of the server certificate) Client can authenticate with SASL (Kerberos) Similarly for the Quorum SSL connection. Is there a way to configure this in ZooKeeper? Note: Kerberos Authentication for SSL encrypted connection should be used instead of X509 authentication for this case and not in addition. However, if it only works in 3.5.5 in addition then I would be interested and willing to test it. was: It seems that Kerberos authentication does not work for encrypted connections of clients and quorum. It seems that only X509 Authentication works. What I would have expected: ClientSecurePort is defined A keystore and truststore are deployed on the ZooKeeper servers Only a truststore is deployed with the client (to validate the CA of the server certificate) Client can authenticate with SASL (Kerberos) Similarly for the Quorum SSL connection. Is there a way to configure this in ZooKeeeper? > SASL (Kerberos) Authentication with SSL for clients and Quorum > -------------------------------------------------------------- > > Key: ZOOKEEPER-3482 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482 > Project: ZooKeeper > Issue Type: Bug > Components: server > Affects Versions: 3.5.5 > Reporter: Jörn Franke > Priority: Major > > It seems that Kerberos authentication does not work for encrypted connections > of clients and quorum. It seems that only X509 Authentication works. > What I would have expected: > ClientSecurePort is defined > A keystore and truststore are deployed on the ZooKeeper servers > Only a truststore is deployed with the client (to validate the CA of the > server certificate) > Client can authenticate with SASL (Kerberos) > Similarly for the Quorum SSL connection. > Is there a way to configure this in ZooKeeper? > > Note: Kerberos Authentication for SSL encrypted connection should be used > instead of X509 authentication for this case and not in addition. However, if > it only works in 3.5.5 in addition then I would be interested and willing to > test it. -- This message was sent by Atlassian JIRA (v7.6.14#76016)