[ https://issues.apache.org/jira/browse/KAFKA-8191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sriharsha Chintalapani updated KAFKA-8191:
------------------------------------------
    Fix Version/s:     (was: 1.1.1)
                       (was: 1.1.0)

> Add pluggability of KeyManager to generate the broker Private Keys and Certificates
> -----------------------------------------------------------------------------------
>
>                 Key: KAFKA-8191
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8191
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.1.0, 1.1.1
>            Reporter: Sai Sandeep
>            Priority: Minor
>              Labels: security
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> *Context:* Currently, in SslFactory.java, if the keystore is created null
> (caused by passing an empty config value to ssl.keystore.location), the
> default Sun KeyManager is used, ignoring the 'ssl.keymanager.algorithm'
> provided.
> We need changes to fetch the KeyManager from the KeyManagerFactory based on the
> provided keymanager algorithm, populated by 'ssl.keymanager.algorithm', if the
> keystore is found empty.
>
> *Background and Use Case:* Kafka allows users to configure a truststore and
> keystore to enable TLS connections from clients to brokers. Often this means
> that during deployment one needs to pre-provision keystores to enable clients to
> communicate with brokers on the TLS port. Most of the time users end up
> configuring a long-lived certificate, which is not good for security. Although
> KAFKA-4701 introduced the reload of keystores, it is still cumbersome to
> distribute these files onto compute systems for clients.
> There are several projects that allow one to distribute the certificates
> through a local agent, for example [Spiffe|https://spiffe.io/]. To take
> advantage of such systems we need changes to consider
> 'ssl.keymanager.algorithm' for KeyManagerFactory creation.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
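The following is an added example illustrating the behaviour the issue describes; it is not code from the issue, from Kafka's SslFactory, or from any SPIFFE library. The provider name "AgentKM", the algorithm name "AgentX509" and the AgentKeyManager class are hypothetical stand-ins for an agent-backed KeyManagerFactory that would be selected through 'ssl.keymanager.algorithm'. keyManagersBefore() mirrors the reported logic (no keystore, so no KeyManagerFactory is created and SSLContext.init falls back to the JDK default); keyManagersAfter() mirrors the requested change (the configured algorithm is always honoured and the factory is initialised with a null keystore).

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyManagerFactorySpi;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

public class PluggableKeyManagerDemo {

    // Hypothetical value for 'ssl.keymanager.algorithm' (assumption, not a Kafka default).
    static final String AGENT_ALGORITHM = "AgentX509";

    // Hypothetical KeyManager: a real one would fetch the broker key and certificate
    // chain from a local agent on each call. Returning null here is enough to show
    // which KeyManager class the SSLContext ends up with.
    public static final class AgentKeyManager implements X509KeyManager {
        public String[] getClientAliases(String keyType, Principal[] issuers) { return null; }
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return null; }
        public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
        public X509Certificate[] getCertificateChain(String alias) { return null; }
        public PrivateKey getPrivateKey(String alias) { return null; }
    }

    // SPI that hands out the agent-backed KeyManager; it needs no KeyStore at all.
    public static final class AgentKeyManagerFactorySpi extends KeyManagerFactorySpi {
        @Override protected void engineInit(KeyStore ks, char[] password) { /* keystore intentionally ignored */ }
        @Override protected void engineInit(ManagerFactoryParameters spec) { }
        @Override protected KeyManager[] engineGetKeyManagers() { return new KeyManager[] { new AgentKeyManager() }; }
    }

    // Hypothetical JCA provider registering the SPI under the AgentX509 algorithm name.
    public static final class AgentProvider extends Provider {
        public AgentProvider() {
            super("AgentKM", "1.0", "hypothetical agent-backed KeyManagerFactory");
            put("KeyManagerFactory." + AGENT_ALGORITHM, AgentKeyManagerFactorySpi.class.getName());
        }
    }

    // Reported behaviour: with no keystore, no KeyManagerFactory is created, so the
    // configured algorithm is never consulted and SSLContext.init(null, ...) silently
    // falls back to the JDK's default (SunX509) KeyManager.
    static KeyManager[] keyManagersBefore(KeyStore keystore, char[] password, String algorithm) throws Exception {
        if (keystore == null) {
            return null;
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(keystore, password);
        return kmf.getKeyManagers();
    }

    // Requested change: always build the factory from the configured algorithm and
    // initialise it even when the keystore is absent. The JDK's SunX509 factory
    // accepts a null KeyStore, and an agent-backed factory does not need one.
    static KeyManager[] keyManagersAfter(KeyStore keystore, char[] password, String algorithm) throws Exception {
        String kmfAlgorithm = algorithm != null ? algorithm : KeyManagerFactory.getDefaultAlgorithm();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlgorithm);
        kmf.init(keystore, password);
        return kmf.getKeyManagers();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new AgentProvider());

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // JDK default trust store; truststore handling is unchanged by the issue

        KeyManager[] before = keyManagersBefore(null, null, AGENT_ALGORITHM);
        KeyManager[] after = keyManagersAfter(null, null, AGENT_ALGORITHM);

        System.out.println("before: " + (before == null
                ? "null -> SSLContext uses the JDK default KeyManager, AgentX509 ignored"
                : before[0].getClass().getName()));
        System.out.println("after:  " + after[0].getClass().getName());

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(after, tmf.getTrustManagers(), null);
        System.out.println("SSLContext initialised with the configured KeyManagerFactory algorithm");
    }
}
```

Compile and run with a JDK 9 or later (the three-String Provider constructor). The point to check in a real deployment is the "before" branch: if ssl.keystore.location is empty and the broker still handshakes, it is presenting whatever the JDK default KeyManager found (typically nothing, or the javax.net.ssl.keyStore system property), not the material your configured algorithm was meant to supply.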