[ https://issues.apache.org/jira/browse/KAFKA-8191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sriharsha Chintalapani reassigned KAFKA-8191:
---------------------------------------------

    Assignee: Sai Sandeep

> Add pluggability of KeyManager to generate the broker Private Keys and Certificates
> -----------------------------------------------------------------------------------
>
>                 Key: KAFKA-8191
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8191
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.1.0, 1.1.1
>            Reporter: Sai Sandeep
>            Assignee: Sai Sandeep
>            Priority: Minor
>              Labels: security
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
>  
> *Context:* Currently, in SslFactory.java, if the keystore is created null 
> (caused by passing an empty config value to ssl.keystore.location), the 
> default Sun KeyManager is used, ignoring the 'ssl.keymanager.algorithm' 
> provided.
> We need changes to fetch the KeyManager from the KeyManagerFactory based on the 
> provided keymanager algorithm, populated by 'ssl.keymanager.algorithm', if the 
> keystore is found empty.
>  
> *Background and Use Case:* Kafka allows users to configure a truststore and 
> keystore to enable TLS connections from clients to brokers. Often this means 
> that during deployment one needs to pre-provision keystores to enable clients to 
> communicate with brokers on the TLS port. Most of the time users end up 
> configuring a long-lived certificate, which is not good for security. Although 
> KAFKA-4701 introduced the reload of keystores, it is still cumbersome to 
> distribute these files onto compute systems for clients. 
> There are several projects that allow one to distribute the certificates 
> through a local agent, for example [Spiffe|https://spiffe.io/]. To take 
> advantage of such systems we need changes to consider 
> 'ssl.keymanager.algorithm' for KeyManagerFactory creation.
>  

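The quoted description contrasts two code paths: with no keystore, the key managers are never built, so `SSLContext` falls back to the JDK default and the configured `ssl.keymanager.algorithm` is never consulted; the requested change is to always obtain the `KeyManagerFactory` for the configured algorithm. The following is an added illustration written for this page; it is not Kafka's SslFactory code. The class name `KeyManagerSelection`, the three method names and the `main` driver are assumptions made here, and the "before" method only mirrors the behaviour the issue describes.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Added example (not Kafka's SslFactory). Shows why a null keystore must not
 * short-circuit KeyManagerFactory creation: only the path that always calls
 * KeyManagerFactory.getInstance(configuredAlgorithm) lets a provider-supplied
 * factory (for example one backed by a local certificate agent) hand the
 * broker its private key and certificate chain.
 */
public final class KeyManagerSelection {

    /**
     * Mirrors the behaviour the issue describes: with no keystore, no key
     * managers are built. Passing the resulting null to SSLContext.init(...)
     * makes the JDK pick its own default key manager, so the configured
     * algorithm is silently ignored.
     */
    static KeyManager[] keyManagersIgnoringAlgorithmWhenNoKeystore(
            KeyStore keystore, char[] keyPassword, String algorithm) throws Exception {
        if (keystore == null) {
            return null; // JDK default key manager will be used instead
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(keystore, keyPassword);
        return kmf.getKeyManagers();
    }

    /**
     * Always builds the factory from the configured algorithm. With a null
     * keystore, init(null, null) is legal for the JDK factories and lets a
     * custom provider decide where keys and certificates come from.
     */
    static KeyManager[] keyManagersHonouringAlgorithm(
            KeyStore keystore, char[] keyPassword, String algorithm) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(keystore, keystore == null ? null : keyPassword);
        return kmf.getKeyManagers();
    }

    /**
     * Startup check a defender would want: fail fast if the configured
     * algorithm is not registered with any installed security provider,
     * instead of discovering at the first handshake that the wrong
     * key manager is in use. Returns the provider name on success.
     */
    static String checkAlgorithmRegistered(String algorithm) {
        try {
            return KeyManagerFactory.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(
                    "ssl.keymanager.algorithm=" + algorithm
                            + " is not provided by any installed provider", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Stands in for the ssl.keymanager.algorithm config value; the JDK
        // default is "SunX509" unless the security properties say otherwise.
        String algorithm = args.length > 0 ? args[0] : KeyManagerFactory.getDefaultAlgorithm();
        System.out.println("algorithm " + algorithm + " served by provider "
                + checkAlgorithmRegistered(algorithm));

        // Simulate an empty ssl.keystore.location: no KeyStore object at all.
        KeyManager[] before = keyManagersIgnoringAlgorithmWhenNoKeystore(null, null, algorithm);
        System.out.println("before: key managers = "
                + (before == null ? "null (JDK default would be used)" : before.length));

        KeyManager[] after = keyManagersHonouringAlgorithm(null, null, algorithm);
        for (KeyManager km : after) {
            System.out.println("after: " + km.getClass().getName()
                    + (km instanceof X509KeyManager ? " (X509KeyManager)" : ""));
        }
    }
}
```

Run with `java KeyManagerSelection.java PKIX` (or any algorithm name) to see which provider answers for it; a name no provider supplies fails the startup check rather than silently degrading to the default key manager.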


--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
