[ https://issues.apache.org/jira/browse/KAFKA-9114?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17198843#comment-17198843 ]
Sankalp Bhatia commented on KAFKA-9114:
---------------------------------------

Can you share what the issue was?

> Kafka broker fails to establish secure zookeeper connection via SSL.
> --------------------------------------------------------------------
>
>                 Key: KAFKA-9114
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9114
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.3.0, 2.3.1
>            Reporter: Gangadhar Balikai
>            Priority: Minor
>
> When I try to enable TLS/SSL between Kafka broker (tried 2.3.0 && 2.3.1) and
> zookeeper (3.5.5 & 3.5.6) cluster of 3 nodes,
> kafka broker fails with following stack trace. I have given stacktrace, kafka
> & zookeeper configurations used below.
>
> *JDK*: 1_8_0_161_64
>
> [2019-10-30 03:52:10,036] ERROR Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> java.io.IOException: Couldn't instantiate org.apache.zookeeper.ClientCnxnSocketNetty
>     at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
>     at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
>     at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:384)
>     at kafka.zookeeper.ZooKeeperClient.<init>(ZooKeeperClient.scala:103)
>     at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1826)
>     at kafka.server.KafkaServer.createZkClient$1(KafkaServer.scala:364)
>     at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:387)
>     at kafka.server.KafkaServer.startup(KafkaServer.scala:207)
>     at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:38)
>     at kafka.Kafka$.main(Kafka.scala:84)
>     at kafka.Kafka.main(Kafka.scala)
> Caused by: java.lang.NoSuchMethodException: org.apache.zookeeper.ClientCnxnSocketNetty.<init>()
>     at java.lang.Class.getConstructor0(Class.java:3082)
>     at java.lang.Class.getDeclaredConstructor(Class.java:2178)
>     at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1848)
>     ... 10 more
> [2019-10-30 03:52:10,039] INFO shutting down (kafka.server.KafkaServer)
> [2019-10-30 03:52:10,046] INFO shut down completed (kafka.server.KafkaServer)
> [2019-10-30 03:52:10,046] ERROR Exiting Kafka. (kafka.server.KafkaServerStartable)
> [2019-10-30 03:52:10,048] INFO shutting down (kafka.server.KafkaServer)
>
> STEPS.
> 1) I copied following zookeeper dependencies into kafka bin.
> a) kafka 2.3.0 and zookeeper 3.5.5
> "zookeeper-3.5.6.jar" "zookeeper-jute-3.5.6.jar" "netty*.jar"
> "commons-cli-1.2.jar"
> b) kafka 2.3.1 and zookeeper 3.5.6
> "zookeeper-3.5.6.jar" "zookeeper-jute-3.5.6.jar"
> "netty-buffer-4.1.42.Final.jar" "netty-buffer-4.1.42.Final.LICENSE.txt"
> "netty-codec-4.1.42.Final.jar" "netty-codec-4.1.42.Final.LICENSE.txt"
> "netty-common-4.1.42.Final.jar" "netty-common-4.1.42.Final.LICENSE.txt"
> "netty-handler-4.1.42.Final.jar" "netty-handler-4.1.42.Final.LICENSE.txt"
> "netty-resolver-4.1.42.Final.jar" "netty-resolver-4.1.42.Final.LICENSE.txt"
> "netty-transport-4.1.42.Final.jar" "netty-transport-4.1.42.Final.LICENSE.txt"
> "netty-transport-native-epoll-4.1.42.Final.jar"
> "netty-transport-native-epoll-4.1.42.Final.LICENSE.txt"
> "netty-transport-native-unix-common-4.1.42.Final.jar"
> "netty-transport-native-unix-common-4.1.42.Final.LICENSE.txt"
> "commons-cli-1.2.jar"
>
> *2) Configurations:*
> The *zookeeper* cluster looks good with
> 1) configuration *zoo.conf*.
> quorum.auth.server.loginContext=QuorumServer
> quorum.auth.learner.loginContext=QuorumLearner
> syncLimit=2
> tickTime=2000
> server.3=broker1\:2888\:3888
> server.2=broker2\:2888\:3888
> server.1=broker3\:2888\:3888
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> initLimit=10
> secureClientPort=2281
> quorum.auth.learnerRequireSasl=true
> quorum.auth.enableSasl=true
> quorum.auth.kerberos.servicePrincipal=servicename/_HOST
> quorum.cnxn.threads.size=20
> zookeeper.client.secure=true
> quorum.auth.serverRequireSasl=true
> zookeeper.serverCnxnFactory=org.apache.zookeeper.ClientCnxnSocketNetty
> dataDir=../data/zookeeper/data/
> 2) with *SERVER_JVMFLAGS* set to
> -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> -Dzookeeper.ssl.client.auth=none
> -Dzookeeper.ssl.keyStore.location=/path/to/keystore/key-store.jks-Dzookeeper.ssl.keyStore.password=****
> -Dzookeeper.ssl.trustStore.location=/path/to/trust/store/trust-store.jks
> -Dzookeeper.ssl.trustStore.password=****
> before *zkServer.sh start*
>
> B) *Kafka configurations.*
> *Server.properties*
> sasl.mechanism.inter.broker.protocol=PLAIN
> socket.send.buffer.bytes=102400
> default.replication.factor=2
> socket.request.max.bytes=104857600
> ssl.keystore.location=/path/to/key/store/key-store.jks
> allow.auto.create.topics.enable=true
> log.retention.check.interval.ms=300000
> security.inter.broker.protocol=SASL_SSL
> super.users=User\:admin
> log.retention.hours=12
> num.io.threads=8
> sasl.enabled.mechanisms=PLAIN
> broker.id=2
> ssl.truststore.location=/path/to/trust/store/trust-store.jks
> gds.realm.file.path=*
> authorizer.class.name=CustomAuthorizer
> ssl.client.auth=none
> group.initial.rebalance.delay.ms=0
> log.dirs=data/kafka/logs/
> listeners=SASL_SSL\://domain-name\:9093
> ssl.endpoint.identification.algorithm=
> num.network.threads=3
> socket.receive.buffer.bytes=102400
> com.dresdnerkb.gdsrealm.credential=*
> log.segment.bytes=1073741824
> num.recovery.threads.per.data.dir=1
> num.partitions=2
> zookeeper.connection.timeout.ms=6000
> allow.everyone.if.no.acl.found=true
> zookeeper.connect=zoo1\:2281,zoo2\:2281,zoo3\:2281
> 2) *KAFKA_OPTS set to*
> export KAFKA_OPTS=" export KAFKA_OPTS="
> -Dzookeeper.client.secure=true
> -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> -Dzookeeper.ssl.keyStore.location=key-store.jks
> -Dzookeeper.ssl.keyStore.password=**
> -Dzookeeper.ssl.trustStore.location=trustStore.jks
> -Dzookeeper.ssl.trustStore.password=**
> -Djava.security.auth.login.config=$KAFKA_JAAS_FILE_DIR/kafka-server-jaas.conf"
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)