Re: Anyone have guide for setting up the rest proxy using SSL and Client authentication

2017-02-01 Thread Martin Gainty
so the server is doing a forward instead of a redirect, so the Chrome client 
*should* be safe


would a self-signed cert be flagged as "non-secure connection" in Chrome

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2LXKVWYkOus%5B1-25%5D

https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure


Marking HTTP As Non-Secure - The Chromium Projects (www.chromium.org)
Proposal. We, the Chrome Security Team, propose that user agents (UAs) 
gradually change their UX to display non-secure origins as affirmatively 
non-secure.

?

Martin
__

RE: Anyone have guide for setting up the rest proxy using SSL and Client authentication

2017-02-01 Thread Gene Robichaux
The MSFT Certificate Server does not have a product name per se. We have an 
internal Certificate Server in our AD infrastructure. In this use case I just 
generate a key pair on the UNIX side in a JKS. Then create a Certificate 
Signing Request (CSR) from that key. Then I sign it with our internal 
Certificate Authority. The result is a DER encoded cert which is imported back 
into the key store for the original alias. I also import our Root CA.

At this point the JKS used by the Rest Proxy has a trustedCertEntry for the 
RootCA and a PrivateKeyEntry for my server.

Then I take the keystore and dump it to PKCS12 format. This file is then 
imported into the local cert store on the Windows server. From that point I can 
specify the thumbprint of the cert to use when calling the Rest Proxy. Not 
exactly pretty, but we have to deal with Windows in our environment.

This is a test script in PowerShell:

#***************************
# CERTIFICATE LOADING
#***************************
$checkURL = "https://whateveryourURL.company.com:8082/topics"
# SHA-1 thumbprint of the client certificate as shown in the Windows cert store
$CertNumber = "C47156654F949E8058E83F30D61C520E6FA209C2"

# LOAD CERTIFICATE FROM THE MACHINE STORE (stop early if the thumbprint is not present)
$Certificate = Get-ChildItem -Path Cert:\LocalMachine\My\$CertNumber -ErrorAction Stop
# CREATE WEB REQUEST
$req = [System.Net.HttpWebRequest]::Create($checkURL)
# ADD THE CLIENT CERT TO THE WEB REQUEST
# (Add takes a single X509Certificate; AddRange expects a collection or array)
$req.ClientCertificates.Add($Certificate) | Out-Null

#***************************
# READING SITE
#***************************

# SET TIMEOUT (value is in milliseconds; a value of 1 would time out every call)
$req.Timeout = 10000
# GET WEB RESPONSE
$res = $req.GetResponse()
# GET DATA FROM RESPONSE
$ResponseStream = $res.GetResponseStream()
# Create a stream reader and read the stream, returning the string value.
$StreamReader = New-Object System.IO.StreamReader -ArgumentList $ResponseStream
# BUILD STRING FROM RESPONSE
$strHtml = $StreamReader.ReadToEnd()
# RELEASE THE READER AND THE CONNECTION
$StreamReader.Close()
$res.Close()
$strHtml

Gene Robichaux
Senior Architect, Site Operations
Match.com
8750 North Central Expressway I Suite 1400 I Dallas, TX  75231


Re: Anyone have guide for setting up the rest proxy using SSL and Client authentication

2017-02-01 Thread Martin Gainty
Unfortunately I'm more of a *nix guy

I take it Windows has a CA server which will parse cert and lookup attrs (CN?) 
to name-server?

what is the Microsoft CA server called?

if cert is parsed and keys match which name-server do you use to lookup attrs 
(CN?) in that scenario?


Merci Eugene

Martin
__


RE: Anyone have guide for setting up the rest proxy using SSL and Client authentication

2017-02-01 Thread Gene Robichaux
Not really.

I have managed to generate a cert with a single common CN, sign that with my 
internal CA and import that to the keystore that is referenced by the 
Kafka-Rest Proxy. I then distribute that Java Keystore (JKS) to all of the 
servers running the Rest API. The last part is to export that cert and import 
that to the local certificate stores only on the windows web servers that need 
access. When a webrequest is made it is made using that certificate. Also the 
rootCA and any intermediate certs are in the truststore on the server AND in 
the local cert store on the web servers.

So I got it to work.

Gene Robichaux
Senior Architect, Site Operations
Match.com
8750 North Central Expressway I Suite 1400 I Dallas, TX  75231
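Gene's keystore workflow, as described here and in more detail in his later message (key pair in a JKS, CSR, signature by the internal CA, root CA imported as a trustedCertEntry, signed reply imported back onto the original alias, PKCS12 export for the Windows certificate store, thumbprint referenced from PowerShell), carried through end to end as an added example. This is not code from the thread or from the Kafka REST Proxy project: a throwaway keytool-generated "lab CA" stands in for the internal Windows CA (keytool -gencert replaces the CSR submission step), and every hostname, alias, password and path is constructed. The last step writes the REST Proxy SSL properties that would point at the resulting store, using the property names documented for the Confluent REST Proxy with the lab's values.

```shell
#!/bin/sh
# Added example: Gene's JKS -> CSR -> CA signature -> PKCS12 pipeline with keytool only.
# A lab CA keystore stands in for the internal AD certificate authority.
# All names, passwords and hosts below are constructed for the example.
set -eu

STOREPASS='changeit-lab'                 # constructed; a lab value only
HOST='restproxy.example.internal'        # constructed hostname of the REST Proxy

# Windows shows the SHA-1 thumbprint as 40 upper-case hex digits with no separators;
# keytool prints it colon-separated. Normalise so the two can be compared.
normalize_thumbprint() {
  printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Read `keytool -list` output on stdin; succeed only if the store holds both a
# trustedCertEntry (root CA) and a PrivateKeyEntry (server key), the state the
# thread describes for the REST Proxy's JKS.
has_required_entries() {
  awk 'BEGIN{t=0;p=0} /trustedCertEntry/{t=1} /PrivateKeyEntry/{p=1} END{exit !(t&&p)}'
}

build_lab_pki() {
  dir=$1
  ca_ks="$dir/labca.jks"; srv_ks="$dir/server.jks"; srv_p12="$dir/server.p12"

  # 0. Lab CA (stand-in for the internal certificate authority) and its root cert.
  keytool -genkeypair -alias labca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname 'CN=Lab Root CA, O=Example' -ext bc:c \
    -keystore "$ca_ks" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -exportcert -alias labca -keystore "$ca_ks" -storepass "$STOREPASS" \
    -rfc -file "$dir/rootca.pem"

  # 1. Key pair for the proxy in a JKS, then a CSR from that key.
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, O=Example" \
    -keystore "$srv_ks" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias server -keystore "$srv_ks" -storepass "$STOREPASS" \
    -file "$dir/server.csr"

  # 2. Sign the CSR. With a real Windows CA this is the CSR submission; the CA's
  #    DER reply is imported the same way in step 3. SAN carries the hostname
  #    clients verify; EKU allows the cert to be used as server and client cert.
  keytool -gencert -alias labca -keystore "$ca_ks" -storepass "$STOREPASS" \
    -infile "$dir/server.csr" -outfile "$dir/server.crt" -validity 365 -rfc \
    -ext "san=dns:$HOST" -ext eku=serverAuth,clientAuth

  # 3. Root CA first (trustedCertEntry), then the signed reply back onto the
  #    original alias so keytool can build the chain against that root.
  keytool -importcert -alias rootca -file "$dir/rootca.pem" -noprompt \
    -keystore "$srv_ks" -storepass "$STOREPASS"
  keytool -importcert -alias server -file "$dir/server.crt" -noprompt \
    -keystore "$srv_ks" -storepass "$STOREPASS"

  # 4. Check the store holds exactly the two entry types the thread describes.
  keytool -list -keystore "$srv_ks" -storepass "$STOREPASS" | has_required_entries

  # 5. PKCS12 copy (key, cert and root) for import into the Windows machine store.
  keytool -importkeystore -srckeystore "$srv_ks" -srcstoretype JKS \
    -srcstorepass "$STOREPASS" -srcalias server \
    -destkeystore "$srv_p12" -deststoretype PKCS12 -deststorepass "$STOREPASS" \
    -destkeypass "$STOREPASS"

  # 6. The value Windows will display as the thumbprint, in Windows' format.
  sha1=$(keytool -list -v -alias server -keystore "$srv_ks" -storepass "$STOREPASS" \
         | awk '/SHA1:/{print $2; exit}')
  echo "Thumbprint to reference from the Windows client: $(normalize_thumbprint "$sha1")"

  # 7. REST Proxy settings pointing at this store (property names as documented
  #    for the Confluent REST Proxy; paths and passwords are this lab's).
  cat > "$dir/kafka-rest.properties" <<EOF
listeners=https://0.0.0.0:8082
ssl.keystore.location=$srv_ks
ssl.keystore.password=$STOREPASS
ssl.key.password=$STOREPASS
ssl.truststore.location=$srv_ks
ssl.truststore.password=$STOREPASS
ssl.client.auth=true
EOF
  echo "Wrote $dir/kafka-rest.properties"
}

if command -v keytool >/dev/null 2>&1; then
  build_lab_pki "$(mktemp -d)"
else
  echo 'keytool not on PATH; skipping the keystore build' >&2
fi
```

The thumbprint printed in step 6 is the value that goes into the Windows-side script's thumbprint variable, and server.p12 is the file imported into Cert:\LocalMachine\My. The same JKS serves as keystore and truststore, which is why a trustedCertEntry for the root must be in it: with ssl.client.auth=true the proxy validates the presented client certificate against that root, so a client cert signed by any other CA is rejected at the handshake.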



Re: Anyone have guide for setting up the rest proxy using SSL and Client authentication

2017-02-01 Thread Martin Gainty
probably fighting an uphill battle sending cleartext POSTS and GETS with REST 
calls


most apache server folk who secure HTTP 1.1 server will front end with CA 
(provided by Thawte, VeriSign, GeoTrust)

https://www.geotrust.com


GeoTrust® | Purchase SSL Certificates & Code Signing ... (www.geotrust.com)
Guarantee online customer security with SSL certificates from GeoTrust. 
Purchase in bulk, manage multiple certificates & become your own Certificate 
Authority.

once the credentials from cert are validated against nameserver (LDAP) and the 
keys match

a secure handshake is initiated and the SSL request is redirected to your HTTP 
1.1 server


does this help?

Martin
__

LoveChatTranscript October 2016

>From Huma Mahmood Abedin>Single lady looking for Love
>From LoveStruckValidimir>Yes i am rich single caucasian looking for love
>From Huma Mahmood Abedin>where are your from Vladimir?
>From LoveStruckValidimir>currently in Crimea
>From Huma Mahmood Abedin>is that in Ukraine?
>From LoveStruckValidimir>no crimea is part of Russia now
>From LoveStruckValidimir>what do you do?
>From Huma Mahmood Abedin>Chief of Staff for "We are stronger Together" campaign
>From LoveStruckValidimir>i send you gift ..Elf on Shelf ..place next to bosses 
>InternetRouter
>From Huma Mahmood Abedin>ok


From: Gene Robichaux 
Sent: Wednesday, February 1, 2017 12:52 PM
To: users@kafka.apache.org
Subject: Anyone have guide for setting up the rest proxy using SSL and Client 
authentication


We are looking at the Rest Proxy for our environment but we want to secure 
connections to the Rest proxy via SSL AND Client Certificate authentication.

The SSL part is no big deal but I am struggling mightily with the client 
authentication portion.

Does someone have some details on how to properly set this up?

The general architecture is 3 rest proxies behind a load balancer. Windows web 
servers posting messages through the LB to the three proxies.

I have not really seen anyone running this configuration with client 
authentication. Any help would be appreciated.

Gene Robichaux
Senior Architect, Site Operations
Match.com
8750 North Central Expressway I Suite 1400 I Dallas, TX  75231