Hello Zookeeper-Users,

I noticed in the Zookeeper documentation that transport-layer encryption (SSL/TLS) could now be achieved through the introduction of a ServerCnxnFactory implementation based on Apache Netty, org.apache.zookeeper.server.NettyServerCnxnFactory, which is available starting with Zookeeper 3.4. Unfortunately, there appears to be little to no documentation surrounding this functionality. In fact, the pertinent sections in the Zookeeper Administrator’s Guide are marked “TBD”. I’ve done quite a bit of searching without much success. Past questions regarding this functionality seem to have gone unanswered:

http://zookeeper-user.578899.n2.nabble.com/Netty-amp-SSL-td7579346.html
http://zookeeper-user.578899.n2.nabble.com/Zookeeper-Netty-SSL-PKI-td7578089.html

My apologies if the questions I put forth have been answered previously or are documented elsewhere; if this is indeed the case, I would greatly appreciate being pointed in the right direction.

1. The small amount of documentation that does exist surrounding the Netty functionality seems to imply that the “zookeeper.serverCnxnFactory” property is applicable to both the client and server side. Is this correct, or is there a client-specific property that should be used?

2. How does one force the server to only leverage SSL, refusing non-encrypted connections?

3. How does one specify both the client certificate to be presented to the server (for client-auth) and the server certificate to be presented during incoming handshakes?

I realize that keeping documentation updated with active development is a difficult task, especially when the time involved is essentially donated to the community. As I stated previously, any assistance in this matter will be greatly appreciated (even “RTFM” if you can point me to the right manual).

Best Regards,
Steve
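
The following is an added example, not part of Steve's post or of any reply in the thread, showing how the three questions above map onto the SSL knobs that ZooKeeper ships in the 3.5.x line (the Netty factory itself appeared in 3.4, but the documented TLS properties, secureClientPort and the ZKClientConfig-based client constructor are 3.5.x features). The hostname, port, key store and trust store paths and passwords are placeholders. The client does not reuse the server's zookeeper.serverCnxnFactory property: it selects the Netty socket with zookeeper.clientCnxnSocket and turns on TLS with zookeeper.client.secure. The key store holds the certificate and private key this side presents (the client certificate for client-auth, or the server certificate on the server side); the trust store holds the CA certificates used to validate the peer. A server configured with secureClientPort and no clientPort has no plaintext listener at all, which is how non-encrypted connections are refused.

```java
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.data.Stat;

/*
 * Server side (assumed 3.5.x). In zoo.cfg, configure ONLY the TLS port so that
 * plaintext clients have nothing to connect to:
 *
 *   secureClientPort=2281
 *   # no clientPort line at all
 *
 * and pass the factory and the server's key material as JVM system properties
 * (for example through SERVER_JVMFLAGS in zkEnv.sh):
 *
 *   -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
 *   -Dzookeeper.ssl.keyStore.location=/etc/zookeeper/ssl/server.keystore.jks   (server cert + key)
 *   -Dzookeeper.ssl.keyStore.password=<password>
 *   -Dzookeeper.ssl.trustStore.location=/etc/zookeeper/ssl/truststore.jks     (CAs that issued client certs)
 *   -Dzookeeper.ssl.trustStore.password=<password>
 *
 * In 3.5.x the Netty factory requests and requires a client certificate on the
 * TLS handshake, so the client below must carry one in its own key store.
 */
public class SecureZkClientExample {

    // Placeholder values; replace with your own deployment's paths and secrets.
    private static final String CONNECT_STRING = "zk1.example.internal:2281"; // must be the secureClientPort
    private static final String CLIENT_KEYSTORE = "/etc/zookeeper/ssl/client.keystore.jks";
    private static final String CLIENT_KEYSTORE_PASSWORD = "changeit";
    private static final String TRUSTSTORE = "/etc/zookeeper/ssl/truststore.jks";
    private static final String TRUSTSTORE_PASSWORD = "changeit";

    /**
     * Builds a per-client configuration instead of relying on global -D flags, so
     * a TLS client and a plaintext client can coexist in the same JVM.
     */
    public static ZKClientConfig secureClientConfig(String keyStore, String keyStorePassword,
                                                    String trustStore, String trustStorePassword) {
        ZKClientConfig cfg = new ZKClientConfig();

        // Client-side counterpart of zookeeper.serverCnxnFactory: use the Netty socket,
        // which is the only client transport that can do TLS.
        cfg.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
                "org.apache.zookeeper.ClientCnxnSocketNetty");

        // Switch the connection to TLS; the port in the connect string must be the
        // server's secureClientPort, not its plaintext clientPort.
        cfg.setProperty(ZKClientConfig.SECURE_CLIENT, "true");

        // Key store: the certificate and private key this client presents when the
        // server asks for client authentication.
        cfg.setProperty("zookeeper.ssl.keyStore.location", keyStore);
        cfg.setProperty("zookeeper.ssl.keyStore.password", keyStorePassword);

        // Trust store: the CA certificates the client uses to validate the server's
        // certificate during the handshake.
        cfg.setProperty("zookeeper.ssl.trustStore.location", trustStore);
        cfg.setProperty("zookeeper.ssl.trustStore.password", trustStorePassword);

        return cfg;
    }

    public static void main(String[] args) throws Exception {
        ZKClientConfig cfg = secureClientConfig(CLIENT_KEYSTORE, CLIENT_KEYSTORE_PASSWORD,
                                                TRUSTSTORE, TRUSTSTORE_PASSWORD);

        // The ZKClientConfig-accepting constructor exists from 3.5.x onward.
        ZooKeeper zk = new ZooKeeper(CONNECT_STRING, 30_000, event -> { /* no-op watcher */ }, cfg);
        try {
            // A read of the root node proves the TLS session and client-auth both succeeded;
            // a handshake failure surfaces here as a connection-loss exception instead.
            Stat stat = zk.exists("/", false);
            System.out.println("Connected over TLS; root node czxid = " + stat.getCzxid());
        } finally {
            zk.close();
        }
    }
}
```

To confirm that the server really refuses plaintext, point a stock (non-TLS) client or `nc` at 2281 and at the old 2181: the TLS port will drop the session at the handshake, and with clientPort removed from zoo.cfg nothing should be listening on 2181 at all.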
