Hi Chris,

The short answer is yes, all you need to do is not specify the clientPort in the zoo.cfg.

An example for the zoo.cfg in this case:

    tickTime=3000
    initLimit=10
    syncLimit=5
    dataDir=/data/zkdata
    secureClientPort=2191
    serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
    ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
    ssl.keyStore.password=password
    ssl.trustStore.location=/etc/zookeeper/ssl/servertrust.jks
    ssl.trustStore.password=password

These are the main options you can choose from when configuring client SSL:

- option 1: only unsecure (this is when you specify only the clientPort in the zoo.cfg)
- option 2: only SSL (I think this is what you want... this happens if you don't specify clientPort in the zoo.cfg, but you specify the secureClientPort. Of course, in this case you also have to set a few other parameters, like setting the serverCnxnFactory to netty and defining the ssl.keyStore / ssl.trustStore locations and passwords - see the example above)
- option 3: both secure and unsecure client connections on different server ports (this happens when you set both the clientPort and the secureClientPort in the zoo.cfg to different ports)
- option 4: both secure and unsecure client connections using the same server port (this happens when you set 'client.portUnification=true' in the config file and set the clientPort in the zoo.cfg. In this case the clientPort will be able to serve both unsecure and SSL connections. Of course, in this case you still have to set the other SSL related parameters, like the serverCnxnFactory and the ssl.keyStore / ssl.trustStore locations and passwords)

AFAIK, option 4 is not available yet in any released 3.5 version. It will be part of the first 3.6 release candidate soon. Also there is a backport PR for it just under review ( https://github.com/apache/zookeeper/pull/1174 ), so it's likely to be in the next 3.5.7 release, if / whenever that happens.

Regards,
Mate

On Thu, Dec 12, 2019 at 2:31 PM Chris T. <[email protected]> wrote:
> Hi,
>
> we're working on securing our clusters. For quorum, once we set
> sslQuorum=true, there is no more unsecured quorum port.
> Is such an option available or in the works for the client port as well ?
> Or is ssl client port always in addition to unsecured client port ?
>
> Regards,
>
> Chris

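Added example, not from the thread and not part of the ZooKeeper project: a small Python checker that parses a zoo.cfg and reports which of the four client-port options from the reply above the file selects, and which SSL settings that option still needs. The key names (clientPort, secureClientPort, client.portUnification, serverCnxnFactory, ssl.keyStore.*, ssl.trustStore.*) are the ones discussed in the reply; the mode labels, the function names and the sample configs (including the password values) are constructed for this example.

```python
"""Classify a ZooKeeper zoo.cfg by how it exposes the client port.

Added example (not from the mailing-list thread or the ZooKeeper code base).
It reads the keys the reply discusses and reports which of the four options
the file selects, plus any SSL setting that option needs but the file lacks.
"""

NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"

# Settings the reply says must accompany any SSL-enabled client port.
SSL_REQUIRED = (
    "ssl.keyStore.location",
    "ssl.keyStore.password",
    "ssl.trustStore.location",
    "ssl.trustStore.password",
)


def parse_zoo_cfg(text):
    """Parse the key=value lines of a zoo.cfg into a dict.

    Blank lines and '#' comments are skipped; keys and values are stripped.
    Values stay strings, as ZooKeeper reads them from a Properties file.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line, ignore it
        cfg[key.strip()] = value.strip()
    return cfg


def classify_client_ports(text):
    """Return {'mode': ..., 'problems': [...]} for the given zoo.cfg text.

    mode (labels are this example's own) is one of 'plaintext-only' (option 1),
    'ssl-only' (option 2), 'split-ports' (option 3), 'unified-port' (option 4)
    or 'no-client-port'.  problems lists the SSL settings the selected mode
    needs but the file does not provide.
    """
    cfg = parse_zoo_cfg(text)
    client_port = cfg.get("clientPort")
    secure_port = cfg.get("secureClientPort")
    unification = cfg.get("client.portUnification", "false").lower() == "true"

    if client_port and unification:
        mode = "unified-port"
    elif client_port and secure_port:
        mode = "split-ports"
    elif secure_port:
        mode = "ssl-only"
    elif client_port:
        mode = "plaintext-only"
    else:
        mode = "no-client-port"

    problems = []
    if mode in ("ssl-only", "split-ports", "unified-port"):
        # Every SSL mode needs the Netty factory and a key store + trust store.
        if cfg.get("serverCnxnFactory") != NETTY_FACTORY:
            problems.append("serverCnxnFactory must be " + NETTY_FACTORY)
        for key in SSL_REQUIRED:
            if not cfg.get(key):
                problems.append("missing " + key)
    if mode == "split-ports" and client_port == secure_port:
        problems.append("clientPort and secureClientPort must differ")
    return {"mode": mode, "problems": problems}


# Constructed sample configs (not real deployments).
SSL_ONLY_CFG = """
tickTime=3000
dataDir=/data/zkdata
secureClientPort=2191
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
ssl.keyStore.password=changeit
ssl.trustStore.location=/etc/zookeeper/ssl/servertrust.jks
ssl.trustStore.password=changeit
"""

# A typical incomplete attempt: secureClientPort set, but the default NIO
# factory kept and no trust store configured.
BROKEN_CFG = """
clientPort=2181
secureClientPort=2191
ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
ssl.keyStore.password=changeit
"""

if __name__ == "__main__":
    for name, cfg in (("ssl-only", SSL_ONLY_CFG), ("broken", BROKEN_CFG)):
        print(name, classify_client_ports(cfg))
```

Running the file prints the mode and the list of problems for both sample configs; pointing parse_zoo_cfg at a real file's contents works the same way, since the checker only looks at the keys named in the reply.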