Great, thanks.

On Thu, Dec 12, 2019 at 3:53 PM Szalay-Bekő Máté <[email protected]> wrote:
> Hi Chris,
>
> The short answer is yes, all you need to do is don't specify the clientPort
> in the zoo.cfg.
>
> An example for the zoo.cfg in this case:
>
> tickTime=3000
> initLimit=10
> syncLimit=5
> dataDir=/data/zkdata
>
> secureClientPort=2191
> serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
> ssl.keyStore.password=password
> ssl.trustStore.location=/etc/zookeeper/ssl/servertrust.jks
> ssl.trustStore.password=password
>
> These are the main options you can choose from, when configuring client
> SSL:
>
> - option 1: only unsecure (this is when you specify only the clientPort in
>   the zoo.cfg)
> - option 2: only SSL (I think this is what you want... this happens if you
>   don't specify clientPort in the zoo.cfg, but you specify the
>   secureClientPort. Of course in this case you also have to set a few other
>   parameters, like setting the serverCnxnFactory to netty and defining the
>   ssl.keyStore / ssl.trustStore locations and passwords - see the example
>   above)
> - option 3: both secure and unsecure client connections on different server
>   ports (this happens when you set both the clientPort and
>   the secureClientPort in the zoo.cfg to different ports)
> - option 4: both secure and unsecure client connections using the same
>   server port (this happens when you set 'client.portUnification=true' in
>   the config file and set the clientPort in the zoo.cfg. In this case the
>   clientPort will be able to serve both unsecure and SSL connections. Of
>   course, in this case you still have to set the other SSL related
>   parameters, like the serverCnxnFactory and the ssl.keyStore /
>   ssl.trustStore locations and passwords)
>
> AFAIK, option 4 is not available yet in any released 3.5 version. It
> will be part of the first 3.6 release candidate soon. Also there is a
> backport PR for it just under review
> (https://github.com/apache/zookeeper/pull/1174) so it's likely to be in the
> next 3.5.7 release, if / whenever that will happen.
>
> Regards,
> Mate
>
> On Thu, Dec 12, 2019 at 2:31 PM Chris T. <[email protected]> wrote:
>
> > Hi,
> >
> > we're working on securing our clusters. For quorum, once we set
> > sslQuorum=true, there is no more unsecured quorum port.
> > Is such an option available or in the works for the client port as well?
> > Or is the SSL client port always in addition to the unsecured client port?
> >
> > Regards,
> >
> > Chris
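As an added example that is not part of the thread or of ZooKeeper itself: a small audit script that parses a zoo.cfg and reports which of the four client-port modes Mate describes is in effect, flags any plaintext listener, and checks that the SSL-related keys he lists (NettyServerCnxnFactory plus the ssl.keyStore / ssl.trustStore settings) are present. The key names and classification rules are taken from the thread; the sample config is constructed.

```python
NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
SSL_KEYS = ("ssl.keyStore.location", "ssl.keyStore.password",
            "ssl.trustStore.location", "ssl.trustStore.password")

def parse_zoo_cfg(text):
    """Parse zoo.cfg key=value lines; '#' comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit_client_ports(cfg):
    """Classify the client-port setup into the thread's four options; returns (mode, findings)."""
    plain = cfg.get("clientPort")
    secure = cfg.get("secureClientPort")
    unified = cfg.get("client.portUnification", "false").lower() == "true"
    findings = []
    if plain and unified:
        mode = "option 4"   # one port serving both plaintext and SSL clients
    elif plain and secure:
        mode = "option 3"   # separate plaintext and SSL ports
        if plain == secure:
            findings.append("clientPort and secureClientPort must differ")
    elif secure:
        mode = "option 2"   # SSL only: no plaintext listener at all
    elif plain:
        mode = "option 1"   # plaintext only
    else:
        mode = "none"       # no client listener configured at all
    if plain:   # every mode except option 2 still accepts plaintext clients
        findings.append("plaintext client connections accepted on port " + plain)
    if mode in ("option 2", "option 3", "option 4"):
        if cfg.get("serverCnxnFactory") != NETTY:
            findings.append("SSL needs serverCnxnFactory=" + NETTY)
        for key in SSL_KEYS:
            if key not in cfg:
                findings.append("missing " + key)
    return mode, findings

# Constructed sample: the SSL-only (option 2) configuration from the thread.
SSL_ONLY_CFG = """
secureClientPort=2191
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
ssl.keyStore.password=password
ssl.trustStore.location=/etc/zookeeper/ssl/servertrust.jks
ssl.trustStore.password=password
"""
```

Running `audit_client_ports(parse_zoo_cfg(SSL_ONLY_CFG))` yields `("option 2", [])`; a config that only sets `clientPort` is reported as option 1 with a plaintext-listener finding.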
