Raghav,

1. Yes, your customers can use certificates signed by a trusted authority.
You can simply omit the truststore configuration for your broker in
server.properties, and Kafka would use the default, which will trust the
client certificates. If your brokers are using SSL for inter-broker
communication and you are still using your private CA for the broker's
keystore, then you will need two separate endpoints in your listener
configuration, one for your customers' clients and another for inter-broker
communication, so that you can specify a truststore with your private
ca-cert for your broker connections.

2. Yes, all the commands can specify the password on the command line, so you
should be able to generate all the stores using a script without any
interaction.

Regards,

Rajini


On Wed, May 17, 2017 at 2:49 PM, Raghav <raghavas...@gmail.com> wrote:

> One follow-up question, Rajini:
>
> 1. Can we use some other mechanism, like having our customers use a well
> known CA which JKS understands, so that in that case we don't have to ask our
> customers to do this certificate-in and certificate-out thing? I am just
> trying to understand if we can make our customers' workflow easier.
> Anything else that you can suggest here....
>
> 2. Can we automate the key gen steps mentioned on the Apache website and
> adding to the keystore and truststore so that we don't have to manually supply
> the password? Currently, every time I try to do the steps mentioned in
> https://kafka.apache.org/documentation/#security I have to manually give
> the password. It would be great if we can automate this process either through
> a script or Java code. Any suggestions ...
>
>
> Many thanks.
>
> On Tue, May 16, 2017 at 10:58 AM, Raghav <raghavas...@gmail.com> wrote:
>
>> Many thanks, Rajini.
>>
>> On Tue, May 16, 2017 at 8:43 AM, Rajini Sivaram <rajinisiva...@gmail.com>
>> wrote:
>>
>>> Hi Raghav,
>>>
>>> If your Kafka broker is configured with *ssl.client.auth=required,* your
>>> customer's clients need to provide a keystore. In any case, they need a
>>> truststore since your broker is using SSL. For the truststore, you can
>>> give them ca-cert, as you mentioned. The client keystore contains a
>>> certificate and a private key.
>>>
>>> In the round-trip you described, customers generate the keys and give
>>> you the certificate signing request, keeping their private key private. You
>>> then send them back a signed certificate that goes into their keystore.
>>> This is the standard way of signing and is secure.
>>>
>>> In the single step scenario that you described, you generate the
>>> customer's key-pair consisting of certificate and private key. You then
>>> need to send them both the signed certificate and the private key. This is
>>> less secure. Unlike the round-trip, you now have the private key of the
>>> customer.
>>>
>>> Regards,
>>>
>>> Rajini
>>>
>>>
>>> On Tue, May 16, 2017 at 10:47 AM, Raghav <raghavas...@gmail.com> wrote:
>>>
>>>> Hi Rajini
>>>>
>>>> This was very helpful. I have another question on similar lines.
>>>>
>>>> We host the Kafka Broker, and we also have our own private CA. We want our
>>>> customers to set up their Kafka Clients (Producer and Consumer) using SSL
>>>> with *ssl.client.auth=required*.
>>>>
>>>> Is there a way we can generate a certificate for our clients, sign it
>>>> using our private CA, and then hand our customers these two
>>>> certificates (1. ca-cert 2. cert-signed), which, if they add them to their
>>>> keystore and truststore, lets them send messages to our Kafka brokers while
>>>> keeping *ssl.client.auth=required*?
>>>>
>>>> We are looking to minimize our customers' pre-setup steps. For example,
>>>> in the normal scenario, customers will need to generate a certificate, and hand
>>>> over their certificate request to our private CA, which we then sign,
>>>> and send them the signed certificate and the private CA's certificate. So there is
>>>> one round trip. Just wondering if we can reduce these 2 steps into 1 step.
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, May 12, 2017 at 8:53 AM, Rajini Sivaram <
>>>> rajinisiva...@gmail.com> wrote:
>>>>
>>>>> Raghav,
>>>>>
>>>>> 1. Clients need a keystore if you are using TLS client authentication.
>>>>> To enable client authentication, you need to configure ssl.client.auth in
>>>>> server.properties. This can be set to required|requested|none. If you
>>>>> don't enable client authentication, any client will be able to connect to
>>>>> your broker. You could alternatively use SASL for client authentication.
>>>>>
>>>>> 2. The client keystore is mandatory if ssl.client.auth=required, optional
>>>>> for requested and not used for none. The truststore configured on the
>>>>> client is used to authenticate the server. So you have to provide it
>>>>> unless your broker is using certificates signed by a trusted authority.
>>>>>
>>>>> Hope that helps.
>>>>>
>>>>> Rajini
>>>>>
>>>>> On Fri, May 12, 2017 at 11:35 AM, Raghav <raghavas...@gmail.com>
>>>>> wrote:
>>>>>
>>>>> > Hi
>>>>> >
>>>>> > I read the documentation here:
>>>>> > https://kafka.apache.org/documentation/#security_ssl
>>>>> >
>>>>> > I have a few questions about the truststore and keystore based on this
>>>>> > scenario:
>>>>> >
>>>>> > We have 5 Kafka Brokers in our cluster. We want our clients to write
>>>>> > to our Kafka brokers in a secure way. Suppose we also host a private CA, as
>>>>> > mentioned in the documentation above, and provide our clients the
>>>>> > *ca-cert* file, which they add to their trust store.
>>>>> >
>>>>> > 1. Do we require our clients to generate their certificate and have
>>>>> > it signed by our private CA, and add it to their keystore?
>>>>> >
>>>>> > 2. When is the keystore used by clients, and when is the truststore used
>>>>> > by clients?
>>>>> >
>>>>> >
>>>>> > Thanks.
>>>>> >
>>>>> > --
>>>>> > R
>>>>> >
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Raghav
>>>>
>>>
>>>
>>
>>
>> --
>> Raghav
>>
>
>
>
> --
> Raghav
>

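The two points Rajini makes in her reply, fully scripted: the keystore and truststore steps from the Kafka SSL documentation run without a prompt because every keytool and openssl invocation receives its password and subject on the command line, and a server.properties fragment defines the two-endpoint layout in which the customer-facing listener has no truststore (so the JDK default, trusting public CAs, verifies client certificates) while the inter-broker listener pins the private-CA truststore. This is an added example, not code from the thread or from the Kafka project; the hostname, passwords, validity period, output paths and the listener names EXTERNAL/INTERNAL are placeholders, and the `listener.name.<name>.` prefix is Kafka's per-listener override syntax (listener name lower-cased).

```shell
#!/usr/bin/env sh
# Added example (not from the thread or the Kafka project): non-interactive
# version of the keystore/truststore steps from
# https://kafka.apache.org/documentation/#security_ssl plus a server.properties
# fragment with two SSL listeners. Hostname, passwords, validity, paths and the
# listener names EXTERNAL/INTERNAL are constructed placeholders.

OUT_DIR="${OUT_DIR:-./ssl-out}"
BROKER_HOST="${BROKER_HOST:-broker1.example.internal}"   # placeholder hostname
STORE_PASS="${STORE_PASS:-store-pass-placeholder}"        # inject from a secret store in practice
KEY_PASS="${KEY_PASS:-key-pass-placeholder}"
CA_PASS="${CA_PASS:-ca-pass-placeholder}"
VALIDITY="${VALIDITY:-365}"

# Every keytool call takes -storepass/-keypass/-dname and -noprompt, every
# openssl call takes -passout/-passin and -subj, so nothing reads from a TTY.
# Runs in a subshell so the cd and set -e do not leak into the caller.
generate_stores() (
  mkdir -p "$OUT_DIR" && cd "$OUT_DIR" || exit 1
  set -e
  # 1. Broker key pair in its own JKS keystore (Kafka's default ssl.keystore.type)
  keytool -genkeypair -keystore kafka.server.keystore.jks -storetype JKS -alias localhost \
    -keyalg RSA -validity "$VALIDITY" -storepass "$STORE_PASS" -keypass "$KEY_PASS" \
    -dname "CN=$BROKER_HOST, OU=Kafka, O=Example, C=US"
  # 2. Private CA: password-protected key plus self-signed cert (ca-cert is what clients get)
  openssl req -new -x509 -keyout ca-key -out ca-cert -days "$VALIDITY" \
    -passout "pass:$CA_PASS" -subj "/CN=Example Private CA/O=Example/C=US"
  # 3. Truststore holding only the private CA; used by the inter-broker listener
  keytool -importcert -keystore kafka.server.truststore.jks -storetype JKS -alias CARoot \
    -file ca-cert -storepass "$STORE_PASS" -noprompt
  # 4. CSR from the broker keystore, signed by the private CA
  keytool -certreq -keystore kafka.server.keystore.jks -storetype JKS -alias localhost \
    -file cert-file -storepass "$STORE_PASS" -keypass "$KEY_PASS"
  openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed \
    -days "$VALIDITY" -CAcreateserial -passin "pass:$CA_PASS"
  # 5. Import the CA cert first, then the signed cert, so keytool can verify the chain
  keytool -importcert -keystore kafka.server.keystore.jks -storetype JKS -alias CARoot \
    -file ca-cert -storepass "$STORE_PASS" -noprompt
  keytool -importcert -keystore kafka.server.keystore.jks -storetype JKS -alias localhost \
    -file cert-signed -storepass "$STORE_PASS" -keypass "$KEY_PASS" -noprompt
)

# server.properties fragment for the two-endpoint layout: EXTERNAL carries no
# ssl.truststore.* entry, so the broker verifies customer client certificates
# against the JDK default truststore (public CAs); INTERNAL, used for
# inter-broker traffic, pins the truststore that holds the private CA.
write_listener_config() {
  out="${1:-$OUT_DIR/server-ssl.properties}"
  cat > "$out" <<EOF
listeners=EXTERNAL://0.0.0.0:9093,INTERNAL://0.0.0.0:9094
listener.security.protocol.map=EXTERNAL:SSL,INTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.client.auth=required
# broker identity, shared by both listeners
ssl.keystore.location=$OUT_DIR/kafka.server.keystore.jks
ssl.keystore.password=$STORE_PASS
ssl.key.password=$KEY_PASS
# per-listener override (listener name is lower-cased in the prefix); no
# ssl.truststore.* without a prefix, so EXTERNAL falls back to the JDK default
listener.name.internal.ssl.truststore.location=$OUT_DIR/kafka.server.truststore.jks
listener.name.internal.ssl.truststore.password=$STORE_PASS
EOF
}

# Usage: sh kafka_ssl_setup.sh run   (with no argument the file only defines the functions)
if [ "${1:-}" = "run" ]; then
  generate_stores && write_listener_config
fi
```

The passwords are taken from the environment so that a CI job or provisioning tool can inject them rather than committing them to the script; if your broker keystore uses the same password for the store and the key, `ssl.key.password` can equal `ssl.keystore.password`. Customers who need to trust your private CA still receive `ca-cert` for their truststore, while their own keystore is whatever their public CA issued.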