Kafka single-node install & configuring security certificates

Single-node Kafka install

Download the package

$ wget https://mirrors.tuna.tsinghua.edu.cn/apache/kafka/2.5.0/kafka_2.12-2.5.0.tgz
$ tar xvzf kafka_2.12-2.5.0.tgz
$ cd kafka_2.12-2.5.0

Edit the configuration and start Kafka

$ vi config/server.properties
zookeeper.connect=192.168.0.26:2181,192.168.0.27:2181,192.168.0.28:2181
listeners=PLAINTEXT://:9092
$ nohup bin/kafka-server-start.sh config/server.properties &

zookeeper.connect is the ZooKeeper ensemble the broker registers with. The PLAINTEXT listener binds port 9092 on every interface with no encryption and no authentication, which is acceptable for this local test only. The broker's output goes to nohup.out in the current directory.

Create a topic and test producing and consuming

$ bin/kafka-topics.sh --create --bootstrap-server localhost:9092 --replication-factor 1 --partitions 1 --topic test
$ bin/kafka-topics.sh --list --bootstrap-server localhost:9092
$ bin/kafka-console-producer.sh --bootstrap-server localhost:9092 --topic test
$ bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test --from-beginning

Security certificate configuration

SSL configuration

Generate the certificates
Fill in the hostname and passwords according to your own environment. keytool prompts for the keystore password and for the certificate's "first and last name" (the CN), which should be the hostname clients will connect to; openssl prompts for a PEM passphrase for ca-key in Step 2, and that passphrase (test1234 here) is what -passin supplies in Step 3. The keystore and truststore passwords are the ones server.properties needs later; the CA passphrase is only needed for signing.

$ mkdir my-ca
$ cd my-ca
# Step 1: broker key pair in the server keystore (2048-bit RSA, alias localhost)
$ keytool -keystore server.keystore.jks -alias localhost -validity 365 -keyalg RSA -keysize 2048 -genkey
# Step 2: a private CA, then import its certificate into the server and client truststores
$ openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
$ keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
$ keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
# Step 3: export a CSR, sign it with the CA, then import the CA certificate and the signed certificate into the keystore (CA first, so keytool can build the chain)
$ keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
$ openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
$ keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
$ keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
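The three steps above, redone as an added example (these are not the post's own commands) using openssl alone: it adds the subjectAltName that the post's certificate lacks, so a client can keep hostname verification enabled, and writes a PKCS12 keystore, which Kafka 2.5 loads with ssl.keystore.type=PKCS12. The truststores are still built by importing ca-cert with the keytool commands from Step 2. The hostname kafka01.example.internal, the passwords and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the post's three steps done with
# openssl only, adding a SAN and producing a PKCS12 keystore that Kafka loads
# with ssl.keystore.type=PKCS12. Hostname and passwords are placeholders.
set -eu

# make_kafka_certs <outdir> <broker-hostname> <ca-key-pass> <keystore-pass>
make_kafka_certs() {
    dir=$1; host=$2; capass=$3; kspass=$4
    mkdir -p "$dir"
    # Step 2: private CA. The key is passphrase-protected, which is why the
    # signing step below needs -passin (the post passes test1234 there).
    openssl req -new -x509 -newkey rsa:2048 -days 365 \
        -keyout "$dir/ca-key" -out "$dir/ca-cert" \
        -subj "/CN=Kafka Test CA" -passout "pass:$capass" 2>/dev/null
    # Steps 1 and 3: broker key plus CSR. -nodes keeps the key unencrypted so
    # the pkcs12 export is non-interactive; the file mode protects it instead.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server-key" -out "$dir/cert-file" \
        -subj "/CN=$host" 2>/dev/null
    # subjectAltName is what a client with hostname verification enabled
    # matches the broker address against; with it, the client does not have
    # to blank ssl.endpoint.identification.algorithm.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/cert-file" -CA "$dir/ca-cert" -CAkey "$dir/ca-key" \
        -passin "pass:$capass" -CAcreateserial -days 365 \
        -extfile "$dir/san.cnf" -out "$dir/cert-signed" 2>/dev/null
    # Keystore holding the leaf plus the CA. The SHA1/3DES PBE and MAC keep the
    # file readable by Java 8 as well as 11; OpenSSL 3 otherwise defaults to
    # AES/PBKDF2/SHA-256, which older JDKs cannot open.
    openssl pkcs12 -export -in "$dir/cert-signed" -inkey "$dir/server-key" \
        -certfile "$dir/ca-cert" -name "$host" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$dir/server.keystore.p12" -passout "pass:$kspass"
    chmod 600 "$dir/ca-key" "$dir/server-key" "$dir/server.keystore.p12"
}

# verify_broker_cert <outdir> <broker-hostname> <keystore-pass>: the chain and
# name checks a verifying client performs, plus opening the keystore with the
# password server.properties will carry.
verify_broker_cert() {
    dir=$1; host=$2; kspass=$3
    openssl verify -CAfile "$dir/ca-cert" "$dir/cert-signed" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/cert-signed" -noout -text | grep -q "DNS:$host" || return 1
    openssl pkcs12 -in "$dir/server.keystore.p12" -passin "pass:$kspass" \
        -noout >/dev/null 2>&1 || return 1
}

# Usage: sh make-kafka-certs.sh ./my-ca kafka01.example.internal
# Afterwards import ca-cert into the JKS truststores with the post's keytool
# commands, and point ssl.keystore.location at server.keystore.p12 together
# with ssl.keystore.type=PKCS12.
if [ "$#" -ge 2 ]; then
    make_kafka_certs "$1" "$2" "${CA_PASS:-test1234}" "${KEYSTORE_PASS:-123}"
    verify_broker_cert "$1" "$2" "${KEYSTORE_PASS:-123}" && echo "broker certificate OK for $2"
fi
```

CA_PASS and KEYSTORE_PASS override the placeholder passphrases. Because the certificate carries the broker name in its SAN, verify_broker_cert fails for any other hostname, which is exactly what a client with the default https endpoint identification will do.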

Configure the server properties file

$ vi config/server.properties
# format: listeners=PLAINTEXT://host.name:port,SSL://host.name:port
listeners=PLAINTEXT://:9092,SSL://:9093
ssl.keystore.location=/usr/local/kafka_2.12-2.5.0/my-ca/server.keystore.jks
ssl.keystore.password=123
ssl.key.password=123
ssl.truststore.location=/usr/local/kafka_2.12-2.5.0/my-ca/server.truststore.jks
ssl.truststore.password=123
# none: clients are never asked for a certificate, so this listener encrypts traffic but does not authenticate clients
ssl.client.auth=none
# TLSv1.2 only; the original post also listed TLSv1.1 and TLSv1, both deprecated (Kafka 2.5 defaults to TLSv1.2)
ssl.enabled.protocols=TLSv1.2
$ openssl s_client -debug -connect localhost:9093 -tls1_2

Restart the broker first. If the s_client output shows the certificate chain and a "Verify return code" line, the SSL listener is up. Note that the keystore and truststore passwords are stored in clear text in server.properties, so restrict the file (chmod 600) to the user the broker runs as.

Configure the client

$ vi config/client-ssl.properties
security.protocol=SSL
ssl.truststore.location=/usr/local/kafka_2.12-2.5.0/my-ca/client.truststore.jks
ssl.truststore.password=123
# Since 2.0 the default is https: the broker certificate's name (SAN or CN) must match the host the client connects to.
# If the certificate was issued for a different name, leaving this value empty disables hostname verification.
# That accepts any certificate signed by the CA for any host; prefer issuing the broker certificate for its real hostname and keeping the default.
ssl.endpoint.identification.algorithm=
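For both the broker settings above and the client settings just given, the following added example (not part of the original post) is a small lint that flags the weak choices discussed: a PLAINTEXT listener left on, deprecated TLS versions, ssl.client.auth not set to required, an explicitly empty ssl.endpoint.identification.algorithm, and a properties file containing passwords that other users can read. The sample property files it writes are constructed here from the post's values plus a hardened variant; the paths inside them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: lint a Kafka broker or client
# properties file for the weak settings discussed above. Sample files are
# constructed by write_samples; paths inside them are placeholders.
set -eu

# prop <file> <key>: value of a Java-properties key; the last occurrence wins,
# which is how java.util.Properties (and therefore Kafka) resolves duplicates.
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# has_prop <file> <key>: distinguishes "key absent" from "key set to empty".
has_prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -q "^[[:space:]]*${key}[[:space:]]*=" "$1"
}

# check_kafka_ssl <file>: prints one finding per line; exit 0 only when clean.
check_kafka_ssl() {
    f=$1; n=0
    listeners=$(prop "$f" listeners)
    # A PLAINTEXT listener beside the SSL one keeps the unauthenticated,
    # unencrypted path open; drop it once SSL clients work.
    case "$listeners" in
        *PLAINTEXT://*) echo "listeners: PLAINTEXT listener still enabled ($listeners)"; n=$((n+1)) ;;
    esac
    # Broker only: without client certificates, anyone holding ca-cert can connect.
    if [ -n "$listeners" ] && [ "$(prop "$f" ssl.client.auth)" != required ]; then
        echo "ssl.client.auth: not 'required'; clients are encrypted but not authenticated"
        n=$((n+1))
    fi
    # TLS 1.0/1.1 and SSLv3 are deprecated; Kafka 2.5 defaults to TLSv1.2.
    case ",$(prop "$f" ssl.enabled.protocols)," in
        *,TLSv1,*|*,TLSv1.1,*|*,SSLv*) echo "ssl.enabled.protocols: deprecated protocol versions enabled"; n=$((n+1)) ;;
    esac
    # Explicitly empty disables hostname verification (default https since 2.0).
    if has_prop "$f" ssl.endpoint.identification.algorithm &&
       [ -z "$(prop "$f" ssl.endpoint.identification.algorithm)" ]; then
        echo "ssl.endpoint.identification.algorithm: empty, hostname verification disabled"
        n=$((n+1))
    fi
    # Keystore/truststore passwords sit in clear text in this file.
    if grep -q '^[[:space:]]*ssl\.[a-z.]*password[[:space:]]*=' "$f"; then
        case "$(ls -ld "$f" | cut -c5-10)" in
            *r*) echo "file mode: contains passwords but is readable by group/other"; n=$((n+1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# write_samples <dir>: the post's settings (weak) beside a hardened variant.
write_samples() {
    d=$1
    cat > "$d/server-weak.properties" <<'EOF'
listeners=PLAINTEXT://:9092,SSL://:9093
ssl.keystore.location=/usr/local/kafka_2.12-2.5.0/my-ca/server.keystore.jks
ssl.keystore.password=123
ssl.client.auth=none
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
EOF
    cat > "$d/server-hardened.properties" <<'EOF'
listeners=SSL://:9093
security.inter.broker.protocol=SSL
ssl.keystore.location=/usr/local/kafka_2.12-2.5.0/my-ca/server.keystore.jks
ssl.keystore.password=123
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2
EOF
    cat > "$d/client-weak.properties" <<'EOF'
security.protocol=SSL
ssl.truststore.location=/usr/local/kafka_2.12-2.5.0/my-ca/client.truststore.jks
ssl.truststore.password=123
ssl.endpoint.identification.algorithm=
EOF
    cat > "$d/client-hardened.properties" <<'EOF'
security.protocol=SSL
ssl.truststore.location=/usr/local/kafka_2.12-2.5.0/my-ca/client.truststore.jks
ssl.truststore.password=123
ssl.keystore.location=/usr/local/kafka_2.12-2.5.0/my-ca/client.keystore.jks
ssl.keystore.password=123
ssl.endpoint.identification.algorithm=https
EOF
    chmod 644 "$d/server-weak.properties" "$d/client-weak.properties"
    chmod 600 "$d/server-hardened.properties" "$d/client-hardened.properties"
}

# Usage: sh kafka-ssl-lint.sh config/server.properties config/client-ssl.properties
if [ "$#" -ge 1 ]; then
    for f in "$@"; do printf '== %s\n' "$f"; check_kafka_ssl "$f" || true; done
fi
```

Run it against the real config/server.properties and config/client-ssl.properties; the post's values produce four findings for the broker file and two for the client file, while the hardened variants produce none. The hardened client file carries a keystore because ssl.client.auth=required on the broker means every client must present its own CA-signed certificate.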

Test the client

$ bin/kafka-console-producer.sh --bootstrap-server localhost:9093 --topic test --producer.config config/client-ssl.properties
$ bin/kafka-console-consumer.sh --bootstrap-server localhost:9093 --topic test --consumer.config config/client-ssl.properties --from-beginning
