Kafka configuration 1-install and configure Kafka in Windows environment
Kafka configuration 2-configure Kafka SASL-PLAIN authentication under Windows
Kafka configuration 3-configure Kafka cluster under Windows
Kafka configuration 4-configure Kafka SSL certificate under Windows
Kafka configuration 5-Kafka cluster + SASL + SSL under Windows
Kafka configuration 6-setting and adding SASL users or user permissions under Windows
Modify the hosts file to configure the host name.
On Windows, go to C:\Windows\System32\drivers\etc and add the following configuration to the hosts file:
# Kafka related configuration
192.168.2.200 kafka-main
1. Server-side SSL certificate issuance
1.1. Generate kafka1.keystore.jks
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\kafka1.keystore.jks -alias kafka1 -validity 3650 -genkey -keyalg RSA
Then enter the password twice, such as qubernet.
What are your first and last names? Enter the host's IP address or the domain name bound to the host, such as kafka-main.
For each prompt from "What is the name of your organizational unit?" through "What is the two-letter country code for this unit?", enter cn.
Finally, enter y after confirming that there is no problem.
Enter the password again, qubernet.
1.2. Generate CA
Run CMD as an administrator, and enter the following command:
openssl req -new -x509 -keyout D:\Net_Program\Net_KafkaSsl\ca-key -out D:\Net_Program\Net_KafkaSsl\ca-cert -days 3650
Then enter the password twice, such as qubernet
Country Name (2 letter code) [AU] through Organizational Unit Name (eg, section) []: enter cn
Common Name (eg server FQDN or YOUR name) []: enter the host's IP address or the domain name bound to the host, such as kafka-main
Email Address []: enter an email address, such as [email protected]
1.3. Create truststore.jks
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\ca.truststore.jks -alias CARoot -import -file D:\Net_Program\Net_KafkaSsl\ca-cert
Then enter the password twice, such as qubernet
and enter y to confirm
1.4. Sign the keystore
1.4.1. Export the unsigned certificate from the keystore.
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\kafka1.keystore.jks -alias kafka1 -certreq -file D:\Net_Program\Net_KafkaSsl\cert-kafka1
Then enter the password qubernet
1.4.2. Use CA to sign the cert-kafka1 exported in the previous step.
Run CMD as an administrator and enter the following command:
openssl x509 -req -CA D:\Net_Program\Net_KafkaSsl\ca-cert -CAkey D:\Net_Program\Net_KafkaSsl\ca-key -in D:\Net_Program\Net_KafkaSsl\cert-kafka1 -out D:\Net_Program\Net_KafkaSsl\cert-signed-kafka1 -days 3650 -CAcreateserial -passin pass:qubernet
1.4.3. Import the CA certificate and the signed certificate into the keystore
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\kafka1.keystore.jks -alias CARoot -import -file D:\Net_Program\Net_KafkaSsl\ca-cert
Then enter the password once, such as qubernet
and enter y to confirm
keytool -keystore D:\Net_Program\Net_KafkaSsl\kafka1.keystore.jks -alias kafka1 -import -file D:\Net_Program\Net_KafkaSsl\cert-signed-kafka1
Then enter the password once, such as qubernet
and enter y to confirm
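At this point, the server's SSL certificate has been generated. We can use the following command to test whether the certificate is correct (the prerequisite is that the SSL certificate has been configured in the Kafka service). Note that -tls1 restricts the handshake to TLS 1.0, so omit it if the broker only enables newer protocol versions: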
openssl s_client -debug -connect kafka-main:9092 -tls1
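A check for the result of steps 1.4.1 to 1.4.3 (and, with alias client, steps 2.2 to 2.5), added here as an example that is not part of the original article: it reads the text printed by keytool -list -v -keystore <keystore> and reports a missing CARoot entry, a key entry whose chain is still the self-signed certificate, or a CN that does not match the broker host name. The function names and the sample listing are constructed for illustration.

```python
import re
# Constructed, abridged `keytool -list -v` output (not captured from a real keystore).
CA_DN = "EMAILADDRESS=admin@example.com, CN=kafka-main, OU=cn, O=cn, L=cn, ST=cn, C=cn"
SAMPLE = f"""\
Alias name: caroot
Entry type: trustedCertEntry
Owner: {CA_DN}
Issuer: {CA_DN}

Alias name: kafka1
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=kafka-main, OU=cn, O=cn, L=cn, ST=cn, C=cn
Issuer: {CA_DN}
Certificate[2]:
Owner: {CA_DN}
"""

def parse_entries(listing):
    """Split the listing into {alias: fields}; aliases are lowercased, as keytool prints them for JKS."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        lines = block.splitlines()
        grab = lambda key: [l.split(": ", 1)[1].strip() for l in lines if l.startswith(key + ": ")]
        entries[lines[0].strip().lower()] = {
            "type": (grab("Entry type") or [""])[0],
            "chain": int((grab("Certificate chain length") or ["0"])[0]),
            "owners": grab("Owner"),    # owners[0] is the leaf certificate
            "issuers": grab("Issuer"),
        }
    return entries

def check_keystore(listing, key_alias, host, ca_alias="CARoot"):
    """Return a list of problems; an empty list means the keystore matches steps 1.4.1-1.4.3."""
    entries, problems = parse_entries(listing), []
    ca, key = entries.get(ca_alias.lower()), entries.get(key_alias.lower())
    if not ca or ca["type"] != "trustedCertEntry":
        problems.append(f"{ca_alias}: CA certificate not imported as a trusted entry")
    if not key or key["type"] != "PrivateKeyEntry":
        return problems + [f"{key_alias}: no private key entry"]
    if key["chain"] < 2:  # the signed certificate never replaced the self-signed one
        problems.append(f"{key_alias}: chain length {key['chain']}, still the self-signed certificate")
    elif ca and key["issuers"][:1] != ca["owners"][:1]:
        problems.append(f"{key_alias}: leaf certificate not issued by {ca_alias}")
    cn = re.search(r"CN=([^,]+)", key["owners"][0] if key["owners"] else "")
    if not cn or cn.group(1).lower() != host.lower():
        problems.append(f"{key_alias}: certificate CN does not match {host}")
    return problems
```

Calling check_keystore(SAMPLE, "kafka1", "kafka-main") on the constructed listing returns an empty list; pass the real keytool output and the alias client to check client.keystore.jks the same way.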
2. Client SSL certificate issuance
The generation of the client SSL certificate is similar to that of the server.
2.1.
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -alias client -validity 3650 -genkey -keyalg RSA
Then enter the password twice, such as qubernet.
What are your first and last names? Enter the host's IP address or the domain name bound to the host, such as kafka-main.
For each prompt from "What is the name of your organizational unit?" through "What is the two-letter country code for this unit?", enter cn.
Finally, enter y after confirming that there is no problem.
Enter the password again, qubernet.
2.2.
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -alias client -certreq -file D:\Net_Program\Net_KafkaSsl\cert-client
Then enter the password once, such as qubernet
2.3.
Run CMD as an administrator, and enter the following command:
openssl x509 -req -CA D:\Net_Program\Net_KafkaSsl\ca-cert -CAkey D:\Net_Program\Net_KafkaSsl\ca-key -in D:\Net_Program\Net_KafkaSsl\cert-client -out D:\Net_Program\Net_KafkaSsl\cert-signed-client -days 3650 -CAcreateserial -passin pass:qubernet
2.4.
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -alias CARoot -import -file D:\Net_Program\Net_KafkaSsl\ca-cert
Then enter the password once, such as qubernet
and enter y to confirm
2.5.
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -alias client -import -file D:\Net_Program\Net_KafkaSsl\cert-signed-client
Then enter the password once, such as qubernet
2.6. Generate the p12 certificate required by C#
When developing a Kafka client in C# with the Confluent.Kafka library, you need to generate a p12-format certificate corresponding to client.keystore.jks.
Run CMD as an administrator, locate the bin folder of the Java installation directory, such as D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -importkeystore -srckeystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore D:\Net_Program\Net_KafkaSsl\client.keystore.p12
At this point, the client's SSL certificate has been generated, and the complete set of generated certificate files is as follows: