KAFKA SECURITY - vasanthsumanath/MyWIKI GitHub Wiki

CREATING CA

  1. Create a subdirectory named ssl and change into it.

mkdir ssl; cd ssl

  2. Create our Certificate Authority using the openssl command below.

openssl req -new -newkey rsa:4096 -days 365 -x509 -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes

ca-key will hold the CA's private key (stored unencrypted because of -nodes) and ca-cert will hold its self-signed certificate, i.e. the public key.

CREATING KEYSTORE AT SERVER SIDE

  1. Create the keystore at the server side. Export the keystore password first, then generate the broker's key pair:

export SRVPASS=serversecret

keytool -genkey -keystore kafka.server.keystore.jks -validity 365 -storepass $SRVPASS -keypass $SRVPASS -dname "CN=ec2-52-77-68-20.ap-southeast-1.compute.amazonaws.com" -storetype pkcs12 -keyalg RSA

Keep the -keyalg RSA flag. Without it keytool falls back to its default key algorithm (DSA on older JDKs), and connecting to the SSL listener on port 9093 fails with the error below:

4506648172:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

  2. List the contents of the keystore.

keytool -list -v -keystore kafka.server.keystore.jks

  3. Digitally signing the certificate with the CA is a two-step process.

First, generate a certificate signing request (CSR) for the broker's public key:

keytool -keystore kafka.server.keystore.jks -certreq -file cert-file -storepass $SRVPASS -keypass $SRVPASS

Now digitally sign the cert-file with the CA.

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:$SRVPASS

  4. View the signed certificate in verbose mode.

keytool -printcert -v -file cert-signed

  5. Create the server-side truststore and import the CA certificate into it.

keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt

  6. Import the CA certificate and the signed broker certificate into the keystore.

keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert -storepass $SRVPASS -keypass $SRVPASS -noprompt

keytool reports: Certificate was added to keystore

keytool -keystore kafka.server.keystore.jks -import -file cert-signed -storepass $SRVPASS -keypass $SRVPASS -noprompt

Add the properties below to the Kafka server.properties file:

listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
advertised.listeners=PLAINTEXT://ec2-52-77-68-20.ap-southeast-1.compute.amazonaws.com:9092,SSL://ec2-52-77-68-20.ap-southeast-1.compute.amazonaws.com:9093
ssl.keystore.location=/home/ubuntu/ssl/kafka.server.keystore.jks
ssl.keystore.password=serversecret
ssl.key.password=serversecret
ssl.truststore.location=/home/ubuntu/ssl/kafka.server.truststore.jks
ssl.truststore.password=serversecret

Use the command below to validate that the SSL listener is up and completes a TLS handshake:

openssl s_client -connect ec2-52-77-68-20.ap-southeast-1.compute.amazonaws.com:9093
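The certificate chain built in this section can also be checked without a running broker. The script below is an added example, not part of this wiki: it recreates the CA, CSR and signing steps with openssl alone (openssl req stands in for the keytool -genkey and -certreq steps, since the keystore itself is not needed for the check), confirms with openssl verify that cert-signed chains to ca-cert, confirms that the certificate CN is the broker hostname, and shows that a certificate signed by an unrelated CA fails the chain check. BROKER_HOST, the Other-CA name and the temporary directory are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the wiki: rebuild the CA -> CSR -> signed certificate
# chain with openssl alone, then run the two checks the walkthrough does not show:
# (1) the signed certificate really chains to ca-cert, (2) its CN is the hostname
# clients will connect to. A certificate from an unrelated CA is shown failing (1).
# BROKER_HOST is an assumed placeholder; substitute the broker's advertised host.
set -eu

BROKER_HOST=${BROKER_HOST:-broker.example.internal}

# Create a throwaway directory holding ca-key, ca-cert, server key, CSR and signed cert.
make_demo_pki() {
  dir=$(mktemp -d)
  # CA, as on the wiki; -nodes leaves ca-key unencrypted, so restrict its permissions.
  openssl req -new -newkey rsa:2048 -days 365 -x509 -subj "/CN=Kafka-Security-CA" \
      -keyout "$dir/ca-key" -out "$dir/ca-cert" -nodes -batch >/dev/null 2>&1
  chmod 600 "$dir/ca-key"
  # Broker key pair and CSR (openssl req stands in for keytool -genkey / -certreq).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$BROKER_HOST" -batch \
      -keyout "$dir/server-key" -out "$dir/cert-file" >/dev/null 2>&1
  # Sign the CSR with the CA, the same command the wiki uses.
  openssl x509 -req -CA "$dir/ca-cert" -CAkey "$dir/ca-key" -in "$dir/cert-file" \
      -out "$dir/cert-signed" -days 365 -CAcreateserial >/dev/null 2>&1
  # An unrelated CA plus a certificate it signed, for the negative check.
  openssl req -new -newkey rsa:2048 -days 365 -x509 -subj "/CN=Other-CA" \
      -keyout "$dir/other-ca-key" -out "$dir/other-ca-cert" -nodes -batch >/dev/null 2>&1
  openssl x509 -req -CA "$dir/other-ca-cert" -CAkey "$dir/other-ca-key" -in "$dir/cert-file" \
      -out "$dir/cert-signed-by-other" -days 365 -CAcreateserial >/dev/null 2>&1
  echo "$dir"
}

# Returns 0 only if certificate $2 verifies against CA certificate $1.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the CN of certificate $1.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//'
}

# Returns 0 if the CN of certificate $1 equals hostname $2. Kafka clients verify
# this themselves (ssl.endpoint.identification.algorithm=https, the default since
# Kafka 2.0) and refuse the connection on a mismatch.
check_hostname() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Stand-alone run: build the PKI and report the checks.
demo=$(make_demo_pki)
verify_chain "$demo/ca-cert" "$demo/cert-signed" && echo "chain ok"
check_hostname "$demo/cert-signed" "$BROKER_HOST" && echo "hostname ok"
verify_chain "$demo/ca-cert" "$demo/cert-signed-by-other" || echo "cert from unrelated CA rejected (expected)"
```

The same openssl verify -CAfile ca-cert cert-signed check works on the files the wiki's keytool commands produce; running it before editing server.properties separates a broken chain from a broken listener configuration when the s_client test above fails.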

CREATING TRUSTSTORE AT CLIENT SIDE

  1. Create a subdirectory to hold the SSL files.

mkdir -p ./kafka_security/ssl

  2. Copy the CA's public certificate (ca-cert) from the CA host.

cd ./kafka_security/ssl

export CLIPASS=clientsecret

scp -i ~/.ssh/kafka-security.pem [email protected]:/home/ubuntu/ssl/ca-cert .

  3. Import the downloaded CA certificate into the client-side truststore.

keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert -storepass $CLIPASS -keypass $CLIPASS -noprompt

  4. Now add the properties below to the Kafka client properties file (kafka_client.properties).

security.protocol=SSL
ssl.truststore.location=/Users/vasanths/kafka_security/ssl/kafka.client.truststore.jks
ssl.truststore.password=clientsecret

This can be tested with the console producer and consumer:

kafka-console-producer --broker-list ec2-52-77-68-20.ap-southeast-1.compute.amazonaws.com:9093 --topic kafka-security-topic --producer.config ~/kafka_security/ssl/kafka_client.properties

kafka-console-consumer --bootstrap-server ec2-52-77-68-20.ap-southeast-1.compute.amazonaws.com:9093 --topic kafka-security-topic --consumer.config ~/kafka_security/ssl/kafka_client.properties

Enabling SSL Authentication

Create a key pair and certificate at the client side:

keytool -genkey -keystore kafka.client.keystore.jks -validity 365 -storepass $CLIPASS -keypass $CLIPASS -dname "CN=MyLaptop" -alias my-local-pc -storetype pkcs12 -keyalg RSA

Generate a certificate signing request for the client's public key, to be digitally signed by the CA:

keytool -keystore kafka.client.keystore.jks -certreq -file client-cert-sign-request -alias my-local-pc -storepass $CLIPASS -keypass $CLIPASS

Move the signing request to the CA server and create the digitally signed certificate there.

scp -i ~/.ssh/kafka-security.pem ./client-cert-sign-request [email protected]:/tmp/

openssl x509 -req -CA ca-cert -CAkey ca-key -in /tmp/client-cert-sign-request -out /tmp/client-cert-signed -days 365 -CAcreateserial -passin pass:serversecret

Copy the generated signed certificate back into the client machine

scp -i ~/.ssh/kafka-security.pem [email protected]:/tmp/client-cert-signed ./

Now import both the CA certificate and the signed client certificate into the client-side keystore.

keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert -storepass $CLIPASS -keypass $CLIPASS -noprompt

keytool -keystore kafka.client.keystore.jks -alias my-local-pc -import -file client-cert-signed -storepass $CLIPASS -keypass $CLIPASS -noprompt

Now edit server.properties to require SSL client authentication:

ssl.client.auth=required

At the client side, add the properties below (the client now needs its own keystore in addition to the truststore):

security.protocol=SSL
ssl.truststore.location=/Users/vasanths/kafka_security/ssl/kafka.client.truststore.jks
ssl.truststore.password=clientsecret
ssl.keystore.location=/Users/vasanths/kafka_security/ssl/kafka.client.keystore.jks
ssl.keystore.password=clientsecret
ssl.key.password=clientsecret
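A small consistency check for the broker and client property files above, added here as an example and not part of the wiki: prop reads one key from a Java-style properties file, and check_ssl_pair flags a client that the broker will reject, i.e. one without security.protocol=SSL, without a truststore, or, once ssl.client.auth=required is set, without a keystore and key password. The sample files are constructed from the wiki's values; the file names and workdir are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the wiki: a consistency check for the server and client
# property files the SSL sections end with. Reads Java-style key=value files,
# ignores comment lines, and reports when the client cannot satisfy what the
# broker demands. The sample files below are constructed.
set -eu

# Print the value of key $2 from properties file $1 (empty if absent, last one wins).
prop() {
  awk -F= -v k="$2" '
    /^[[:space:]]*[#!]/ { next }
    $1 == k { v = substr($0, length(k) + 2) }
    END { print v }' "$1"
}

# Returns 0 if client config $2 is consistent with broker config $1; otherwise prints
# each problem and returns 1. A remaining PLAINTEXT listener is reported as a note.
check_ssl_pair() {
  server=$1; client=$2; rc=0
  case "$(prop "$server" listeners)" in
    *PLAINTEXT://*) echo "note: broker still has a PLAINTEXT listener; remove it once all clients use SSL" ;;
  esac
  if [ "$(prop "$client" security.protocol)" != "SSL" ]; then
    echo "client: security.protocol must be SSL"; rc=1
  fi
  for k in ssl.truststore.location ssl.truststore.password; do
    [ -n "$(prop "$client" "$k")" ] || { echo "client: missing $k"; rc=1; }
  done
  if [ "$(prop "$server" ssl.client.auth)" = "required" ]; then
    for k in ssl.keystore.location ssl.keystore.password ssl.key.password; do
      [ -n "$(prop "$client" "$k")" ] || { echo "client: broker requires client auth but $k is missing"; rc=1; }
    done
  fi
  return $rc
}

# Constructed sample files mirroring the wiki's settings.
workdir=$(mktemp -d)
cat > "$workdir/server.properties" <<'EOF'
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
ssl.keystore.location=/home/ubuntu/ssl/kafka.server.keystore.jks
ssl.keystore.password=serversecret
ssl.key.password=serversecret
ssl.truststore.location=/home/ubuntu/ssl/kafka.server.truststore.jks
ssl.truststore.password=serversecret
ssl.client.auth=required
EOF
cat > "$workdir/client-mtls.properties" <<'EOF'
# client with its own keystore: satisfies ssl.client.auth=required
security.protocol=SSL
ssl.truststore.location=/Users/vasanths/kafka_security/ssl/kafka.client.truststore.jks
ssl.truststore.password=clientsecret
ssl.keystore.location=/Users/vasanths/kafka_security/ssl/kafka.client.keystore.jks
ssl.keystore.password=clientsecret
ssl.key.password=clientsecret
EOF
cat > "$workdir/client-encrypt-only.properties" <<'EOF'
# the encryption-only client from the earlier section: no keystore
security.protocol=SSL
ssl.truststore.location=/Users/vasanths/kafka_security/ssl/kafka.client.truststore.jks
ssl.truststore.password=clientsecret
EOF

check_ssl_pair "$workdir/server.properties" "$workdir/client-mtls.properties" && echo "mtls client: consistent"
check_ssl_pair "$workdir/server.properties" "$workdir/client-encrypt-only.properties" || echo "encrypt-only client: rejected once ssl.client.auth=required"
```

Because the passwords sit in clear text in both files, the check is also a reminder to keep them readable only by the broker and client users (chmod 600).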

Installing Kerberos Server

sudo yum install -y krb5-server

Edit kdc.conf to include the KAFKA.SECURE realm:

sudo vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 default_realm=KAFKA.SECURE

[realms]
 KAFKA.SECURE = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
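The supported_enctypes line above still offers single-DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1), RC4 (arcfour-hmac) and 3DES (des3-hmac-sha1). RFC 6649 deprecates DES and RFC 8429 deprecates RC4 and 3DES for Kerberos, and recent MIT Kerberos releases have dropped single-DES entirely, so a KDC that still lists them lets a client negotiate a weak key for the Kafka service principal. The script below is an added example and not part of the wiki: it lists the legacy enctypes a kdc.conf offers and prints a supported_enctypes line that keeps only the remaining ones. The LEGACY_ENCTYPES list and the sample kdc.conf are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the wiki: scan a kdc.conf for legacy Kerberos enctypes
# (single-DES, 3DES, RC4) and suggest a supported_enctypes line without them.
set -eu

# Constructed list of enctypes treated as legacy here (DES per RFC 6649, RC4 and 3DES per RFC 8429).
LEGACY_ENCTYPES="des-cbc-crc des-cbc-md4 des-cbc-md5 des-hmac-sha1 des3-cbc-sha1 des3-hmac-sha1 arcfour-hmac arcfour-hmac-md5 arcfour-hmac-exp"

# Print the enctypes from every supported_enctypes line in $1, one per line, ":salt" removed.
supported_enctypes() {
  awk '
    $1 == "supported_enctypes" {
      sub(/^[^=]*=[[:space:]]*/, "")          # drop "supported_enctypes = "
      n = split($0, parts, /[[:space:]]+/)
      for (i = 1; i <= n; i++) { sub(/:.*$/, "", parts[i]); if (parts[i] != "") print parts[i] }
    }' "$1"
}

# Returns 0 if enctype $1 is in LEGACY_ENCTYPES.
is_legacy() {
  for w in $LEGACY_ENCTYPES; do
    if [ "$1" = "$w" ]; then return 0; fi
  done
  return 1
}

# Print the legacy enctypes offered by kdc.conf $1; returns 1 if any, 0 if clean.
weak_enctypes() {
  found=0
  for e in $(supported_enctypes "$1"); do
    if is_legacy "$e"; then echo "$e"; found=1; fi
  done
  [ "$found" -eq 0 ]
}

# Print a replacement supported_enctypes line keeping only the non-legacy enctypes.
hardened_line() {
  keep=""
  for e in $(supported_enctypes "$1"); do
    if ! is_legacy "$e"; then keep="$keep $e:normal"; fi
  done
  echo "supported_enctypes =${keep}"
}

# Constructed sample kdc.conf with the wiki's realm stanza.
KDC_CONF=$(mktemp)
cat > "$KDC_CONF" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 default_realm=KAFKA.SECURE

[realms]
 KAFKA.SECURE = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

echo "legacy enctypes offered by $KDC_CONF:"
weak_enctypes "$KDC_CONF" || true
echo "suggested: $(hardened_line "$KDC_CONF")"
```

Changing the line only affects keys created afterwards; principals created while the legacy enctypes were listed keep their existing keys until they are re-keyed with change_password or a new keytab.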

Edit kadm5.acl to grant the admin principals of the KAFKA.SECURE realm full privileges:

sudo vi /var/kerberos/krb5kdc/kadm5.acl

*/admin@KAFKA.SECURE *

Add our realm info to the Kerberos configuration:

sudo vi /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = KAFKA.SECURE
 kdc_timesync = 1
 ticket_lifetime = 24h

[realms]
 KAFKA.SECURE = {
  kdc = ec2-18-141-169-36.ap-southeast-1.compute.amazonaws.com
  admin_server = ec2-18-141-169-36.ap-southeast-1.compute.amazonaws.com
 }

Create the database for our realm:

sudo /usr/sbin/kdb5_util create -s -r KAFKA.SECURE -P this-is-unsecure

Creating Principal

sudo kadmin.local -q "add_principal -pw this-is-unsecure admin/admin"

Restart Kerberos services

sudo systemctl restart krb5kdc

sudo systemctl restart kadmin