Set up a CA for secured Kafka
CA 인증서 생성
private key와 public key를 생성합니다.
# Create the CA: a 4096-bit RSA private key (ca-key) and a self-signed X.509
# certificate (ca-cert) with subject CN=Kafka-Security-CA, valid for 365 days.
# -nodes writes ca-key unencrypted (no passphrase), so the file must be
# protected by permissions and should not be copied onto the brokers.
openssl req -new -x509 \
  -newkey rsa:4096 \
  -days 365 \
  -subj '/CN=Kafka-Security-CA' \
  -keyout ca-key \
  -out ca-cert \
  -nodes
KeyStore 생성
keystore를 생성합니다.
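# Keystore/key password used by all keytool steps below. It is exported so the
# commands can read it with -storepass:env / -keypass:env instead of taking it
# on the command line, where it would be visible in `ps` and shell history.
export SRVPASS=serversecurity

# Generate the broker key pair in a PKCS#12 keystore under keytool's default
# alias ("mykey"); the later import of cert-signed relies on that alias.
# -keyalg RSA is explicit because keytool's default key algorithm is not RSA
# on older JDKs (DSA), which is not what a TLS server certificate should use.
# NOTE(review): the CN must match the host name clients connect to; clients that
# verify the host against the SAN rather than the CN would need a SAN extension
# on the certificate (keytool -ext SAN=DNS:...) — confirm for your client versions.
keytool -genkeypair \
  -keystore kafka.server.keystore.jks \
  -storetype pkcs12 \
  -keyalg RSA \
  -validity 365 \
  -dname "CN=kafka1.mydomain.com" \
  -storepass:env SRVPASS \
  -keypass:env SRVPASS

# Inspect the keystore contents (non-interactive: password read from the environment).
keytool -list -v -keystore kafka.server.keystore.jks -storepass:env SRVPASS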
인증서 요청파일 생성
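# Create a certificate signing request (cert-file) for the broker key in the
# keystore. Passwords are read from the exported SRVPASS variable rather than
# passed on the command line, so they do not appear in `ps` or shell history.
keytool -certreq \
  -keystore kafka.server.keystore.jks \
  -file cert-file \
  -storepass:env SRVPASS \
  -keypass:env SRVPASS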
cert-signed 인증서를 생성
cert-signed 인증서를 생성합니다.
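# Sign the broker CSR (cert-file) with the CA, producing cert-signed.
# -CAcreateserial creates the serial-number file on first use.
# ca-key was generated with -nodes (no passphrase), so no -passin is needed;
# the previous "-passin pass:$SRVPASS" only put the keystore password on the
# command line without any effect. If the CA key is ever encrypted, prefer
# "-passin env:VARNAME" over "pass:" so the secret stays out of argv.
# NOTE(review): x509 -req does not add a SAN to the issued certificate unless
# extensions are supplied (e.g. -extfile); clients that verify the host name
# against the SAN need this — confirm against your client configuration.
openssl x509 -req \
  -CA ca-cert \
  -CAkey ca-key \
  -CAcreateserial \
  -in cert-file \
  -out cert-signed \
  -days 365

# Show the signed certificate so the issuer, subject and validity can be checked.
keytool -printcert -v -file cert-signed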
truststore를 생성하고 ca-cert 파일을 truststore에 import
truststore를 생성하고 ca-cert 파일을 truststore에 import합니다.
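# Create the broker truststore and import the CA certificate under alias
# CARoot; -noprompt accepts the certificate without an interactive "Trust this
# certificate?" question. The password comes from the exported SRVPASS variable
# (-storepass:env) so it is not exposed on the command line.
keytool -importcert \
  -keystore kafka.server.truststore.jks \
  -alias CARoot \
  -file ca-cert \
  -storepass:env SRVPASS \
  -keypass:env SRVPASS \
  -noprompt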
keystore에 CA 인증서 import
keystore에 CA 인증서와 서명된 인증서(cert-signed)를 import합니다.
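# Import the CA certificate into the broker keystore first (alias CAroot), so
# that the signed broker certificate imported next can be chained to its issuer.
# Passwords are read from the exported SRVPASS variable (-storepass:env) instead
# of the command line, keeping them out of `ps` output and shell history.
keytool -importcert \
  -keystore kafka.server.keystore.jks \
  -alias CAroot \
  -file ca-cert \
  -storepass:env SRVPASS \
  -keypass:env SRVPASS \
  -noprompt

# Import the CA-signed broker certificate. No -alias is given, so keytool uses
# its default alias ("mykey"), which is the entry the key pair was generated under;
# this replaces that entry's self-signed certificate with the signed chain.
keytool -importcert \
  -keystore kafka.server.keystore.jks \
  -file cert-signed \
  -storepass:env SRVPASS \
  -keypass:env SRVPASS \
  -noprompt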
Change server.properties file
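# Broker listeners: the PLAINTEXT listener on 9092 stays open alongside SSL on
# 9093, so unencrypted connections are still accepted until PLAINTEXT is removed.
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
advertised.listeners=PLAINTEXT://kafka1.mydomain.com,SSL://kafka1.mydomain.com:9093

# Keystore created above with keytool (-storepass/-keypass = $SRVPASS = serversecurity).
# These passwords must equal the ones used at keystore creation, or the broker
# cannot open the keystore; the previous values (aaaabbbbcccc) did not match.
ssl.keystore.location=/app/ssl/kafka.server.keystore.jks
ssl.keystore.password=serversecurity
ssl.key.password=serversecurity

# Truststore created above with the same password.
# These are plaintext secrets: restrict read permission on this file to the
# user the broker runs as.
ssl.truststore.location=/app/ssl/kafka.server.truststore.jks
ssl.truststore.password=serversecurity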
restart kafka
kafka broker를 재시작합니다.
# Restart the broker so the new listeners and keystore settings take effect,
# then show the unit status.
systemctl restart kafka
systemctl status kafka

# Confirm the SSL endpoint was registered: the broker logs its bound
# endpoints with "EndPoint" in server.log.
grep -F -- 'EndPoint' /app/kafka/logs/server.log
# check SSL