Kafka Configuration 1 - Install and configure Kafka for Windows
Kafka Configuration 2 - Configure SASL-PLAIN authentication for Kafka under Windows
Kafka Configuration 3 - Configure the Kafka cluster under Windows
Kafka Configuration 4 - Configure the SSL certificate for Kafka on Windows
Kafka Configuration 5 - Configure Kafka cluster + SASL + SSL on Windows
Kafka Configuration 6 - Set and add SASL users or user permissions in Windows
Modify hosts and configure the host name
The Windows hosts file is in C:\Windows\System32\drivers\etc. Add the following entry to the hosts file:
# Kafka configuration
192.168.2.200 kafka-main
1.1 Generate kafka1.keystore.jks. Run CMD as the administrator, go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\kafka1.keystore.jks -alias kafka1 -validity 3650 -genkey -keyalg RSA
Enter the password twice, for example qubernet
What is your first and last name? Enter the IP address of the host or the domain name bound to the host, for example, kafka-main
What is the name of your organization? What is the two-letter country code for this unit? Enter cn for all of these prompts
Finally, enter y to confirm that the details are correct
Enter the password qubernet again
1.2 Generate the CA. Run CMD as the administrator and enter the following command:
openssl req -new -x509 -keyout D:\Net_Program\Net_KafkaSsl\ca-key -out D:\Net_Program\Net_KafkaSsl\ca-cert -days 3650
Enter the password twice, for example qubernet
Country Name (2 letter code) [AU] ~ Organizational Unit Name (eg, section) [
Common Name (e.g. server FQDN or YOUR name) []: enter the IP address of the host or the domain name bound to the host, for example, kafka-main
Email Address []: enter an email address
1.3 Generate ca.truststore.jks. Run CMD as the administrator, go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\ca.truststore.jks -alias CARoot -import -file D:\Net_Program\Net_KafkaSsl\ca-cert
Enter the password twice, for example qubernet
Then enter y to confirm
1.4.1 Export the unsigned certificate (the certificate signing request) from the keystore. Run CMD as the administrator, go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\kafka1.keystore.jks -alias kafka1 -certreq -file D:\Net_Program\Net_KafkaSsl\cert-kafka1
Then enter the password qubernet
1.4.2 Use the CA to sign the cert-kafka1 file exported in the previous step. Run CMD as the administrator and enter the following command:
openssl x509 -req -CA D:\Net_Program\Net_KafkaSsl\ca-cert -CAkey D:\Net_Program\Net_KafkaSsl\ca-key -in D:\Net_Program\Net_KafkaSsl\cert-kafka1 -out D:\Net_Program\Net_KafkaSsl\cert-signed-kafka1 -days 3650 -CAcreateserial -passin pass:qubernet
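1.4.3 Import the CA certificate and the signed certificate into the keystore. Run CMD as the administrator and go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin. Then run the following two commands in order, CA certificate first, so that keytool can build the chain when the signed certificate is imported: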
keytool -keystore D:\Net_Program\Net_KafkaSsl\kafka1.keystore.jks -alias CARoot -import -file D:\Net_Program\Net_KafkaSsl\ca-cert
Enter the password once, for example qubernet
Then enter y to confirm
keytool -keystore D:\Net_Program\Net_KafkaSsl\kafka1.keystore.jks -alias kafka1 -import -file D:\Net_Program\Net_KafkaSsl\cert-signed-kafka1
Enter the password once, for example qubernet
Then enter y to confirm
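You can use the following command to test whether the SSL certificate is correct (this requires that the SSL certificate has already been configured in the Kafka service). The command pins TLS 1.2 because current Java and Kafka releases disable TLS 1.0 by default, so a TLS 1.0 handshake would fail even when the certificate is fine.
openssl s_client -debug -connect kafka-main:9092 -tls1_2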
2. Issuing an SSL certificate on the client. Generating the SSL certificate on the client is similar to generating it on the server
2.1. Run CMD as the administrator, go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -alias client -validity 3650 -genkey -keyalg RSA
Enter the password twice, for example qubernet
What is your first and last name? Enter the IP address of the host or the domain name bound to the host, for example, kafka-main
What is the name of your organization? What is the two-letter country code for this unit? Enter cn for all of these prompts
Finally, enter y to confirm that the details are correct
Enter the password qubernet again
2.2. Run CMD as the administrator, go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -alias client -certreq -file D:\Net_Program\Net_KafkaSsl\cert-client
Enter the password once, for example qubernet
2.3. Run CMD as the administrator and enter the following command:
openssl x509 -req -CA D:\Net_Program\Net_KafkaSsl\ca-cert -CAkey D:\Net_Program\Net_KafkaSsl\ca-key -in D:\Net_Program\Net_KafkaSsl\cert-client -out D:\Net_Program\Net_KafkaSsl\cert-signed-client -days 3650 -CAcreateserial -passin pass:qubernet
2.4. Run CMD as administrator, go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -alias CARoot -import -file D:\Net_Program\Net_KafkaSsl\ca-cert
Enter the password once, for example qubernet
Then enter y to confirm
2.5. Run CMD as the administrator, go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -keystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -alias client -import -file D:\Net_Program\Net_KafkaSsl\cert-signed-client
Enter the password once, for example qubernet
If the client connects to Kafka with the Confluent.Kafka library, the client.keystore.jks certificate must be generated in p12 format. Run CMD as the administrator, go to the bin folder in the Java installation directory, for example, D:\Net_Program\Net_Java\bin, and enter the following command:
keytool -importkeystore -srckeystore D:\Net_Program\Net_KafkaSsl\client.keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore D:\Net_Program\Net_KafkaSsl\client.keystore.p12
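To confirm that steps 1.4.3 and 2.4 to 2.5 left each keystore with the CA as a trusted entry and a CA-signed chain on the key entry, the output of keytool -list -v can be checked as shown here. This is an added example, not part of the original article; it assumes English-locale keytool output, and the sample text and function names are constructed for illustration.

```python
import re

# Constructed, trimmed samples of English-locale `keytool -list -v` output.
# JKS stores aliases in lower case, so CARoot is listed as "caroot".
SIGNED = """\
Alias name: caroot
Entry type: trustedCertEntry

Alias name: kafka1
Entry type: PrivateKeyEntry
Certificate chain length: 2
"""
# State right after -genkey: only the self-signed key pair is present.
UNSIGNED = """\
Alias name: kafka1
Entry type: PrivateKeyEntry
Certificate chain length: 1
"""

def parse_keytool_list(text):
    """Map each alias (lower-cased) to its entry type and certificate chain length."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Alias name:\s*(.+)", line):
            current = entries.setdefault(m.group(1).lower(), {"type": None, "chain": 0})
        elif current is None:
            continue  # header lines before the first entry
        elif m := re.match(r"Entry type:\s*(\S+)", line):
            current["type"] = m.group(1)
        elif m := re.match(r"Certificate chain length:\s*(\d+)", line):
            current["chain"] = int(m.group(1))
    return entries

def check_keystore(text, key_alias, ca_alias="CARoot"):
    """Return a list of problems; an empty list means the keystore looks complete."""
    entries = parse_keytool_list(text)
    problems = []
    ca = entries.get(ca_alias.lower())
    if ca is None or ca["type"] != "trustedCertEntry":
        problems.append(f"{ca_alias}: CA certificate is not imported as a trusted entry")
    key = entries.get(key_alias.lower())
    if key is None or key["type"] != "PrivateKeyEntry":
        problems.append(f"{key_alias}: no private key entry")
    elif key["chain"] < 2:
        problems.append(f"{key_alias}: chain length {key['chain']}, signed certificate not imported")
    return problems

if __name__ == "__main__":
    print(check_keystore(SIGNED, "kafka1"))    # complete keystore
    print(check_keystore(UNSIGNED, "kafka1"))  # missing CA and signed certificate
```

For real input, capture the output of keytool -list -v -keystore for kafka1.keystore.jks (alias kafka1) and client.keystore.jks (alias client) and pass it to check_keystore.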
At this point, the SSL certificate of the client is generated, and the complete certificate directory file is as follows: