krzysztofantczak · February 2, 2024 07:22
diff --git a/002.Kafka.PKCS12.SSL b/002.Kafka.PKCS12.SSL
 #
diff --git a/conf_ca.cnf b/conf_ca.cnf
 [req]
 prompt = no
 distinguished_name = req_distinguished_name
 x509_extensions = v3_ca

 [req_distinguished_name]
 C = EU
 ST = PL
 L = YourCity
 O = YourOrganization
 CN = CACommonName

 [v3_ca]
 basicConstraints = CA:TRUE
 subjectKeyIdentifier = hash
diff --git a/conf_cert.cnf b/conf_cert.cnf
 [req]
 prompt = no
 distinguished_name = req_distinguished_name
 x509_extensions = v3_req

 [req_distinguished_name]
 C = EU
 ST = PL
 L = YourCity
 O = YourOrganization
 CN = KafkaCommonName

 [v3_req]
 keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names

 [alt_names]
 DNS.1 = localhost
 IP.1 = 127.0.0.1
diff --git a/conf_client.cnf b/conf_client.cnf
 [req]
 prompt = no
 distinguished_name = req_distinguished_name
 x509_extensions = v3_req

 [req_distinguished_name]
 C = EU
 ST = PL
 L = YourCity
 O = YourOrganization
 CN = ClientCommonName

 [v3_req]
 keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = clientAuth
diff --git a/scripts_generate_certs.sh b/scripts_generate_certs.sh
 #!/bin/sh

 # Step 1: Generate a CA Key and Certificate (Truststore)
 openssl genpkey -algorithm RSA -out certs/ca-key.pem
 openssl req -new -x509 -key certs/ca-key.pem -out certs/ca-cert.pem -days 365 -config conf/ca.cnf

 # Step 2: Generate a Keypair and Keystore for broker-broker communication
 for i in {1..3}
 do
  openssl genpkey -algorithm RSA -out key$i.pem
  openssl req -new -key key$i.pem -out csr$i.pem -config conf/cert.cnf
  openssl x509 -req -in csr$i.pem -CA certs/ca-cert.pem -CAkey certs/ca-key.pem -out cert$i.pem -CAcreateserial
  openssl pkcs12 -export -in cert$i.pem -inkey key$i.pem -out certs/keystore$i.p12 -name kafka-keystore -passout pass:your_keystore_password
 done

 # Step 3: Convert the CA Key and Certificate to PKCS12 format (Truststore)
 openssl pkcs12 -export -in certs/ca-cert.pem -inkey certs/ca-key.pem -out certs/truststore.p12 -name kafka-truststore -passout pass:your_truststore_password

 # Cleanup intermediate files
 rm -f csr*.pem cert*.pem ca-cert.srl

 echo "Certificates and keystores generated successfully."
diff --git a/scripts_generate_client_cert.sh b/scripts_generate_client_cert.sh
 #!/bin/sh

 # Step 1: Generate a client key and certificate
 openssl genpkey -algorithm RSA -out client-key.pem
 openssl req -new -key client-key.pem -out client-csr.pem -config conf/client.cnf
 openssl x509 -req -in client-csr.pem -CA certs/ca-cert.pem -CAkey certs/ca-key.pem -out certs/client-cert.pem -CAcreateserial

 # Step 2: Convert the client key and certificate to PKCS12 format (Client Keystore)
 openssl pkcs12 -export -in certs/client-cert.pem -inkey client-key.pem -out certs/client-keystore.p12 -name kafka-client -passout pass:your_client_keystore_password

 # Cleanup intermediate files
 rm -f client-csr.pem certs/client-cert.srl

 echo "Client certificate and keystore generated successfully."
diff --git a/server.properties b/server.properties
 process.roles=broker,controller
 node.id=1
 controller.quorum.voters=1@kafka01:29190,2@kafka02:29290,3@kafka03:29390
 listeners=CONTROLLER://0.0.0.0:29190,SSL://0.0.0.0:29193
 inter.broker.listener.name=SSL
 advertised.listeners=SSL://10.5.50.77:29193
 delete.topic.enable=true
 controller.listener.names=CONTROLLER
 listener.security.protocol.map=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL,JINPC_PLAINTEXT:PLAINTEXT
 num.network.threads=3
 num.io.threads=8
 socket.send.buffer.bytes=102400
 socket.receive.buffer.bytes=102400
 socket.request.max.bytes=104857600
 log.dirs=/var/lib/kafka/data
 num.partitions=8
 default.replication.factor=3
 min.insync.replicas=2
 num.recovery.threads.per.data.dir=1
 offsets.topic.replication.factor=3
 transaction.state.log.replication.factor=3
 transaction.state.log.min.isr=2
 log.retention.hours=168
 log.segment.bytes=1073741824

 auto.create.topics.enable=true

 log.retention.check.interval.ms=300000
 controlled.shutdown.enable=true
 offsets.retention.minutes=10080
 replica.lag.time.max.ms=30000

 ssl.keystore.type=PKCS12
 ssl.keystore.location=/etc/kafka/secrets/keystore1.p12
 ssl.keystore.password=your_keystore_password

 ssl.truststore.location=/etc/kafka/secrets/truststore.p12
 ssl.truststore.password=your_truststore_password

 ssl.client.auth=required
 #ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
 ssl.enabled.protocols=TLSv1.3
 ssl.endpoint.identification.algorithm=
	[req]
	prompt = no
	distinguished_name = req_distinguished_name
	x509_extensions = v3_ca

	[req_distinguished_name]
	C = EU
	ST = PL
	L = YourCity
	O = YourOrganization
	CN = CACommonName

	[v3_ca]
	basicConstraints = CA:TRUE
	subjectKeyIdentifier = hash
	#!/bin/sh

	# Step 1: Generate a CA Key and Certificate (Truststore)
	openssl genpkey -algorithm RSA -out certs/ca-key.pem
	openssl req -new -x509 -key certs/ca-key.pem -out certs/ca-cert.pem -days 365 -config conf/ca.cnf

	# Step 2: Generate a Keypair and Keystore for broker-broker communication
	for i in {1..3}
	do
	openssl genpkey -algorithm RSA -out key$i.pem
	openssl req -new -key key$i.pem -out csr$i.pem -config conf/cert.cnf
	openssl x509 -req -in csr$i.pem -CA certs/ca-cert.pem -CAkey certs/ca-key.pem -out cert$i.pem -CAcreateserial
	openssl pkcs12 -export -in cert$i.pem -inkey key$i.pem -out certs/keystore$i.p12 -name kafka-keystore -passout pass:your_keystore_password
	done

	# Step 3: Convert the CA Key and Certificate to PKCS12 format (Truststore)
	openssl pkcs12 -export -in certs/ca-cert.pem -inkey certs/ca-key.pem -out certs/truststore.p12 -name kafka-truststore -passout pass:your_truststore_password

	# Cleanup intermediate files
	rm -f csr.pem cert.pem ca-cert.srl

	echo "Certificates and keystores generated successfully."
	#!/bin/sh

	# Step 1: Generate a client key and certificate
	openssl genpkey -algorithm RSA -out client-key.pem
	openssl req -new -key client-key.pem -out client-csr.pem -config conf/client.cnf
	openssl x509 -req -in client-csr.pem -CA certs/ca-cert.pem -CAkey certs/ca-key.pem -out certs/client-cert.pem -CAcreateserial

	# Step 2: Convert the client key and certificate to PKCS12 format (Client Keystore)
	openssl pkcs12 -export -in certs/client-cert.pem -inkey client-key.pem -out certs/client-keystore.p12 -name kafka-client -passout pass:your_client_keystore_password

	# Cleanup intermediate files
	rm -f client-csr.pem certs/client-cert.srl

	echo "Client certificate and keystore generated successfully."
	process.roles=broker,controller
	node.id=1
	controller.quorum.voters=1@kafka01:29190,2@kafka02:29290,3@kafka03:29390
	listeners=CONTROLLER://0.0.0.0:29190,SSL://0.0.0.0:29193
	inter.broker.listener.name=SSL
	advertised.listeners=SSL://10.5.50.77:29193
	delete.topic.enable=true
	controller.listener.names=CONTROLLER
	listener.security.protocol.map=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL,JINPC_PLAINTEXT:PLAINTEXT
	num.network.threads=3
	num.io.threads=8
	socket.send.buffer.bytes=102400
	socket.receive.buffer.bytes=102400
	socket.request.max.bytes=104857600
	log.dirs=/var/lib/kafka/data
	num.partitions=8
	default.replication.factor=3
	min.insync.replicas=2
	num.recovery.threads.per.data.dir=1
	offsets.topic.replication.factor=3
	transaction.state.log.replication.factor=3
	transaction.state.log.min.isr=2
	log.retention.hours=168
	log.segment.bytes=1073741824

	auto.create.topics.enable=true

	log.retention.check.interval.ms=300000
	controlled.shutdown.enable=true
	offsets.retention.minutes=10080
	replica.lag.time.max.ms=30000

	ssl.keystore.type=PKCS12
	ssl.keystore.location=/etc/kafka/secrets/keystore1.p12
	ssl.keystore.password=your_keystore_password

	ssl.truststore.location=/etc/kafka/secrets/truststore.p12
	ssl.truststore.password=your_truststore_password

	ssl.client.auth=required
	#ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
	ssl.enabled.protocols=TLSv1.3
	ssl.endpoint.identification.algorithm=