Skip to content
This repository has been archived by the owner on May 2, 2023. It is now read-only.

SSL Test Cases

Sam Hecht edited this page Jul 14, 2016 · 3 revisions

Introduction

You can find an overview of the key steps for setting up SSL below along with the test cases we're currently testing for.

###Notes

  • Keystore is where the component (broker, client) keeps their own private key and certificate.

  • Truststore contains the certificate for the trusted parties (i.e it will talk only to parties whose certs are in the truststore)

  • SSL authentication can be based on

    • CA certificates: which means that anyone with certs signed by the CA (which has a cert in the truststore) is trusted.
    • Certificates: which means anyone who has certs in the truststore is trusted.
  • To prevent MITM attacks, use CA certificates even if SSL authentication is not desired

Generating the certs and keys

The steps are summarized below, but please refer to the Kafka SSL keystore and trust store generator script for a more in-depth overview: https://github.com/confluentinc/confluent-platform-security-tools/blob/master/kafka-generate-ssl.sh

  1. Generate CA certs

     openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent
     openssl req -new -x509 -keyout snakeoil-ca-2.key -out snakeoil-ca-2.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent
    
  2. Generate Broker keys and certs

    a. Generate keystore

     openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent
    

    b. Export the broker cert from the keystore

     keytool -keystore kafka.broker1.keystore.jks -alias broker1 -certreq -file broker1.crt
    

    c. Make a certificate signing request to the keystore

     keytool -keystore keystore/kafka.keystore.jks -alias localhost -certreq -file ca-cert.srl
    

    d. Sign the cert with CA cert

     openssl x509 -req -CA snakeoil-ca-1.crt -CAkey snakeoil-ca-1.key -in broker1.crt -out broker1-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:confluent
    
  3. Add back to broker keystore

     keytool -keystore kafka.broker1.keystore.jks -alias CARoot -import -file snakeoil-ca-1.cr
     keytool -keystore kafka.broker1.keystore.jks -alias broker1 -import -file broker1-ca1-signed.crt
    
  4. Add CA cert to broker truststore

     keytool -keystore kafka.broker1.truststore.jks -alias CARoot -import -file snakeoil-ca-1.crt
    

1. Broker and client share the same CA

###Given

CA

  • CA1 : CA1-cert

Brokers

  • B1: B1-private-key, B1-cert(signed by CA1)
  • B2: B2-private-key, B2-cert(signed by CA1)

Clients

  • C1: C1-private-key, C1-cert(signed by CA1)
  • C2: C2-private-key, C2-cert(signed by CA1)

###Case 1: CA-Based Authentication

Broker 1

  • Keystore : B1-private-key, B1-cert
  • Truststore : CA1-cert

Broker 2

  • Keystore : B2-private-key, B2-cert
  • Truststore : CA1-cert

Client 1

  • Keystore : C1-private-key, C1-cert
  • Truststore: CA1-cert

###Case 2: Cert-Based Authentication

Broker 1

  • Keystore : B1-private-key, B1-cert
  • Truststore : B2-cert, C1-cert, C2-cert

Broker 2

  • Keystore : B2-private-key, B2-cert
  • Truststore : B1-cert, C1-cert, C2-cert

Client 1

  • Keystore : C1-private-key, C1-cert
  • Truststore: B1-cert, B2-cert

2. Broker and Client Have Different CAs

###Given

CA

  • CA1 : CA1-cert
  • CA2 : CA2-cert

Brokers

  • B1: B1-private-key, B1-cert(signed by CA1)
  • B2: B2-private-key, B2-cert(signed by CA1)

Clients

  • C1: C1-private-key, C1-cert(signed by CA2)
  • C2: C2-private-key, C2-cert(signed by CA2)

Case 1: CA-Based Authentication

Broker 1

  • Keystore : B1-private-key, B1-cert
  • Truststore : CA1-cert, CA2-cert

Broker 2

  • Keystore : B2-private-key, B2-cert
  • Truststore : CA1-cert, CA2-cert

Client 1

  • Keystore : C1-private-key, C1-cert
  • Truststore: CA1-cert

###Case 2: Cert-Based Authentication #1

Broker 1

  • Keystore : B1-private-key, B1-cert
  • Truststore : CA1-cert, C1-cert, C2-cert

Broker 2

  • Keystore : B2-private-key, B2-cert
  • Truststore : CA1-cert, C1-cert, C2-cert

Client 1

  • Keystore : C1-private-key, C1-cert
  • Truststore: CA1-cert

Client 2

  • Keystore : C1-private-key, C2-cert
  • Truststore: CA1-cert

###Case 3: Cert-Based Authentication #2

Broker 1

  • Keystore : B1-private-key, B1-cert
  • Truststore : CA1-cert, B2-cert

Broker 2

  • Keystore : B2-private-key, B2-cert
  • Truststore : CA1-cert, B1-cert

Client 1

  • Keystore : C1-private-key, C1-cert
  • Truststore: CA1-cert, B1-cert, B2-cert

Client 2

  • Keystore : C1-private-key, C2-cert
  • Truststore: CA1-cert, B1-cert, B2-cert

Table of Contents

Clone this wiki locally