-
Notifications
You must be signed in to change notification settings - Fork 703
SSL Test Cases
You can find an overview of the key steps for setting up SSL below along with the test cases we're currently testing for.
###Notes
-
Keystore is where the component (broker, client) keeps their own private key and certificate.
-
Truststore contains the certificate for the trusted parties (i.e it will talk only to parties whose certs are in the truststore)
-
SSL authentication can be based on
- CA certificates: which means that anyone with certs signed by the CA (which has a cert in the truststore) is trusted.
- Certificates: which means anyone who has certs in the truststore is trusted.
-
To prevent MITM attacks, use CA certificates even if SSL authentication is not desired
The steps are summarized below, but please refer to the Kafka SSL keystore and trust store generator script for a more in-depth overview: https://github.com/confluentinc/confluent-platform-security-tools/blob/master/kafka-generate-ssl.sh
-
Generate CA certs
openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent openssl req -new -x509 -keyout snakeoil-ca-2.key -out snakeoil-ca-2.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent
-
Generate Broker keys and certs
a. Generate keystore
openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent
b. Export the broker cert from the keystore
keytool -keystore kafka.broker1.keystore.jks -alias broker1 -certreq -file broker1.crt
c. Make a certificate signing request to the keystore
keytool -keystore keystore/kafka.keystore.jks -alias localhost -certreq -file ca-cert.srl
d. Sign the cert with CA cert
openssl x509 -req -CA snakeoil-ca-1.crt -CAkey snakeoil-ca-1.key -in broker1.crt -out broker1-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:confluent
-
Add back to broker keystore
keytool -keystore kafka.broker1.keystore.jks -alias CARoot -import -file snakeoil-ca-1.cr keytool -keystore kafka.broker1.keystore.jks -alias broker1 -import -file broker1-ca1-signed.crt
-
Add CA cert to broker truststore
keytool -keystore kafka.broker1.truststore.jks -alias CARoot -import -file snakeoil-ca-1.crt
###Given
CA
- CA1 : CA1-cert
Brokers
- B1: B1-private-key, B1-cert(signed by CA1)
- B2: B2-private-key, B2-cert(signed by CA1)
Clients
- C1: C1-private-key, C1-cert(signed by CA1)
- C2: C2-private-key, C2-cert(signed by CA1)
###Case 1: CA-Based Authentication
Broker 1
- Keystore : B1-private-key, B1-cert
- Truststore : CA1-cert
Broker 2
- Keystore : B2-private-key, B2-cert
- Truststore : CA1-cert
Client 1
- Keystore : C1-private-key, C1-cert
- Truststore: CA1-cert
###Case 2: Cert-Based Authentication
Broker 1
- Keystore : B1-private-key, B1-cert
- Truststore : B2-cert, C1-cert, C2-cert
Broker 2
- Keystore : B2-private-key, B2-cert
- Truststore : B1-cert, C1-cert, C2-cert
Client 1
- Keystore : C1-private-key, C1-cert
- Truststore: B1-cert, B2-cert
###Given
CA
- CA1 : CA1-cert
- CA2 : CA2-cert
Brokers
- B1: B1-private-key, B1-cert(signed by CA1)
- B2: B2-private-key, B2-cert(signed by CA1)
Clients
- C1: C1-private-key, C1-cert(signed by CA2)
- C2: C2-private-key, C2-cert(signed by CA2)
Broker 1
- Keystore : B1-private-key, B1-cert
- Truststore : CA1-cert, CA2-cert
Broker 2
- Keystore : B2-private-key, B2-cert
- Truststore : CA1-cert, CA2-cert
Client 1
- Keystore : C1-private-key, C1-cert
- Truststore: CA1-cert
###Case 2: Cert-Based Authentication #1
Broker 1
- Keystore : B1-private-key, B1-cert
- Truststore : CA1-cert, C1-cert, C2-cert
Broker 2
- Keystore : B2-private-key, B2-cert
- Truststore : CA1-cert, C1-cert, C2-cert
Client 1
- Keystore : C1-private-key, C1-cert
- Truststore: CA1-cert
Client 2
- Keystore : C1-private-key, C2-cert
- Truststore: CA1-cert
###Case 3: Cert-Based Authentication #2
Broker 1
- Keystore : B1-private-key, B1-cert
- Truststore : CA1-cert, B2-cert
Broker 2
- Keystore : B2-private-key, B2-cert
- Truststore : CA1-cert, B1-cert
Client 1
- Keystore : C1-private-key, C1-cert
- Truststore: CA1-cert, B1-cert, B2-cert
Client 2
- Keystore : C1-private-key, C2-cert
- Truststore: CA1-cert, B1-cert, B2-cert
- Introduction
-
Getting Started
- Tutorial: Running in Standalone Mode
- Tutorial: Running on Multiple Remote Hosts and Clustering
-
Security
- Overview (TODO)
- Tutorial: Enabling SSL/TLS on a Cluster
- Securing Other Components (TODO)
- Overview of image structure
- Utility Scripts
- W/ Different kinds of docker networks
- Bridged (including caveats
- host networking (including caveats)
- Enabling JMX
- Development
- Important Caveats
- How to Contribute