Kafka mTLS with ACL Example

References

See this example and this example

Confluent Example

Running the Code

  • ./run-example

Creating the Keys

#!/bin/bash
set -euo pipefail

# generate root key & self-signed root CA; root.key signs every certificate below
echo "create root"
openssl genrsa -out root.key
openssl req -new -x509 -key root.key -out root.crt -subj "/C=GB/L=London/O=Essexboy Ltd/OU=devops/CN=EssexboyRoot"
chmod 600 root.key
chmod 644 root.crt

# import root CA into the server truststore (the broker uses it to validate client certs)
echo "create server truststore and add root cert"
keytool -import -trustcacerts -keystore kafka.server.truststore.jks -storepass changeit -noprompt -alias root -file root.crt

# import root CA into the client truststore (clients use it to validate the broker cert)
echo "create client truststore and add root cert"
keytool -import -trustcacerts -keystore kafka.client.truststore.jks -storepass changeit -noprompt -alias root -file root.crt

# create server keystore, export the cert, sign it, import root CA
echo "create server keystore and sign"
keytool -keystore kafka.server.keystore.jks -storepass changeit -alias essexboy-server-1 -validity 365 -genkey -keyalg RSA -ext SAN=DNS:kafka.essexboy.com -dname "CN=Essexboy1"
keytool -keystore kafka.server.keystore.jks -storepass changeit -alias essexboy-server-1 -certreq -file kafka.unsigned.crt
# openssl x509 -req does not carry the CSR's extensions into the signed cert, so the SAN is
# supplied again here; without it the broker cert names no host and client-side hostname
# verification against kafka.essexboy.com fails
printf "subjectAltName=DNS:kafka.essexboy.com\n" > server.ext
openssl x509 -req -CA root.crt -CAkey root.key -in kafka.unsigned.crt -out kafka.signed.crt -days 365 -CAcreateserial -extfile server.ext
keytool -keystore kafka.server.keystore.jks -storepass changeit -alias root -import -file root.crt -noprompt
keytool -keystore kafka.server.keystore.jks -storepass changeit -alias essexboy-server-1 -import -file kafka.signed.crt -noprompt

# create client 1 keystore, export the cert, sign it, import root CA
echo "create client 1 keystore and sign"
keytool -keystore kafka.client1.keystore.jks -storepass changeit -alias essexboy-client-1 -validity 365 -genkey -keyalg RSA -ext SAN=DNS:kafka.essexboy.com -dname "CN=Essexboy1"
keytool -keystore kafka.client1.keystore.jks -storepass changeit -alias essexboy-client-1 -certreq -file kafka.unsigned.crt
openssl x509 -req -CA root.crt -CAkey root.key -in kafka.unsigned.crt -out kafka.signed.crt -days 365 -CAcreateserial
keytool -keystore kafka.client1.keystore.jks -storepass changeit -alias root -import -file root.crt -noprompt
keytool -keystore kafka.client1.keystore.jks -storepass changeit -alias essexboy-client-1 -import -file kafka.signed.crt -noprompt

# create client 2 keystore, export the cert, sign it, import root CA
echo "create client 2 keystore and sign"
keytool -keystore kafka.client2.keystore.jks -storepass changeit -alias essexboy-client-2 -validity 365 -genkey -keyalg RSA -ext SAN=DNS:kafka.essexboy.com -dname "CN=Essexboy2"
keytool -keystore kafka.client2.keystore.jks -storepass changeit -alias essexboy-client-2 -certreq -file kafka.unsigned.crt
openssl x509 -req -CA root.crt -CAkey root.key -in kafka.unsigned.crt -out kafka.signed.crt -days 365 -CAcreateserial
keytool -keystore kafka.client2.keystore.jks -storepass changeit -alias root -import -file root.crt -noprompt
keytool -keystore kafka.client2.keystore.jks -storepass changeit -alias essexboy-client-2 -import -file kafka.signed.crt -noprompt

# create client 3 keystore, export the cert, sign it, import root CA.
# client 3 WILL NOT be authorised: its CN is not listed in super.users
echo "create client 3 keystore and sign"
keytool -keystore kafka.client3.keystore.jks -storepass changeit -alias essexboy-client-3 -validity 365 -genkey -keyalg RSA -ext SAN=DNS:kafka.essexboy.com -dname "CN=Essexboy3"
keytool -keystore kafka.client3.keystore.jks -storepass changeit -alias essexboy-client-3 -certreq -file kafka.unsigned.crt
openssl x509 -req -CA root.crt -CAkey root.key -in kafka.unsigned.crt -out kafka.signed.crt -days 365 -CAcreateserial
keytool -keystore kafka.client3.keystore.jks -storepass changeit -alias root -import -file root.crt -noprompt
keytool -keystore kafka.client3.keystore.jks -storepass changeit -alias essexboy-client-3 -import -file kafka.signed.crt -noprompt

echo ""
echo "server keystore"
keytool -list -keystore kafka.server.keystore.jks -storepass changeit

echo ""
echo "client 1 keystore"
keytool -list -keystore kafka.client1.keystore.jks -storepass changeit

echo ""
echo "client 2 keystore"
keytool -list -keystore kafka.client2.keystore.jks -storepass changeit

echo ""
echo "client 3 keystore"
keytool -list -keystore kafka.client3.keystore.jks -storepass changeit

# clean up; the root key is discarded, so no further certs can be issued without re-running
rm kafka.unsigned.crt kafka.signed.crt server.ext root.srl root.crt root.key
mkdir -p secrets
mv *.jks secrets
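Whether client 3 is rejected depends on how the broker turns each certificate's subject DN into a Kafka principal and then compares it with super.users. The Python below is an added example, not code from this repository: it models Kafka's default principal mapping (User: plus the full DN) and, going beyond the README, the RULE syntax of ssl.principal.mapping.rules; the super.users value is an assumption, since the README does not show server.properties.

```python
import re

# Constructed broker-side super.users (server.properties). The README only says client 3's
# CN is "not listed", so including clients 1 and 2 is an assumption matching the script's CNs.
SUPER_USERS = "User:CN=Essexboy1;User:CN=Essexboy2"

# Subject DNs exactly as the script's -dname arguments create them.
CLIENT_DNS = {"client1": "CN=Essexboy1", "client2": "CN=Essexboy2", "client3": "CN=Essexboy3"}

# One ssl.principal.mapping.rules entry: DEFAULT, or RULE:<regex>/<replacement>/[L|U]
RULE_RE = re.compile(r"\s*(DEFAULT|RULE:(.*?)/(.*?)/([LU]?))\s*(?:,|$)")

def parse_rules(rules):
    """Parse a comma-separated ssl.principal.mapping.rules value into rule tuples."""
    parsed, pos = [], 0
    while pos < len(rules):
        m = RULE_RE.match(rules, pos)
        if not m:
            raise ValueError(f"bad mapping rule near: {rules[pos:]}")
        if m.group(1) == "DEFAULT":
            parsed.append(None)
        else:
            # Kafka replacements use Java's $1 group syntax; Python's re.sub wants \1
            repl = re.sub(r"\$(\d+)", r"\\\1", m.group(3))
            parsed.append((re.compile(m.group(2)), repl, m.group(4)))
        pos = m.end()
    return parsed

def principal_from_dn(dn, rules):
    """Mimic Kafka's SslPrincipalMapper: the first rule whose regex matches the whole DN wins."""
    for rule in rules:
        if rule is None:  # DEFAULT passes the DN through unchanged
            return "User:" + dn
        pattern, repl, case = rule
        if pattern.fullmatch(dn):
            name = pattern.sub(repl, dn)
            name = name.lower() if case == "L" else name.upper() if case == "U" else name
            return "User:" + name
    raise ValueError(f"no mapping rule matched DN {dn!r}")

def is_super_user(principal, super_users=SUPER_USERS):
    """super.users is a ';'-separated list of principals such as User:CN=Essexboy1."""
    return principal in {p.strip() for p in super_users.split(";") if p.strip()}

def check_clients(rules="DEFAULT", super_users=SUPER_USERS):
    """Map each client keystore's DN to its principal and report super-user status."""
    parsed = parse_rules(rules)
    return {n: is_super_user(principal_from_dn(dn, parsed), super_users) for n, dn in CLIENT_DNS.items()}
```

With the default mapping, clients 1 and 2 resolve to listed principals and client 3 does not, which is the outcome the script comment describes.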

Contributors

gregclinker