zookeeper-user mailing list archives

From Andor Molnar <an...@apache.org>
Subject Re: Clarification: SSL Client: Need of keystore?
Date Wed, 14 Aug 2019 15:03:17 GMT
Hi Jorn,

I cannot test this unfortunately, because I don’t have a working Kerberos environment at
the moment. If you comment out keystore.location, ZooKeeper won’t start, because it’s
unable to build the TrustManager.

Would you please try to create a fake (possibly empty) truststore and see how it goes?

Andor



> On 2019. Jul 30., at 20:49, Jörn Franke <jornfranke@gmail.com> wrote:
> 
> Hi,
> 
> I have a kerberized Zookeeper cluster and would like to add SSL on the
> client side and to the quorum.
> 
> So far the server configuration is clear. However, according to
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> 
> I need to specify on the client side
> zookeeper.ssl.keyStore.location="/path/to/your/keystore"
> zookeeper.ssl.keyStore.password="keystore_password"
> zookeeper.ssl.trustStore.location="/path/to/your/truststore"
> zookeeper.ssl.trustStore.password="truststore_password"
> 
> I do understand the need to provide a truststore, but why does the client
> need a keystore? As far as I understood, the keystore is only needed for
> X509 authentication, but I use the Kerberos authentication.
> 
> Does it mean the SSL client connection requires X509 authentication and
> Kerberos is not possible?
> Can you please clarify?
> 
> thank you.
> 
> best regards

