
Add pluggability of KeyManager to generate the broker Private Keys and Certificates


Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 1.1.0, 1.1.1
    • None
    • security

    Description

      Context: Currently, in SslFactory.java, if the keystore ends up null (because an empty value was passed for ssl.keystore.location), the default Sun KeyManager is used and the configured 'ssl.keymanager.algorithm' is ignored.

      We need to change this so that, when the keystore is empty, the KeyManager is still obtained from a KeyManagerFactory created with the algorithm configured via 'ssl.keymanager.algorithm'.

      Background and Use Case: Kafka allows users to configure a truststore and keystore to enable TLS connections from clients to brokers. Often this means that during deployment one needs to pre-provision keystores so that clients can communicate with brokers on the TLS port. Most of the time users end up configuring a long-lived certificate, which is not good for security. Although KAFKA-4701 introduced reloading of keystores, it is still cumbersome to distribute these files onto the compute systems that run the clients.
      There are several projects that allow one to distribute certificates through a local agent, for example Spiffe (https://spiffe.io/). To take advantage of such systems we need to honour 'ssl.keymanager.algorithm' when creating the KeyManagerFactory.
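The two code paths the description contrasts, as an added illustration written for this page (it is not Kafka's own SslFactory.java; the method names and the "PKIX" stand-in for a provider-specific algorithm are assumptions):

```java
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

/** Illustrative only: how the KeyManager source is chosen before and after the fix. */
public class KeyManagerSelection {

    /** Pre-fix behaviour: no keystore means no KeyManagerFactory is consulted at all. */
    static KeyManager[] keyManagersBefore(KeyStore ks, char[] keyPassword, String kmfAlgorithm) throws Exception {
        if (ks == null) {
            // Returning null makes SSLContext.init() fall back to the JDK default key manager,
            // so the configured ssl.keymanager.algorithm is silently ignored.
            return null;
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                kmfAlgorithm != null ? kmfAlgorithm : KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        return kmf.getKeyManagers();
    }

    /** Fixed behaviour: honour the configured algorithm even when there is no keystore. */
    static KeyManager[] keyManagersAfter(KeyStore ks, char[] keyPassword, String kmfAlgorithm) throws Exception {
        if (ks == null && kmfAlgorithm == null) {
            return null; // nothing configured at all: the JDK default is the intended result
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                kmfAlgorithm != null ? kmfAlgorithm : KeyManagerFactory.getDefaultAlgorithm());
        // init(null, null) lets a provider-backed algorithm (e.g. one fed by a local
        // certificate agent) supply the broker identity without a keystore file.
        kmf.init(ks, ks == null ? null : keyPassword);
        return kmf.getKeyManagers();
    }

    public static void main(String[] args) throws Exception {
        String configured = "PKIX"; // assumed stand-in for a custom ssl.keymanager.algorithm
        KeyManager[] before = keyManagersBefore(null, null, configured);
        KeyManager[] after = keyManagersAfter(null, null, configured);
        System.out.println("before fix, empty keystore -> "
                + (before == null ? "JDK default (algorithm ignored)" : before[0].getClass().getName()));
        System.out.println("after fix,  empty keystore -> " + after[0].getClass().getName());
        // The managers from the fixed path are what the SSLContext actually uses.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(after, (TrustManager[]) null, null);
    }
}
```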

      Attachments

        Issue Links

        Activity


          People

            mprsai Sai Sandeep
            mprsai Sai Sandeep
            sriharsha chintalapani sriharsha chintalapani


              Time Tracking

                Original Estimate: 24h
                Remaining Estimate: 24h
                Time Spent: Not Specified
