Uploaded image for project: 'Apache Storm'
  1. Apache Storm
  2. STORM-3123

Storm Kafka Monitor does not work with Kafka over two-way SSL

    XMLWordPrintableJSON

    Details

      Description

      Storm Kafka Monitor has no option to read / parse SSL truststore/keystore properties which are required to connect to Kafka running over two-way SSL. As a fix, it needs to understand the following additional Kafka properties:

      ssl.truststore.location=<truststore-file>
      ssl.truststore.password=<password>
      ssl.keystore.location=<keystore-file>
      ssl.keystore.password=<password>
      ssl.key.password=<password>
      

      Since, JVM has a fallback mechanism for loading SSL truststore, Storm Kafka Monitor would always endup using some truststore and would eventually work with one-way SSL (which is also a default for Kafka setup).

      Since there is no such fallback for SSL keystore, Storm Kafka Monitor would start without a keystore and would eventually throw this error (in SSL debug mode):

      Warning: no suitable certificate found - continuing without client authentication
      *** Certificate chain
      <Empty>
      ***
      

      At this time, Kafka broker would complain about above like this:

      kafka-network-thread-1002-SSL-7, READ: TLSv1.2 Handshake, length = 141
      *** Certificate chain
      <Empty>
      ***
      kafka-network-thread-1002-SSL-7, fatal error: 42: null cert chain
      javax.net.ssl.SSLHandshakeException: null cert chain
      

      Therefore, in the absence of this fix, the only available workaround is to stick to one-way SSL in Kafka (i.e. keep ssl.client.auth=none in Kafka).

        Attachments

          Activity

            People

            • Assignee:
              vrathor-hw Vipin Rathor
              Reporter:
              vrathor-hw Vipin Rathor
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 4h
                4h