Details
Bug
Status: Resolved
Major
Resolution: Fixed
1.2.2
Description
Storm Kafka Monitor has no option to read / parse SSL truststore/keystore properties which are required to connect to Kafka running over two-way SSL. As a fix, it needs to understand the following additional Kafka properties:
ssl.truststore.location=<truststore-file>
ssl.truststore.password=<password>
ssl.keystore.location=<keystore-file>
ssl.keystore.password=<password>
ssl.key.password=<password>
Since the JVM has a fallback mechanism for loading the SSL truststore, Storm Kafka Monitor would always end up using some truststore and would eventually work with one-way SSL (which is also the default for a Kafka setup).
Since there is no such fallback for SSL keystore, Storm Kafka Monitor would start without a keystore and would eventually throw this error (in SSL debug mode):
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain <Empty> ***
At this point, the Kafka broker would complain about the above like this:
kafka-network-thread-1002-SSL-7, READ: TLSv1.2 Handshake, length = 141
*** Certificate chain <Empty> ***
kafka-network-thread-1002-SSL-7, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
Therefore, in the absence of this fix, the only available workaround is to stick to one-way SSL in Kafka (i.e. keep ssl.client.auth=none in Kafka).
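A pre-flight check for the asymmetry described above (the truststore falls back to the JVM default, the keystore does not), written as an added example; it is not Storm Kafka Monitor's code and not the fix shipped for this issue. The class name, method names and sample paths are hypothetical; the property keys are the ones listed in the description.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Hypothetical helper: reports why a client would (or would not) be able to
// present a certificate when the broker requires two-way SSL.
public class TwoWaySslPreflight {

    static List<String> check(Properties p) {
        List<String> findings = new ArrayList<>();
        // No JVM fallback exists for the keystore: a missing value means the
        // client sends an empty certificate chain and the handshake fails.
        requireStore(p, "ssl.keystore", "ERROR", findings);
        // A missing truststore is not fatal: the JVM default truststore is used.
        requireStore(p, "ssl.truststore", "NOTE", findings);
        return findings;
    }

    static void requireStore(Properties p, String prefix, String level, List<String> out) {
        String location = p.getProperty(prefix + ".location", "").trim();
        String password = p.getProperty(prefix + ".password", "").trim();
        if (location.isEmpty()) {
            out.add(level + ": " + prefix + ".location is not set");
        } else if (!Files.isReadable(Paths.get(location))) {
            out.add(level + ": " + prefix + ".location is not a readable file: " + location);
        }
        if (!location.isEmpty() && password.isEmpty()) {
            out.add(level + ": " + prefix + ".password is not set");
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: truststore configured, keystore forgotten.
        // The path is a placeholder, so it is also reported as unreadable.
        String sample = String.join("\n",
            "ssl.truststore.location=/path/to/truststore.jks",
            "ssl.truststore.password=changeit");
        Properties p = new Properties();
        p.load(new StringReader(sample));
        List<String> findings = check(p);
        findings.forEach(System.out::println);
        // Non-zero exit when the client could not authenticate to the broker.
        System.exit(findings.stream().anyMatch(f -> f.startsWith("ERROR")) ? 1 : 0);
    }
}
```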