Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.5.1, 3.6.0
    • Component/s: None
    • Labels:
      None

      Description

      Supporting SSL on Netty client-server communication.
      1. It supports keystore and trustore usage.
      2. It adds an additional ZK server port which supports SSL. This would be useful for rolling upgrade.

      RB: https://reviews.apache.org/r/31277/

      The patch includes three files:

      • testing purpose keystore and truststore under "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
      • latest ZOOKEEPER-2125.patch

      How to use it

      You need to set some parameters on both ZK server and client.

      Server

      You need to specify a listening SSL port in "zoo.cfg":

      secureClientPort=2281
      

      Just like what you did with "clientPort". And then set some jvm flags:

      export SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=testpass -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=testpass"
      

      Please change keystore and truststore parameters accordingly.

      Client

      You need to set jvm flags:

      export CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=testpass -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=testpass"
      

      change keystore and truststore parameters accordingly.
      And then connect to the server's SSL port, in this case:

      bin/zkCli.sh -server 127.0.0.1:2281
      

      If you have any feedback, you are more than welcome to discuss it here!

        Attachments

        1. ZOOKEEPER-2125-build.patch
          1 kB
          Hongchao Deng
        2. ZOOKEEPER-2125.patch
          45 kB
          Hongchao Deng
        3. ZOOKEEPER-2125.patch
          45 kB
          Hongchao Deng
        4. ZOOKEEPER-2125.patch
          56 kB
          Hongchao Deng
        5. ZOOKEEPER-2125.patch
          55 kB
          Hongchao Deng
        6. ZOOKEEPER-2125.patch
          58 kB
          Hongchao Deng
        7. ZOOKEEPER-2125.patch
          58 kB
          Hongchao Deng
        8. ZOOKEEPER-2125.patch
          66 kB
          Hongchao Deng
        9. ZOOKEEPER-2125.patch
          65 kB
          Hongchao Deng
        10. ZOOKEEPER-2125.patch
          65 kB
          Hongchao Deng
        11. ZOOKEEPER-2125.patch
          65 kB
          Hongchao Deng
        12. ZOOKEEPER-2125.patch
          65 kB
          Hongchao Deng
        13. ZOOKEEPER-2125.patch
          67 kB
          Hongchao Deng
        14. ZOOKEEPER-2125.patch
          67 kB
          Hongchao Deng
        15. ZOOKEEPER-2125.patch
          67 kB
          Hongchao Deng
        16. ZOOKEEPER-2125.patch
          68 kB
          Hongchao Deng
        17. ZOOKEEPER-2125.patch
          69 kB
          Hongchao Deng
        18. ZOOKEEPER-2125.patch
          69 kB
          Hongchao Deng
        19. ZOOKEEPER-2125.patch
          69 kB
          Hongchao Deng
        20. testTrustStore.jks
          0.9 kB
          Hongchao Deng
        21. testKeyStore.jks
          2 kB
          Hongchao Deng

          Issue Links

            Activity

              People

              • Assignee:
                hdeng Hongchao Deng
                Reporter:
                hdeng Hongchao Deng
              • Votes:
                0 Vote for this issue
                Watchers:
                18 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: