ZOOKEEPER-2125: SSL on Netty client-server communication

Parent issue: ZOOKEEPER-2120 SSL feature on Netty


Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.5.1, 3.6.0
    • Component/s: None

    Description

      Supporting SSL on Netty client-server communication.
      1. It supports keystore and truststore usage.
      2. It adds an additional ZK server port which supports SSL. This would be useful for a rolling upgrade.

      RB: https://reviews.apache.org/r/31277/

      The patch includes three files:

      • testing purpose keystore and truststore under "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
      • latest ZOOKEEPER-2125.patch

      How to use it

      You need to set some parameters on both ZK server and client.

      Server

      You need to specify a listening SSL port in "zoo.cfg":

      secureClientPort=2281
      

      Just like what you did with "clientPort". And then set some jvm flags:

      export SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=testpass -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=testpass"
      

      Please change keystore and truststore parameters accordingly.

      Client

      You need to set jvm flags:

      export CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=testpass -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=testpass"
      

      Change keystore and truststore parameters accordingly.
      Then connect to the server's SSL port, in this case:

      bin/zkCli.sh -server 127.0.0.1:2281
      
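The server and client steps above both set the same four -Dzookeeper.ssl.* properties, differing only in the connection-factory flags. The following POSIX sh helpers are an added example written for this page, not code from the ZOOKEEPER-2125 patch: they assemble SERVER_JVMFLAGS and CLIENT_JVMFLAGS from the keystore and truststore arguments, confirm that zoo.cfg declares a secureClientPort distinct from clientPort (the patch adds a second listener rather than replacing the plaintext one), and confirm that the JKS files are not readable by other local users. The paths and passwords are placeholders.

```shell
#!/bin/sh
# Added example for ZOOKEEPER-2125 (not part of the patch). Store paths and
# passwords below are placeholders supplied by the caller.

# Common -Dzookeeper.ssl.* flags shared by server and client.
# Usage: zk_ssl_flags KEYSTORE KEYSTORE_PASS TRUSTSTORE TRUSTSTORE_PASS
zk_ssl_flags() {
    printf '%s' "-Dzookeeper.ssl.keyStore.location=$1 -Dzookeeper.ssl.keyStore.password=$2 -Dzookeeper.ssl.trustStore.location=$3 -Dzookeeper.ssl.trustStore.password=$4"
}

# Server side: Netty connection factory plus the SSL flags (SERVER_JVMFLAGS).
zk_server_flags() {
    printf '%s %s' "-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory" "$(zk_ssl_flags "$@")"
}

# Client side: Netty socket, secure mode, plus the SSL flags (CLIENT_JVMFLAGS).
zk_client_flags() {
    printf '%s %s' "-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true" "$(zk_ssl_flags "$@")"
}

# Print the value of key $2 from the zoo.cfg-style file $1 (key=value lines).
# Prints nothing and returns 1 when the key is absent.
zk_cfg_get() {
    _val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1)
    [ -n "$_val" ] || return 1
    printf '%s' "$_val"
}

# Verify that $1 declares secureClientPort and that it differs from clientPort.
# Returns 0 when OK, 1 otherwise, printing the reason either way.
zk_check_secure_cfg() {
    _secure=$(zk_cfg_get "$1" secureClientPort) || { echo "secureClientPort not set in $1"; return 1; }
    _plain=$(zk_cfg_get "$1" clientPort) || _plain=""
    if [ "$_secure" = "$_plain" ]; then
        echo "secureClientPort and clientPort are both $_secure; they must differ"
        return 1
    fi
    echo "secureClientPort=$_secure OK"
}

# Verify that a keystore/truststore file exists and carries no permissions
# for "other" (the last three characters of the ls -l mode string).
zk_check_store_perms() {
    [ -f "$1" ] || { echo "missing store: $1"; return 1; }
    case "$(ls -l "$1" | cut -c8-10)" in
        ---) return 0 ;;
        *) echo "$1 is readable by other users; tighten with chmod o-rwx"; return 1 ;;
    esac
}

# Typical use (placeholder paths), mirroring the description:
#   zk_check_secure_cfg conf/zoo.cfg || exit 1
#   zk_check_store_perms ssl/testKeyStore.jks || exit 1
#   export SERVER_JVMFLAGS="$(zk_server_flags ssl/testKeyStore.jks testpass ssl/testTrustStore.jks testpass)"
#   export CLIENT_JVMFLAGS="$(zk_client_flags ssl/testKeyStore.jks testpass ssl/testTrustStore.jks testpass)"
```

Note that passing the store passwords as -D system properties puts them on the JVM command line, where any local user can read them from the process list; the permission check above covers the store files themselves, not the passwords, so the account running ZooKeeper should be the only one with shell access to that host.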

      If you have any feedback, you are more than welcome to discuss it here!

      Attachments

        1. ZOOKEEPER-2125.patch (69 kB, Hongchao Deng)
        2. ZOOKEEPER-2125.patch (69 kB, Hongchao Deng)
        3. ZOOKEEPER-2125.patch (69 kB, Hongchao Deng)
        4. ZOOKEEPER-2125.patch (68 kB, Hongchao Deng)
        5. ZOOKEEPER-2125.patch (67 kB, Hongchao Deng)
        6. ZOOKEEPER-2125.patch (67 kB, Hongchao Deng)
        7. ZOOKEEPER-2125.patch (67 kB, Hongchao Deng)
        8. ZOOKEEPER-2125.patch (65 kB, Hongchao Deng)
        9. ZOOKEEPER-2125-build.patch (1 kB, Hongchao Deng)
        10. testTrustStore.jks (0.9 kB, Hongchao Deng)
        11. testKeyStore.jks (2 kB, Hongchao Deng)
        12. ZOOKEEPER-2125.patch (65 kB, Hongchao Deng)
        13. ZOOKEEPER-2125.patch (65 kB, Hongchao Deng)
        14. ZOOKEEPER-2125.patch (65 kB, Hongchao Deng)
        15. ZOOKEEPER-2125.patch (66 kB, Hongchao Deng)
        16. ZOOKEEPER-2125.patch (58 kB, Hongchao Deng)
        17. ZOOKEEPER-2125.patch (58 kB, Hongchao Deng)
        18. ZOOKEEPER-2125.patch (55 kB, Hongchao Deng)
        19. ZOOKEEPER-2125.patch (56 kB, Hongchao Deng)
        20. ZOOKEEPER-2125.patch (45 kB, Hongchao Deng)
        21. ZOOKEEPER-2125.patch (45 kB, Hongchao Deng)

        People

          Assignee: Hongchao Deng
          Reporter: Hongchao Deng
