【Question Title】: Kafka SSL connectivity issue with application on IBM Websphere Application server
【Posted】: 2019-08-27 09:31:13
【Question】:

I am working on integrating my application with Apache Kafka. While everything works as expected when connecting to a test broker,
I have hit a blocker with 2-way SSL in the preprod environment. My application is deployed on WebSphere Application Server, and the certificates/keys are kept in the WebSphere keyring. The problem is that the Kafka producer configuration cannot interact with the keyring to find the trusted certificates or keys, so the connection fails.
I cannot use a JKS file, since that would defeat the purpose of the keyring and goes against the application design. The whole problem seems to be the interaction between the Kafka client code and the keyring during application startup. Any suggestions on this are appreciated.

org.apache.kafka.common.network.Selector) - [Producer clientId= xxxxxxx] Connection with disconnected due to authentication exception
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at com.ibm.jsse2.bb.B(bb.java:525)
        at com.ibm.jsse2.oc.b(oc.java:394)
        at com.ibm.jsse2.oc.c(oc.java:146)
        at com.ibm.jsse2.oc.wrap(oc.java:316)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:39)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeWrap(SslTransportLayer.java:434)
        at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:299)
        at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:253)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:79)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:486)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:424)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:460)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)
        at java.lang.Thread.run(Thread.java:798)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at com.ibm.jsse2.k.a(k.java:5)
        at com.ibm.jsse2.oc.a(oc.java:170)
        at com.ibm.jsse2.bb.a(bb.java:560)
        at com.ibm.jsse2.bb.a(bb.java:432)
        at com.ibm.jsse2.cb.a(cb.java:30)
        at com.ibm.jsse2.cb.a(cb.java:394)
        at com.ibm.jsse2.bb.t(bb.java:170)
        at com.ibm.jsse2.bb$1.a(bb$1.java:4)
        at com.ibm.jsse2.bb$1.run(bb$1.java:2)
        at java.security.AccessController.doPrivileged(AccessController.java:492)
        at com.ibm.jsse2.bb$c_.run(bb$c_.java:11)
        at org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:388)
        at org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:468)
        at org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:326)
        ... 8 more
Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
        java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxx is not trusted; internal cause is: 
        java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.jsse2.util.f.a(f.java:70)
        at com.ibm.jsse2.util.f.b(f.java:95)
        at com.ibm.jsse2.util.e.a(e.java:20)
        at com.ibm.jsse2.zc.a(zc.java:35)
        at com.ibm.jsse2.zc.a(zc.java:156)
        at com.ibm.jsse2.zc.checkServerTrusted(zc.java:125)
        at com.ibm.jsse2.cb.a(cb.java:302)
        ... 17 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
        java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxxx is not trusted; internal cause is: 
        java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:410)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:256)
        at com.ibm.jsse2.util.f.a(f.java:144)
        ... 23 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by xxxxxxxxxxxxxxx is not trusted; internal cause is: 
        java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
        at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:176)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:356)
        ... 25 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
        at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
        at com.ibm.security.cert.BasicChecker.<init>(BasicChecker

【Discussion】:

    Tags: java spring apache-kafka websphere-8


    【Answer 1】:

    I am not sure whether this will work, but you could try this:

    1. Extract the certificates and keys from the keyring before starting the producer;
    2. Save them in a *.jks file somewhere on your machine;
    3. Pass the paths of the newly created keystore and truststore to your Kafka producer

    Unfortunately, the Java Kafka client can only interact with *.jks files, so an appropriate conversion is needed before startup. Another option is to do the same thing at the pre-deployment stage (you prepare the keystore and truststore before starting the application).

    【Comments】:

    • BogdanSucaciu -- Thanks for your reply. While this is something I could try, one of the problems I can think of is that I also cannot access the keyring during startup. So it is almost as if I have to lazily initialize the Kafka producer. But the original class that triggers the event cannot be lazily initialized.
    【Answer 2】:

    I know I am a bit late to the party, but I was also looking for a solution to this problem and found a way to feed the WAS SSL configuration data to the Kafka Producer. The idea comes from the following IBM documentation, which explains how to use com.ibm.websphere.ssl.JSSEHelper to obtain the information specified in a WAS-managed SSL configuration: https://www.ibm.com/docs/en/was/8.5.5?topic=ascdoprse-programmatically-specifying-outbound-ssl-configuration-using-jssehelper-api

    The following can supply SSL configuration data to your Kafka Producer/Consumer properties:

     // JSSEHelper is the WAS API for reading a WAS-managed SSL configuration by its alias
     com.ibm.websphere.ssl.JSSEHelper jsseHelper = com.ibm.websphere.ssl.JSSEHelper.getInstance();
     java.util.Properties sslProperties = jsseHelper.getProperties("<your_ssl_conf_alias>");
     // Hand the truststore path from the WAS SSL configuration to the Kafka client properties
     consumerProperties.put(org.apache.kafka.common.config.SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, sslProperties.getProperty("com.ibm.ssl.trustStore"));
    

    You can use an existing alias or create a new one in the WAS console:

    SSL certificate and key management > SSL configurations

    【Comments】:
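    As an added example (not part of the answer above), the same JSSEHelper lookup carried through to a complete mapping of a WAS SSL alias onto Kafka client properties for 2-way SSL, i.e. both truststore and keystore. The class name WasKafkaSslConfig, the com.ibm.ssl.* property names other than com.ibm.ssl.trustStore, the store-type check and the {xor} password decoding via com.ibm.websphere.crypto.PasswordUtil are my additions, assuming WAS may return the store passwords still in its {xor} encoding.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.common.config.SslConfigs;
import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLException;

public final class WasKafkaSslConfig {
    // Store types the Kafka Java client can load from a path; WAS-specific types
    // such as CMSKS or a PKCS11 hardware store cannot simply be passed through.
    private static final Set<String> KAFKA_STORE_TYPES = new HashSet<String>(Arrays.asList("JKS", "PKCS12"));

    /** Builds Kafka client SSL properties from the WAS SSL configuration with the given alias. */
    public static Properties fromWasAlias(String sslAlias) throws SSLException {
        Properties was = JSSEHelper.getInstance().getProperties(sslAlias);
        Properties kafka = new Properties();
        kafka.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
        // Truststore: the CAs the client trusts; a missing broker issuer here is what
        // shows up as "PKIX path building failed ... Certificate chaining error".
        copyStore(was, kafka, "trustStore", SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG,
                SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG);
        // Keystore: the client certificate and key the broker requests in 2-way SSL.
        copyStore(was, kafka, "keyStore", SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG,
                SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, SslConfigs.SSL_KEYSTORE_TYPE_CONFIG);
        return kafka;
    }

    private static void copyStore(Properties was, Properties kafka, String wasStore,
            String locationKey, String passwordKey, String typeKey) {
        String location = was.getProperty("com.ibm.ssl." + wasStore);
        String password = was.getProperty("com.ibm.ssl." + wasStore + "Password");
        String type = was.getProperty("com.ibm.ssl." + wasStore + "Type", "JKS");
        if (location == null || password == null) {
            throw new IllegalStateException("WAS SSL config has no com.ibm.ssl." + wasStore + " or its password");
        }
        if (!KAFKA_STORE_TYPES.contains(type.toUpperCase())) {
            // Fail fast with a clear message instead of an opaque SSL handshake failure later.
            throw new IllegalStateException("Store type " + type + " cannot be loaded by the Kafka client");
        }
        // Assumption: WAS may hand the password back {xor}-encoded; Kafka needs it in clear text.
        if (password.startsWith("{xor}")) {
            password = PasswordUtil.decode(password);
        }
        kafka.put(locationKey, location);
        kafka.put(passwordKey, password);
        kafka.put(typeKey, type);
    }
}
```

    The returned Properties can be merged into the producer or consumer configuration alongside bootstrap.servers and the serializer settings.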
