有一种方法可以完成它,但它并不那么简单。
这个想法是实现将忽略证书验证的接口 org.apache.kafka.common.security.auth.SslEngineFactory。当您将其用作客户端时,只需以类似于以下方式实现 createClientSslEngine 方法就足够了:
import org.apache.kafka.common.security.auth.SslEngineFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
public static class MySslEngineFactory implements SslEngineFactory {
@Override
public SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification) {
try {
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() { return null; }
public void checkClientTrusted(X509Certificate[] certs, String authType) { }
public void checkServerTrusted(X509Certificate[] certs, String authType) { }
}};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
SSLEngine sslEngine = sc.createSSLEngine(peerHost, peerPort);
sslEngine.setUseClientMode(true);
return sslEngine;
} catch (NoSuchAlgorithmException | KeyManagementException e) {
throw new RuntimeException(e);
}
}
@Override
public SSLEngine createServerSslEngine(String peerHost, int peerPort) {
return null;
}
@Override
public boolean shouldBeRebuilt(Map<String, Object> nextConfigs) {
return false;
}
@Override
public Set<String> reconfigurableConfigs() {
return null;
}
@Override
public KeyStore keystore() {
return null;
}
@Override
public KeyStore truststore() {
return null;
}
@Override
public void close() throws IOException {
}
@Override
public void configure(Map<String, ?> configs) {
}
}
完成此类后,您只需在 kafka(生产者或消费者)属性中将其配置为 SSL_ENGINE_FACTORY_CLASS:
props.put(SslConfigs.SSL_ENGINE_FACTORY_CLASS, MySslEngineFactory.class);
或者如果您不想使用该常量:
props.put("ssl.engine.factory.class", MySslEngineFactory.class);
确保不要在生产中使用此设置!