【发布时间】:2020-07-17 15:08:46
【问题描述】:
我正在努力在 Kafka 服务器和 Spring(引导)Kafka 客户端之间设置 Kafka SSL。
我有一个使用 SSL 的工作 Kafka 服务器,如下所述:http://kafka.apache.org/documentation/#security_ssl
listeners=SSL://test.test.de:9093
# ssl
security.inter.broker.protocol=SSL
ssl.keystore.location=/home/kafka/ssl/server.keystore.jks
ssl.keystore.password=secret
ssl.key.password=secret
ssl.truststore.location=/home/kafka/ssl/server.truststore.jks
ssl.truststore.password=secret
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type=JKS
ssl.truststore.type=JKS
ssl.secure.random.implementation=SHA1PRNG
我用 Spring Kafka 搭建了一个 Spring Boot Library APP。这些是生产者配置:
Map<String, Object> props = new HashMap<>();
props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "test.test.de:9093");
props.put(ProducerConfig.RETRIES_CONFIG, 0);
props.put(ProducerConfig.BATCH_SIZE_CONFIG, 16384);
props.put(ProducerConfig.LINGER_MS_CONFIG, 1);
props.put(ProducerConfig.BUFFER_MEMORY_CONFIG, 33554432);
props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class);
props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, JsonSerializer.class);
props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
props.put("ssl.keystore.location", "C:\\dev\\tmp\\ssl\\client.keystore.jks");
props.put("ssl.truststore.location", "C:\\dev\\tmp\\ssl\\client.truststore.jks");
props.put("ssl.keystore.password", "secret");
props.put("ssl.truststore.password", "secret");
props.put("ssl.key.password", "secret");
props.put("ssl.enabled.protocols", "TLSv1.2,TLSv1.1,TLSv1");
props.put("ssl.keystore.type", "JKS");
props.put("ssl.truststore.type", "JKS");
当我通过kafkaTemplate.sendDefault 发送消息时,我得到了这个异常:
java.net.ConnectException: Connection refused: no further information
at java.base/sun.nio.ch.Net.pollConnect(Native Method) ~[na:na]
at java.base/sun.nio.ch.Net.pollConnectNow(Net.java:589) ~[na:na]
at java.base/sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:839) ~[na:na]
at org.apache.kafka.common.network.SslTransportLayer.finishConnect(SslTransportLayer.java:137) ~[kafka-clients-2.5.0.jar:na]
at org.apache.kafka.common.network.KafkaChannel.finishConnect(KafkaChannel.java:220) ~[kafka-clients-2.5.0.jar:na]
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:530) ~[kafka-clients-2.5.0.jar:na]
at org.apache.kafka.common.network.Selector.poll(Selector.java:485) ~[kafka-clients-2.5.0.jar:na]
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:549) ~[kafka-clients-2.5.0.jar:na]
at org.apache.kafka.clients.producer.internals.Sender.runOnce(Sender.java:324) ~[kafka-clients-2.5.0.jar:na]
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239) ~[kafka-clients-2.5.0.jar:na]
at java.base/java.lang.Thread.run(Thread.java:832) ~[na:na]
编辑:
一些进一步的调试日志:
2020-07-16 13:28:06.204 DEBUG 12516 --- [ad | producer-1]
org.apache.kafka.clients.NetworkClient : [Producer clientId=producer-1] Node -1 disconnected.
2020-07-16 13:28:06.204 WARN 12516 --- [ad | producer-1]
org.apache.kafka.clients.NetworkClient : [Producer clientId=producer-1] Connection to node -1 (test.test.de/192.192.192.192:9093) could not be established. Broker may not be available.
2020-07-16 13:28:06.204 WARN 12516 --- [ad | producer-1]
org.apache.kafka.clients.NetworkClient : [Producer clientId=producer-1] Bootstrap broker test.test.de:9093 (id: -1 rack: null) disconnected
2020-07-16 13:28:06.305 DEBUG 12516 --- [ad | producer-1]
org.apache.kafka.clients.NetworkClient : [Producer clientId=producer-1] Initialize connection to node test.test.de:9093 (id: -1 rack: null) for sending metadata request
2020-07-16 13:28:06.305 DEBUG 12516 --- [ad | producer-1]
org.apache.kafka.clients.NetworkClient : [Producer clientId=producer-1] Initiating connection to node test.test.de:9093 (id: -1 rack: null) using address test.test.de/192.192.192.192
2020-07-16 13:28:08.331 DEBUG 12516 --- [ad | producer-1]
o.apache.kafka.common.network.Selector : [Producer clientId=producer-1] Connection with test.test.de/192.192.192.192 disconnected
我不知道这是怎么回事。
我在服务器端和客户端都找不到错误详细信息。
我无法评估错误是无效的 SSL 握手还是其他原因。
【问题讨论】:
-
可能客户的密钥应该放在kafka的密钥库中,反之亦然
-
您能详细说明一下吗?哪个键?放在哪里?
-
所以你已经在 Kafka 服务器上设置了一个密钥库,对吧?您是否尝试过禁用客户端身份验证? (关闭“ssl.client.auth”)。根据我的 Java 经验,Java 客户端在连接到它之前需要在其信任库中拥有服务器的证书。对于 Kafka 客户端,似乎不需要,至少从我在文档中读到的内容来看。您可以尝试从服务器的密钥库中导出证书(.pem)并将其导入客户端的信任库,然后重新检查连接(并暂时禁用客户端身份验证)
-
Connection refused在 TCP 级别下降;它与 SSL 无关 - 它只是意味着在test.test.de上的端口 9093 上没有任何监听。