This note walks through enabling TLS transport encryption between Apache Pulsar brokers and clients: a private CA is created with OpenSSL, a broker certificate is issued from it, and the broker and the Java client are configured to use them. Without TLS, traffic between client and broker is sent in the clear. (Verified on Pulsar 2.4.2.)
Create the CA
Work under /data:
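$ mkdir my-ca
$ cd my-ca
# Fetch the CA configuration over verified HTTPS. The original used
# --no-check-certificate, which lets anyone in the path replace the file
# that defines every extension (v3_ca, server_cert) this CA will stamp
# into certificates.
$ wget https://raw.githubusercontent.com/apache/pulsar/master/site2/website/static/examples/openssl.cnf
$ export CA_HOME="$(pwd)"
# Standard 'openssl ca' layout: issued certs, CRLs, per-serial copies, keys.
$ mkdir certs crl newcerts private
# Only the CA operator may enter the key directory.
$ chmod 700 private/
# Empty certificate database and starting serial number required by 'openssl ca'.
$ touch index.txt
$ echo 1000 > serial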
Generate the CA private key. You will be prompted for a passphrase; keep it safe, because it is required every time this CA signs a certificate.
$ openssl genrsa -aes256 -out private/ca.key.pem 4096
Create the self-signed CA certificate:
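# Self-signed CA certificate, valid 7300 days (~20 years), signed with SHA-256,
# using the v3_ca extension profile defined in openssl.cnf.
# (The original listing had the prompt glued to the command: "$openssl".)
$ openssl req -config openssl.cnf -key private/ca.key.pem \
    -new -x509 -days 7300 -sha256 -extensions v3_ca \
    -out certs/ca.cert.pem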
1) Enter the CA key passphrase when prompted.
2) Fill in the certificate subject fields, for example:
Country Name (2 letter code): CN
State or Province Name: beijing
Locality Name: beijing
Organization Name: test
Organizational Unit Name: test
Common Name: a distinct, descriptive name for the CA (e.g. "Pulsar Test CA") — the original used the broker IP here; giving the CA and the broker certificate the same subject can confuse chain building in some TLS stacks, so keep them different
Email Address: (optional, may be left empty)
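# The CA certificate is public; world-readable is fine.
$ chmod 444 certs/ca.cert.pem
# Broker private key (2048-bit RSA).
$ openssl genrsa -out broker.key.pem 2048
# The broker is pointed at a PKCS#8 key (tlsKeyFilePath), converted here
# with -nocrypt, so the output is an unencrypted secret.
$ openssl pkcs8 -topk8 -inform PEM -outform PEM \
    -in broker.key.pem -out broker.key-pk8.pem -nocrypt
# Do not rely on umask: both key files must be readable only by the
# account the broker runs as.
$ chmod 600 broker.key.pem broker.key-pk8.pem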
Generate a certificate signing request for the broker and have the CA sign it.
When prompted, set Common Name to the address clients use to reach the broker (the broker IP in this setup). Note that most clients performing hostname verification check subjectAltName first and fall back to CN only when the certificate has no SAN; if the server_cert profile in the downloaded openssl.cnf does not add a subjectAltName (check it), add one before relying on hostname verification.
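# CSR for the broker, signed with its own key; the subject is prompted
# interactively (see the Common Name note above).
$ openssl req -config openssl.cnf \
    -key broker.key.pem -new -sha256 -out broker.csr.pem
# Issue the certificate with the server_cert extension profile from
# openssl.cnf, valid 1000 days; -notext keeps the human-readable dump out
# of the PEM file. You will be asked for the CA key passphrase.
$ openssl ca -config openssl.cnf -extensions server_cert \
    -days 1000 -notext -md sha256 \
    -in broker.csr.pem -out broker.cert.pem
# Confirm the issued certificate actually chains to the CA before deploying it.
$ openssl verify -CAfile certs/ca.cert.pem broker.cert.pem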
Broker configuration
Edit broker.conf. Setting brokerServicePortTls and webServicePortTls opens the TLS listeners; the plaintext ports brokerServicePort and webServicePort stay enabled alongside them in this example, so clients are not forced onto TLS. For a TLS-only broker, disable the plaintext ports (Pulsar allows leaving them unset — confirm the exact syntax for your version).
# Plaintext binary-protocol listener. Still open alongside the TLS port below,
# so clients can connect unencrypted on it.
brokerServicePort=6650
# TLS listener for the binary protocol.
brokerServicePortTls=6651
# Plaintext HTTP (admin/web) listener, also still open.
webServicePort=8080
# TLS listener for the HTTP (admin/web) service.
webServicePortTls=8443
# Broker certificate issued by the CA above (PEM).
tlsCertificateFilePath=/data/my-ca/broker.cert.pem
# Matching private key, unencrypted PKCS#8 PEM; keep this file owner-only.
tlsKeyFilePath=/data/my-ca/broker.key-pk8.pem
# CA certificate the broker uses as its trust store (PEM).
tlsTrustCertsFilePath=/data/my-ca/certs/ca.cert.pem
Note: tlsProtocols and tlsCiphers are left unset here, so the broker falls back to its defaults (which depend on the Pulsar version and JVM — confirm what they are). For production, pin them explicitly to TLSv1.2 or newer and a modern cipher-suite list.
After saving broker.conf, restart the broker; the log should show the TLS web listener starting:
Started PulsarServerConnector@6a2eea2a{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
Java client
1) Copy /data/my-ca/certs/ca.cert.pem to the client host.
2) Point the Java client at it as its trust store. Caution: the snippet below sets enableTlsHostnameVerification(false), which makes the client accept any certificate issued by this CA no matter which host presents it; re-enable hostname verification once the broker certificate carries the hostname or IP that clients connect to. allowTlsInsecureConnection(false) must stay false, otherwise the certificate is not validated at all.
PulsarClient client =PulsarClient.builder()
.serviceUrl(url)
.tlsTrustCertsFilePath("D:/jar/ca.cert.pem")//
.enableTlsHostnameVerification(false)
.allowTlsInsecureConnection(false)