...
ZooKeeper was initially designed and implemented using the Java NIO package. Later on, we add added Netty feature to optionally take place of replace NIO, since Netty has better support for supports SSL. Thus, SSL is only supported on top of Netty communication, which means if you want to use SSL you have to enable the Netty feature. We will discuss how to do it in the following section.
SSL
It's been added in ZOOKEEPER-2125.
Client-Server Communication
The communication between a ZooKeeper client and a server has Netty and SSL support. Note that Netty needs to be enabled to use SSL.
...
ZooKeeper client can use Netty by setting property:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty" |
In order to do secure communication on client, set this property:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
zookeeper.client.secure=true |
...
Then set up keystore and truststore environment by setting the following properties:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
zookeeper.ssl.keyStore.location="/path/to/your/keystore" zookeeper.ssl.keyStore.password="keystore_password" zookeeper.ssl.trustStore.location="/path/to/your/truststore" zookeeper.ssl.trustStore.password="truststore_password" |
...
ZooKeeper server can use Netty by setting this property:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory" |
ZooKeeper server also needs to provide a listening port to accept secure client connections. This port is different from and running in parallel with the known “clientPort”. It should be added in “zoo.cfg”:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
... secureClientPort=2281 |
...
An example setup for running bin/zkServer.sh:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
export SERVER_JVMFLAGS=" -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=testpass -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=testpass" |
and set additionally in “zoo.cfg”:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
… secureClientPort=2281 |
For bin/zkCli.sh:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
export CLIENT_JVMFLAGS=" -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=testpass -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=testpass" |
Start the ZK server, and then connect client to server’s port 2281 should work like normal.
Quorum
Not supported yet!There is currently no support for SSL for the communication between ZooKeeper servers.
Authentication
It's been added in ZOOKEEPER-2123.
When connecting to ZooKeeper via the secure port, the client is automatically authenticated with credentials associated with the client certificate. Specifically, the connection adds auth info with the scheme “x509” and the ACL ID set to the client certificate principal name.
...
By default, authentication is performed by the X509AuthenticationProvider, corresponding to the auth scheme “x509.” This is initialized with server certificates and trusted client certificates specified according to the following properties:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
zookeeper.ssl.keyStore.location zookeeper.ssl.keyStore.password zookeeper.ssl.trustStore.location zookeeper.ssl.trustStore.password |
...