Zookeeper TLS setup using PEM files

Problem description (votes: 0, answers: 1)

I see that zookeeper 3.5.5 has an option to pass in .PEM files to set up TLS encryption. I have a server certificate.pem and privatekey.pem generated with openssl, and I set up the zookeeper configuration as shown below

tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
initLimit=5
syncLimit=2
server.1=10.247.246.3:2888:3888
server.2=10.247.246.4:2888:3888
server.3=10.247.246.5:2888:3888

sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=/tmp/zoo/apache-zookeeper-3.5.7-bin/bin/certs/test/certWithPrivateKey.pem
ssl.quorum.keyStore.password=********
ssl.quorum.trustStore.location=/path/to/ca/ca-cert.pem
ssl.quorum.trustStore.password=******
ssl.hostnameVerification=false
ssl.quorum.hostnameVerification=false
ssl.keyStore.type=PEM
ssl.quorum.keyStore.type=PEM
ssl.trustStore.type=PEM
ssl.quorum.trustStore.type=PEM

But when starting Zookeeper I get this error.

org.apache.zookeeper.common.X509Exception$SSLContextException: Failed to create KeyManager
        at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:350)
        at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
        at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:282)
        at org.apache.zookeeper.common.X509Util.getDefaultSSLContextAndOptions(X509Util.java:262)
        at org.apache.zookeeper.common.X509Util.createSSLSocket(X509Util.java:517)
        at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:672)
        at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectOne(QuorumCnxManager.java:748)
        at org.apache.zookeeper.server.quorum.QuorumCnxManager.connectAll(QuorumCnxManager.java:776)
        at org.apache.zookeeper.server.quorum.FastLeaderElection.lookForLeader(FastLeaderElection.java:958)
        at org.apache.zookeeper.server.quorum.QuorumPeer.run(QuorumPeer.java:1425)
Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.io.IOException: overrun, bytes = 111
        at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:447)
        at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:348)
        ... 9 more
Caused by: java.io.IOException: overrun, bytes = 111
        at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
        at org.apache.zookeeper.util.PemReader.loadPrivateKey(PemReader.java:154)
        at org.apache.zookeeper.util.PemReader.loadPrivateKey(PemReader.java:142)
        at org.apache.zookeeper.util.PemReader.loadKeyStore(PemReader.java:103)
        at org.apache.zookeeper.common.PEMFileLoader.loadKeyStore(PEMFileLoader.java:50)
        at org.apache.zookeeper.common.X509Util.loadKeyStore(X509Util.java:400)
        at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:436)

Note: I checked the Zookeeper source code PEMReader.java, since that code expects the key and the certificate to be in the PEM file. I created certWithPrivate.pem by concatenating certificate.pem and privatekey.pem (cat certificate.pem privatekey.pem > certWithPrivate.pem).

Any ideas?


ssl openssl apache-zookeeper pem
1 answer
0 votes

The private key was not encrypted; removing the passwords (ssl.quorum.keyStore.password and ssl.quorum.trustStore.password) made it work.
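A preflight check for the situation described in the question and resolved in the answer above: the stack trace shows PemReader handing the key bytes to EncryptedPrivateKeyInfo, which is what it does whenever a keyStore.password is configured, so a password together with an unencrypted key fails with "overrun", while the opposite mismatch (encrypted key, no password) fails too. The script below is an added example in Python, not ZooKeeper project code; it parses a zoo.cfg and the concatenated PEM key store, confirms the file carries both a CERTIFICATE and a private key block (what PemReader expects), and reports whether the password setting agrees with the key's encryption state. The config lines and PEM bodies embedded in it are constructed placeholders, not real keys, and check_keystore is a hypothetical helper name.

```python
"""Preflight check: does ssl.quorum.keyStore.password agree with the PEM key?

Added example, not ZooKeeper's own code. All PEM material below is a
constructed placeholder (the base64 bodies are not real keys); only the
PEM labels and headers matter to this check.
"""
import re

# One PEM block: label in the BEGIN line, everything up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def parse_zoo_cfg(text):
    """Parse key=value lines of a zoo.cfg, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in the text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def private_key_encryption(pem_text):
    """'none' if no private key block, 'encrypted' or 'plain' otherwise.

    Two encrypted forms exist: PKCS#8 'ENCRYPTED PRIVATE KEY', and the legacy
    OpenSSL form, a 'RSA/EC PRIVATE KEY' block with a 'Proc-Type: 4,ENCRYPTED'
    header line inside it.
    """
    for label, body in pem_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return "encrypted"
        if label.endswith("PRIVATE KEY"):
            return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "plain"
    return "none"


def check_keystore(cfg, pem_text, prefix="ssl.quorum"):
    """Return a list of findings; an empty list means config and PEM agree."""
    findings = []
    labels = [label for label, _ in pem_blocks(pem_text)]
    if "CERTIFICATE" not in labels:
        findings.append("key store PEM has no CERTIFICATE block")
    state = private_key_encryption(pem_text)
    if state == "none":
        findings.append("key store PEM has no PRIVATE KEY block")
    password = cfg.get(f"{prefix}.keyStore.password", "")
    if state == "plain" and password:
        findings.append(f"{prefix}.keyStore.password is set but the private key "
                        "is not encrypted (remove the password or encrypt the key)")
    if state == "encrypted" and not password:
        findings.append(f"{prefix}.keyStore.password is empty but the private key is encrypted")
    if cfg.get(f"{prefix}.keyStore.type", "").upper() != "PEM":
        findings.append(f"{prefix}.keyStore.type is not PEM")
    return findings


# Constructed sample material (placeholders, not real certificates or keys).
CONSTRUCTED_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
CONSTRUCTED_PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
CONSTRUCTED_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-256-CBC,00placeholder\n\nMIIEplaceholder\n"
                             "-----END RSA PRIVATE KEY-----\n")
CFG_WITH_PASSWORD = """sslQuorum=true
ssl.quorum.keyStore.location=/path/to/certWithPrivateKey.pem
ssl.quorum.keyStore.password=********
ssl.quorum.keyStore.type=PEM
"""
CFG_FIXED = """sslQuorum=true
ssl.quorum.keyStore.location=/path/to/certWithPrivateKey.pem
ssl.quorum.keyStore.type=PEM
"""

if __name__ == "__main__":
    store = CONSTRUCTED_CERT + CONSTRUCTED_PLAIN_KEY   # cat certificate.pem privatekey.pem
    for name, cfg_text in (("with password", CFG_WITH_PASSWORD), ("fixed", CFG_FIXED)):
        findings = check_keystore(parse_zoo_cfg(cfg_text), store)
        print(f"{name}: {findings or 'OK'}")
```

Run it against the real zoo.cfg and key store before starting the ensemble; the same check applies to the client-side `ssl.keyStore.*` keys by passing `prefix="ssl"`.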
