Hello team,
Just wanted to reach out with a small issue observed using SslBundle (in favor of the "old" way)
BEFORE:
Before (the very cool, by the way) SslBundle, I would use this with my Kafka configuration:
final Map<String, Object> properties = new HashMap<>();
properties.put("security.protocol", "SSL");
properties.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, "/path/to/keystore.p12");
properties.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "abc");
properties.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "/path/to/truststore.p12");
properties.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "xyz");
And I would see a "correct" Kafka output:
sasl.oauthbearer.sub.claim.name = sub
sasl.oauthbearer.token.endpoint.url = null
security.protocol = SSL
security.providers = null
send.buffer.bytes = 131072
session.timeout.ms = 45000
socket.connection.setup.timeout.max.ms = 30000
socket.connection.setup.timeout.ms = 10000
ssl.cipher.suites = null
ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
ssl.endpoint.identification.algorithm = https
ssl.engine.factory.class = null
ssl.key.password = null
ssl.keymanager.algorithm = SunX509
ssl.keystore.certificate.chain = null
ssl.keystore.key = null
ssl.keystore.location = /path/to/keystore.p12
ssl.keystore.password = [hidden]
ssl.keystore.type = JKS
ssl.protocol = TLSv1.3
ssl.provider = null
ssl.secure.random.implementation = null
ssl.trustmanager.algorithm = PKIX
ssl.truststore.certificates = null
ssl.truststore.location = /path/to/truststore.p12
ssl.truststore.password = [hidden]
ssl.truststore.type = JKS
value.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
Note we can clearly see:
ssl.engine.factory.class = null
ssl.keystore.location = /path/to/keystore.p12
ssl.keystore.password = [hidden]
ssl.truststore.location = /path/to/truststore.p12
ssl.truststore.password = [hidden]
AFTER:
Now using the SslBundle:
final Map<String, Object> properties = new HashMap<>();
properties.put("security.protocol", "SSL");
properties.put(SslConfigs.SSL_ENGINE_FACTORY_CLASS_CONFIG, SslBundleSslEngineFactory.class.getName());
properties.put(SslBundle.class.getName(), sslBundles.getBundle("mycoolclient"));
I omit the application properties configuration for the keystore and truststore, because it is just the same.
However, the result is:
sasl.oauthbearer.sub.claim.name = sub
sasl.oauthbearer.token.endpoint.url = null
security.protocol = SSL
security.providers = null
send.buffer.bytes = 131072
session.timeout.ms = 45000
socket.connection.setup.timeout.max.ms = 30000
socket.connection.setup.timeout.ms = 10000
ssl.cipher.suites = null
ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
ssl.endpoint.identification.algorithm = https
ssl.engine.factory.class = class org.springframework.boot.autoconfigure.kafka.SslBundleSslEngineFactory
ssl.key.password = null
ssl.keymanager.algorithm = SunX509
ssl.keystore.certificate.chain = null
ssl.keystore.key = null
ssl.keystore.location = null
ssl.keystore.password = null
ssl.keystore.type = JKS
ssl.protocol = TLSv1.3
ssl.provider = null
ssl.secure.random.implementation = null
ssl.trustmanager.algorithm = PKIX
ssl.truststore.certificates = null
ssl.truststore.location = null
ssl.truststore.password = null
ssl.truststore.type = JKS
value.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
Please note:
ssl.engine.factory.class = class org.springframework.boot.autoconfigure.kafka.SslBundleSslEngineFactory
ssl.keystore.key = null
ssl.keystore.location = null
ssl.keystore.password = null
ssl.truststore.certificates = null
ssl.truststore.location = null
ssl.truststore.password = null
To avoid misunderstanding, both solutions are working. I tried adding a bad certificate, but I would get the SSL error. Both approaches are working; I am able to consume the messages.
Issue:
It seems with the new SslBundle construct, values are null, while they are not.
Thank you for your time reading this.
Wishing you a good day!
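As an added example (not code from the issue reporter or from Spring Boot), the following class wires Kafka the same way as the "AFTER" snippet and adds a startup check on the bundle itself. Since the Kafka config dump above shows ssl.keystore.location and ssl.truststore.location as null when an SslBundle is used, the dump cannot tell you whether the stores were loaded; inspecting the bundle's resolved stores can. The bundle name "mycoolclient" is taken from the issue; the class and method names here are assumptions.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.kafka.common.config.SslConfigs;
import org.springframework.boot.autoconfigure.kafka.SslBundleSslEngineFactory;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.boot.ssl.SslStoreBundle;

/**
 * Builds the Kafka client properties for the SslBundle approach and checks that
 * the stores the bundle resolved are actually populated.
 * Added example; class and method names are assumptions, not Spring Boot API.
 */
public final class KafkaSslBundleCheck {

    /** Same wiring as in the issue: the engine factory reads the bundle from the map. */
    static Map<String, Object> sslProperties(SslBundles sslBundles, String bundleName) {
        Map<String, Object> properties = new HashMap<>();
        properties.put("security.protocol", "SSL");
        properties.put(SslConfigs.SSL_ENGINE_FACTORY_CLASS_CONFIG,
                SslBundleSslEngineFactory.class.getName());
        properties.put(SslBundle.class.getName(), sslBundles.getBundle(bundleName));
        return properties;
    }

    /**
     * Returns the aliases in a store, or an empty list if the store is absent.
     * With a bundle, Kafka's logged ssl.keystore.location / ssl.truststore.location
     * stay null, so the bundle's own stores are what should be inspected.
     */
    static List<String> aliases(KeyStore store) throws KeyStoreException {
        if (store == null) {
            return List.of();
        }
        return Collections.list(store.aliases());
    }

    /** Fails fast at startup if the bundle Kafka will use carries no trust anchors. */
    static void assertTrustStoreLoaded(SslBundle bundle) throws KeyStoreException {
        SslStoreBundle stores = bundle.getStores();
        List<String> trustAliases = aliases(stores.getTrustStore());
        if (trustAliases.isEmpty()) {
            throw new IllegalStateException(
                    "SslBundle resolved no trust store entries; TLS handshakes to the broker would fail");
        }
        // An empty key store is legitimate for a client that does not present a certificate (no mTLS).
        List<String> keyAliases = aliases(stores.getKeyStore());
        System.out.printf("trust store aliases=%s, key store aliases=%s%n", trustAliases, keyAliases);
    }

    /** Example usage from a bean that has SslBundles injected. */
    static Map<String, Object> buildAndVerify(SslBundles sslBundles) throws KeyStoreException {
        assertTrustStoreLoaded(sslBundles.getBundle("mycoolclient"));
        return sslProperties(sslBundles, "mycoolclient");
    }
}
```

Run `buildAndVerify` from the bean that creates the consumer factory (or from an ApplicationRunner), so that a misconfigured bundle surfaces at startup rather than as a handshake failure on the first poll, and so the null location values in Kafka's config dump are not mistaken for missing stores.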