...
ZooKeeper was initially designed and implemented on top of the Java NIO package. Later, Netty was added as an optional replacement for NIO, since Netty has better support for SSL. SSL is therefore only supported on top of Netty communication: if you want to use SSL you have to enable Netty on both the server and the client. The following section describes how.
SSL
SSL support was added in ZOOKEEPER-2125.
...
```
zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"
```
...
```
zookeeper.client.secure=true
```
...
```
zookeeper.ssl.keyStore.location="/path/to/your/keystore"
zookeeper.ssl.keyStore.password="keystore_password"
zookeeper.ssl.trustStore.location="/path/to/your/truststore"
zookeeper.ssl.trustStore.password="truststore_password"
```
...
```
zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
```
...
Then set the keystore and truststore properties on the server in the same way as for the client.
Example
An example setup for running bin/zkServer.sh:
```
export SERVER_JVMFLAGS="
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
-Dzookeeper.ssl.keyStore.password=testpass
-Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
-Dzookeeper.ssl.trustStore.password=testpass"
```
and additionally set in zoo.cfg:
```
…
secureClientPort=2281
```
For bin/zkCli.sh:
```
export CLIENT_JVMFLAGS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
-Dzookeeper.ssl.keyStore.password=testpass
-Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
-Dzookeeper.ssl.trustStore.password=testpass"
```
Start the ZK server; a client connecting to the server's port 2281 should then work as normal. Note that passwords passed as -D flags are visible to every local user in the process listing (ps), so a throwaway password such as testpass is only acceptable for a test setup, and the keystore files themselves contain the private key and should not be readable by other users.
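The procedure above leaves out the step it assumes, creating testKeyStore.jks and testTrustStore.jks. The following script is an added example, not code from the ZooKeeper project or the wiki page: it generates a self-signed keystore and a matching truststore with keytool, builds the exact SERVER_JVMFLAGS and CLIENT_JVMFLAGS strings from the Example section, and goes one step further than the page by verifying with openssl that the secure port really presents the generated certificate. The directory /tmp/zk-ssl, the ZK_HOME location, the hostname, the ZK_SSL_RUN guard and the reuse of one self-signed certificate for both sides are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the ZooKeeper page): create test stores and the JVM
# flags used by zkServer.sh / zkCli.sh. Paths, password, hostname and ZK_HOME
# below are assumptions; adjust them for your installation.
set -eu

SSL_DIR="${SSL_DIR:-/tmp/zk-ssl}"        # assumed output directory for the stores
STOREPASS="${STOREPASS:-testpass}"       # same throwaway password as the page's example
ZK_HOST="${ZK_HOST:-localhost}"          # certificate CN must match what the client dials
ZK_HOME="${ZK_HOME:-/opt/zookeeper}"     # assumed install location
SECURE_PORT=2281                         # matches secureClientPort in zoo.cfg

# Create testKeyStore.jks (server key + self-signed cert) and testTrustStore.jks
# (the same cert, trusted). Because one cert is used for both sides, the page's
# mutual-TLS flags (client keyStore + server trustStore) work without a CA.
make_stores() {
    mkdir -p "$SSL_DIR"
    keytool -genkeypair -alias zk -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$ZK_HOST" -storetype JKS -keystore "$SSL_DIR/testKeyStore.jks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -alias zk -keystore "$SSL_DIR/testKeyStore.jks" \
        -storepass "$STOREPASS" -rfc -file "$SSL_DIR/zk.pem"
    keytool -importcert -alias zk -file "$SSL_DIR/zk.pem" -storetype JKS \
        -keystore "$SSL_DIR/testTrustStore.jks" -storepass "$STOREPASS" -noprompt
    chmod 600 "$SSL_DIR"/*.jks   # the keystore holds a private key; keep it private
}

# The four store properties that server and client share.
store_flags() {
    printf '%s' "-Dzookeeper.ssl.keyStore.location=$SSL_DIR/testKeyStore.jks -Dzookeeper.ssl.keyStore.password=$STOREPASS -Dzookeeper.ssl.trustStore.location=$SSL_DIR/testTrustStore.jks -Dzookeeper.ssl.trustStore.password=$STOREPASS"
}

# Server side: Netty connection factory plus the stores.
server_flags() {
    printf '%s %s' "-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory" "$(store_flags)"
}

# Client side: Netty socket, secure mode, plus the stores.
client_flags() {
    printf '%s %s' "-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true" "$(store_flags)"
}

# Check that the secure port speaks TLS and presents our certificate (needs openssl).
check_tls() {
    echo | openssl s_client -connect "$ZK_HOST:$SECURE_PORT" -CAfile "$SSL_DIR/zk.pem" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Only touch the filesystem and start ZooKeeper when explicitly asked to.
if [ "${ZK_SSL_RUN:-0}" = 1 ]; then
    make_stores
    grep -q '^secureClientPort=' "$ZK_HOME/conf/zoo.cfg" \
        || echo "secureClientPort=$SECURE_PORT" >> "$ZK_HOME/conf/zoo.cfg"
    SERVER_JVMFLAGS="$(server_flags)" "$ZK_HOME/bin/zkServer.sh" start
    sleep 5
    check_tls && echo "TLS on $ZK_HOST:$SECURE_PORT verified"
    CLIENT_JVMFLAGS="$(client_flags)" "$ZK_HOME/bin/zkCli.sh" -server "$ZK_HOST:$SECURE_PORT" ls /
fi
```

Run it as ZK_SSL_RUN=1 sh zk-ssl-setup.sh; without the guard variable it only defines the functions, so the flag builders can be sourced into another script. Passing the flags inline as an environment assignment keeps the password out of your login shell's history, although it is still visible in ps while the JVM runs.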
Quorum
Not supported yet!
Authentication
...