You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »


Introduction

 

This document describes how to use SSL feature of ZooKeeper.

By default network communication of ZooKeeper isn’t encrypted. However, each user and service can leverage the SSL feature and/or custom authentication implementation in order to use ZooKeeper in secure mode.

Netty communication

ZooKeeper was initially designed and implemented using Java NIO package. Later on, we add Netty feature to optionally take place of NIO since Netty has better support for SSL. Thus, SSL is only supported on top of Netty communication, which means if you want to use SSL you have to enable the Netty feature. We will discuss how to do it in the following section.

 

SSL

It's added in ZOOKEEPER-2125.

 

Client-Server Communication

The communication between ZooKeeper client and server has Netty and SSL support. Note that Netty needs to be enabled to use SSL.

Client

 

ZooKeeper client can use Netty by setting property: 

zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"


In order to do secure communication on client, set property: 

zookeeper.client.secure=true

Note that with this property set the client could and should only connect to server’s “secureClientPort” which will be described shortly.


Then set up keystore and truststore environment by setting the following properties:

zookeeper.ssl.keyStore.location
zookeeper.ssl.keyStore.password
zookeeper.ssl.trustStore.location
zookeeper.ssl.trustStore.password

Quorum

Not supported yet!

Authentication

It's added in ZOOKEEPER-2123.


  • No labels