
I use SSL keystores for Jetty 9 and Kafka. I need to provide keystore and key passwords to access the keystore and private key. However, I don't want to provide these passwords in clear text in the configuration files. What other options are there to securely provide/encrypt the passwords? What are the pros and cons of each approach?

Joakim Erdfelt

2 Answers


Since Kafka 2.0.0, all password configs can be preloaded in ZooKeeper before you start the brokers. The kafka-configs.sh tool can be used to store passwords in an encrypted format in ZooKeeper, avoiding the need to specify them in plaintext in the properties file.

See the Updating Broker Configs section in the Kafka docs, especially the "Updating Password Configs in ZooKeeper Before Starting Brokers" paragraph.

Mickael Maison
  • Thanks Michael. Could you maybe direct me to an example of how to do this? Thanks – Mulugeta Ayalew Tamiru Aug 09 '18 at 12:27
  • Have you read the documentation I linked in my answer? If so what is not clear? – Mickael Maison Aug 11 '18 at 15:54
  • How do I know the `listener.name.{listenerName}` or how do I set it? – Mulugeta Ayalew Tamiru Aug 13 '18 at 10:02
  • It's the name of the listeners you have set in `listeners`. For example, if you have `listeners=PLAINTEXT://:9092` then `PLAINTEXT` is a listener name – Mickael Maison Aug 13 '18 at 10:32
  • Thanks. I ran the config command, however I am getting an error `ERROR Dynamic password config listener.name.SSL.ssl.truststore.password could not be decoded, ignoring. (kafka.server.DynamicBrokerConfig) Aug 13 11:31:50 available-kafka-03 kafka[31050]: org.apache.kafka.common.config.ConfigException: Password encoder secret not configured` even though I have specified `password.encoder.secret` in the command. Any thoughts on this? – Mulugeta Ayalew Tamiru Aug 13 '18 at 11:38
  • This is the command `bin/kafka-configs.sh --zookeeper zk1:2181,zk2:2181,zk3:2181 --entity-type brokers --entity-name 1 --alter --add-config 'listener.name.ssl.ssl.key.password=123456,listener.name.ssl.ssl.truststore.location=/home/deploy/keystore/server.truststore.jks,listener.name.ssl.ssl.truststore.password=123456,listener.name.ssl.ssl.keystore.location=/home/deploy/keystore/kafka1.server.keystore.jks,listener.name.ssl.ssl.keystore.password=123456,password.encoder.secret=NeBL4Gs8B3ex5K7p'`. Is it mandatory to specify `password.encoder.secret` in `server.properties`? – Mulugeta Ayalew Tamiru Aug 13 '18 at 12:34
  • @MickaelMaison Can you please help me with - https://stackoverflow.com/questions/54900529/kafka-update-jaas-config-dynamically – Tushar H Feb 27 '19 at 10:12
  • Although this question is a bit old, I found out that putting the `password.encoder.secret` at the beginning of all props works. – Bitswazsky Oct 16 '20 at 05:15

Yes. It is mandatory to add the password encoder secret to server.properties; otherwise the server cannot decode the password.

It works for me when I add password.encoder.secret to server.properties.

Ivan Aracki
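Putting Mickael Maison's answer and Ivan Aracki's answer together, here is an added example (not code from either answer, nor from the Kafka project) of the split they describe: kafka-configs.sh stores the per-listener SSL passwords in ZooKeeper in encrypted form, and server.properties carries only `password.encoder.secret` plus the non-secret keystore locations. The install path, ZooKeeper hosts, broker id, listener name, keystore paths and the placeholder passwords are assumptions for illustration; the audit function at the end is a check written for this example, not a Kafka tool.

```shell
#!/bin/sh
# Added example, not code from the Stack Overflow answers or from Kafka.
# KAFKA_HOME, ZK_CONNECT, BROKER_ID, the listener name and the keystore
# paths below are assumptions for illustration.
set -eu

KAFKA_HOME="${KAFKA_HOME:-/opt/kafka}"                 # assumed install path
ZK_CONNECT="${ZK_CONNECT:-zk1:2181,zk2:2181,zk3:2181}" # assumed ensemble
BROKER_ID="${BROKER_ID:-1}"
LISTENER="ssl"   # listener.name.<x>. prefix uses the lower-case listener name

# Write server.properties without any ssl.*.password entries. The one secret
# left in the file is password.encoder.secret, which the broker needs to decrypt
# the password configs it reads from ZooKeeper; its absence is what the
# "Password encoder secret not configured" error in the comments points at.
# $1 = output path, $2 = encoder secret
write_server_properties() {
  cat > "$1" <<EOF
broker.id=${BROKER_ID}
listeners=SSL://:9093
zookeeper.connect=${ZK_CONNECT}
# Same value that was passed to kafka-configs.sh; keep this file mode 0600.
password.encoder.secret=$2
# Non-password SSL settings may stay here in clear; the passwords are in ZooKeeper.
listener.name.${LISTENER}.ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
listener.name.${LISTENER}.ssl.truststore.location=/etc/kafka/ssl/broker.truststore.jks
EOF
  chmod 0600 "$1"
}

# Build the kafka-configs.sh command that stores the three passwords encrypted
# in ZooKeeper for this broker. password.encoder.secret is passed because the
# tool encrypts with it (the Kafka docs say it is not persisted in ZooKeeper),
# and it must equal the value written to server.properties.
# $1 = encoder secret, $2 = key password, $3 = keystore password,
# $4 = truststore password
preload_command() {
  printf '%s' "${KAFKA_HOME}/bin/kafka-configs.sh --zookeeper ${ZK_CONNECT}" \
    " --entity-type brokers --entity-name ${BROKER_ID} --alter --add-config" \
    " 'listener.name.${LISTENER}.ssl.key.password=$2" \
    ",listener.name.${LISTENER}.ssl.keystore.password=$3" \
    ",listener.name.${LISTENER}.ssl.truststore.password=$4" \
    ",password.encoder.secret=$1'"
}

# Check that no password-typed SSL/SASL config is left in a properties file
# (the thing the question wants to avoid). Returns 1 and lists the offending
# keys on stderr if any are found. $1 = properties file
audit_no_plaintext_passwords() {
  pattern='^[[:space:]]*(listener\.name\.[^.]+\.)?(ssl\.(key|keystore|truststore)\.password|sasl\.jaas\.config)[[:space:]]*='
  if grep -Eq "$pattern" "$1"; then
    echo "plaintext secret(s) in $1:" >&2
    grep -E "$pattern" "$1" | cut -d= -f1 >&2
    return 1
  fi
  return 0
}

main() {
  workdir="$(mktemp -d)"
  # Generated locally for the demo; in practice feed it in from a secret store.
  secret="$(head -c 24 /dev/urandom | base64 | tr -d '\n')"
  write_server_properties "${workdir}/server.properties" "$secret"
  audit_no_plaintext_passwords "${workdir}/server.properties"
  # Placeholder passwords for the demo (assumptions, not real values).
  cmd="$(preload_command "$secret" "${KEY_PASSWORD:-key-pw}" \
        "${KEYSTORE_PASSWORD:-keystore-pw}" "${TRUSTSTORE_PASSWORD:-truststore-pw}")"
  if [ -x "${KAFKA_HOME}/bin/kafka-configs.sh" ]; then
    eval "$cmd"   # preload into ZooKeeper before the broker is started
  else
    echo "kafka-configs.sh not found under ${KAFKA_HOME}; dry run, would execute:" >&2
    echo "$cmd" >&2   # contains the placeholder passwords; dry run only
  fi
  echo "${workdir}/server.properties"
}

main
```

Two caveats follow from this. First, the file still holds one secret, `password.encoder.secret`, so this moves the keystore and key passwords out of the properties file rather than making the file secret-free; restrict its permissions and, when rotating, use `password.encoder.old.secret` alongside the new value so already stored passwords can still be decoded. Second, the `--zookeeper` path is the bootstrap mechanism the answer refers to (Kafka 2.0 and later); once brokers are up, the same password configs can be altered through a broker instead.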