
I want to run schema registry for my AWS MSK cluster on EC2 within the same VPC as my MSK cluster using confluentinc/cp-schema-registry.

But the container is exiting without any proper error message.

Here is my docker command:

```
docker run \
  --net=host \
  --name=schema-registry \
  -e SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL=<PLAINTEXT-ZOOKEEPER-CONNECTION-URL> \
  -e SCHEMA_REGISTRY_HOST_NAME=localhost \
  -e SCHEMA_REGISTRY_LISTENERS=http://localhost:8081 \
  -p 8081:8081 \
  confluentinc/cp-schema-registry
```

===== UPDATE ======

I have also tried running Confluent schema-registry as follows:

```
bin/schema-registry-start etc/schema-registry/schema-registry.properties
```

But I am getting the error:

```
java.lang.RuntimeException: Error initializing the ssl context for RestService
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
```

I have generated the signed certificate and added it to the keystore by following: https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html

This keystore is working fine with console-producer and consumers but not working with schema-registry.

Here is the content of my schema-registry.properties:

```
listeners=http://0.0.0.0:8081
kafkastore.bootstrap.servers=<MY-MSK-BOOTSTRAP-SERVER>
kafkastore.topic=_schemas
debug=true

security.protocol=SSL
ssl.truststore.location=/tmp/kafka/kafka.client.truststore.jks
ssl.keystore.location=/tmp/kafka/kafka.client.keystore.jks
ssl.keystore.password=xxxx
ssl.key.password=xxxx
```

Venkat Papana
  • What logs **do** you get? And why do you "need" Docker? Note: Neither the listeners nor the hostname setting should be localhost, but rather the external address of the EC2 instance – OneCricketeer Jul 26 '21 at 13:51
  • Hello @OneCricketeer, I have tried with Confluent's schema-registry command by providing the keystore, and it is giving an SSL error. I have updated my original question; can you please have a look? Thanks! – Venkat Papana Jul 27 '21 at 14:02
  • I don't have experience with SSL on the registry, but the docs on that are here: https://docs.confluent.io/platform/current/schema-registry/security/index.html Ultimately, I would not put your JKS files or any important data in `/tmp`, and make sure they have at least `640` permissions – OneCricketeer Jul 27 '21 at 14:23
  • Sure, this is for proof of concept only; I will take care of it on the real project. – Venkat Papana Jul 27 '21 at 14:43
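
The file-placement advice in the comments above, as an added example that is not part of the original thread: a Python check that reads the keystore and truststore paths from a properties file like the one in the question and reports any that sit under a temp directory or carry mode bits beyond 0640. Reading "at least `640`" as "no more permissive than 0640" is an assumption, as are the function names and the `TEMP_DIRS` list.

```python
import os
import stat

# Constructed sample mirroring the SSL lines of the question's properties file.
SAMPLE = """\
security.protocol=SSL
ssl.truststore.location=/tmp/kafka/kafka.client.truststore.jks
ssl.keystore.location=/tmp/kafka/kafka.client.keystore.jks
ssl.keystore.password=xxxx
"""
MAX_MODE = 0o640                  # owner rw, group r, nothing for others
TEMP_DIRS = ("/tmp", "/var/tmp")  # assumed list of world-writable scratch dirs


def store_paths(properties_text):
    """Return {key: path} for every keystore/truststore location key."""
    paths = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith(("keystore.location", "truststore.location")):
            paths[key] = value
    return paths


def audit_store(path, temp_dirs=TEMP_DIRS):
    """Return a list of findings for one store file; an empty list means it passed."""
    findings = []
    real = os.path.realpath(path)  # resolve symlinks before comparing locations
    for d in temp_dirs:
        base = os.path.realpath(d)
        if os.path.commonpath([real, base]) == base:
            findings.append(f"{path}: stored under temp directory {d}")
    try:
        mode = stat.S_IMODE(os.stat(real).st_mode)
    except FileNotFoundError:
        return findings + [f"{path}: file not found"]
    extra = mode & ~MAX_MODE       # permission bits beyond rw-r-----
    if extra:
        findings.append(f"{path}: mode {mode:04o} grants bits beyond 0640 ({extra:04o})")
    return findings


if __name__ == "__main__":
    for key, path in store_paths(SAMPLE).items():
        print(key, audit_store(path) or "ok")
```
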

0 Answers