Schema Registry security configuration


I tried to configure Schema Registry with SSL. When I attempted to use the HTTPS Schema Registry with the Avro producer, it failed with the error

No SAN Name found

I had configured it to ignore host name checking, but it still didn't work. A similar configuration had worked on Kafka REST, Connect and KSQL.

I also tried to run a query from KSQL which uses Schema Registry. It failed with the same error, No SAN Name found.

Below is the configuration on Schema Registry for HTTPS:

listeners=https://0.0.0.0:8081
ssl.keystore.location=/confluent-5.5.0/cert/kafka.server.keystore.jks
ssl.keystore.password=password
ssl.key.password=password

On the Avro producer and KSQL I had configured the truststore and specified

ssl.endpoint.identification.algorithm=

Can you please help me configure Schema Registry with HTTPS and have it work with the Avro producer and KSQL?

Answer:

It seems that Subject Alternative Name (SAN) is missing from your certificates.

To add one, append the argument -ext SAN=DNS:{FQDN} to the keytool command:

keytool \
    -keystore kafka.server.keystore.jks \
    -alias localhost \
    -validity {validity} \
    -genkey \
    -keyalg RSA \
    -ext SAN=DNS:{FQDN}

Make sure to include the SAN when creating the servers' keystores. This is also mentioned in Confluent's Security Tutorial:

If host name verification is enabled, clients will verify the server’s fully qualified domain name (FQDN) against one of the following two fields:

  1. Common Name (CN)
  2. Subject Alternative Name (SAN)

Both fields are valid; however, RFC 2818 recommends the use of SAN. SAN is also more flexible, allowing for multiple DNS entries to be declared. Another advantage is that the CN can be set to a more meaningful value for authorization purposes.

Alternatively, you can choose to disable server host verification:

Disable server host name verification by setting ssl.endpoint.identification.algorithm to an empty string.

Therefore, you just need to set the following configuration in server.properties and then restart your Kafka cluster:

ssl.endpoint.identification.algorithm=
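A small hostname matcher, added here as an illustration and not code from the question, the answer or Confluent: it applies the rule quoted above (SAN DNS names first, CN only when the certificate has no SAN at all) to certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, using constructed sample certificates. It is a simplified stand-in for the Java hostname verifier that Kafka clients actually run, and shows why a CN-only "localhost" certificate fails against a real FQDN while a SAN-bearing one passes.

```python
"""Hostname verification in the style Kafka/Schema Registry clients apply
to a server certificate: SAN DNS entries first, Common Name only when the
certificate carries no SAN extension. Certificate inputs use the dict
layout returned by ssl.SSLSocket.getpeercert(); samples are constructed."""


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; '*' may stand in for the left-most label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.kafka.example' matches 'sr1.kafka.example' but not 'a.b.kafka.example'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> tuple:
    """Return (ok, reason) for hostname against cert.

    SAN is preferred; CN is consulted only when no SAN extension exists.
    A SAN extension that has no DNS entry at all is rejected outright.
    """
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if "subjectAltName" in cert:
        if not san_dns:
            return False, "SAN present but contains no DNS entries"
        if any(_dns_match(name, hostname) for name in san_dns):
            return True, "matched SAN DNS entry"
        return False, "no SAN DNS entry matches %r" % hostname
    # No SAN at all: fall back to the CN, which RFC 2818 discourages
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    cn_text = cn[0] if cn else None
    if cn_text is not None and _dns_match(cn_text, hostname):
        return True, "matched CN (no SAN present)"
    return False, "no SAN and CN %r does not match %r" % (cn_text, hostname)


# Constructed sample certificates (not real ones): the first resembles a
# keystore entry created with '-alias localhost' and no -ext SAN argument.
CERT_NO_SAN = {"subject": ((("commonName", "localhost"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "schema-registry"),),),
    "subjectAltName": (("DNS", "sr.example.internal"),
                       ("DNS", "*.kafka.example.internal")),
}

if __name__ == "__main__":
    for cert, host in [(CERT_NO_SAN, "sr.example.internal"),
                       (CERT_WITH_SAN, "sr.example.internal"),
                       (CERT_WITH_SAN, "sr1.kafka.example.internal")]:
        print(host, verify_hostname(cert, host))
```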