| <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Using TLS with KeyStore configure · Apache Pulsar</title><meta name="viewport" content="width=device-width, initial-scale=1.0"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Overview"/><meta name="docsearch:version" content="2.6.1"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Using TLS with KeyStore configure · Apache Pulsar"/><meta property="og:type" content="website"/><meta property="og:url" content="https://pulsar.apache.org/"/><meta property="og:description" content="## Overview"/><meta name="twitter:card" content="summary"/><meta name="twitter:image" content="https://pulsar.apache.org/img/pulsar.svg"/><link rel="shortcut icon" href="/img/pulsar.ico"/><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/atom-one-dark.min.css"/><link rel="alternate" type="application/atom+xml" href="https://pulsar.apache.org/blog/atom.xml" title="Apache Pulsar Blog ATOM Feed"/><link rel="alternate" type="application/rss+xml" href="https://pulsar.apache.org/blog/feed.xml" title="Apache Pulsar Blog RSS Feed"/><link rel="stylesheet" href="/css/code-blocks-buttons.css"/><script type="text/javascript" src="https://buttons.github.io/buttons.js"></script><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js"></script><script type="text/javascript" src="/js/custom.js"></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/en"><img class="logo" src="/img/pulsar.svg" alt="Apache Pulsar"/></a><a href="/en/versions"><h3>2.6.1</h3></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class="siteNavGroupActive"><a href="/docs/en/2.6.1/getting-started-standalone" target="_self">Docs</a></li><li class=""><a href="/en/download" target="_self">Download</a></li><li class="siteNavGroupActive"><a href="/docs/en/2.6.1/client-libraries" target="_self">Clients</a></li><li class=""><a href="#restapis" target="_self">REST APIs</a></li><li class=""><a href="#cli" target="_self">Cli</a></li><li class=""><a href="/blog/" target="_self">Blog</a></li><li class=""><a href="#community" target="_self">Community</a></li><li class=""><a href="#apache" target="_self">Apache</a></li><li class=""><a href="https://pulsar-next.staged.apache.org/" target="_self">New Website (Beta)</a></li><span><li><a id="languages-menu" href="#"><img class="languages-icon" src="/img/language.svg" alt="Languages icon"/>English</a><div id="languages-dropdown" class="hide"><ul id="languages-dropdown-items"><li><a href="/docs/ja/2.6.1/security-tls-keystore">日本語</a></li><li><a href="/docs/fr/2.6.1/security-tls-keystore">Français</a></li><li><a href="/docs/ko/2.6.1/security-tls-keystore">한국어</a></li><li><a href="/docs/zh-CN/2.6.1/security-tls-keystore">中文</a></li><li><a href="/docs/zh-TW/2.6.1/security-tls-keystore">繁體中文</a></li><li><a href="https://crowdin.com/project/apache-pulsar" target="_blank" rel="noreferrer noopener">Help Translate</a></li></ul></div></li><script> |
| const languagesMenuItem = document.getElementById("languages-menu"); |
| const languagesDropDown = document.getElementById("languages-dropdown"); |
| languagesMenuItem.addEventListener("click", function(event) { |
| event.preventDefault(); |
| |
| if (languagesDropDown.className == "hide") { |
| languagesDropDown.className = "visible"; |
| } else { |
| languagesDropDown.className = "hide"; |
| } |
| }); |
| </script></span></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i>›</i><span>Security</span></h2><div class="tocToggler" id="tocToggler"><i class="icon-toc"></i></div></div><div class="navGroups"><div class="navGroup"><h3 class="navGroupCategoryTitle">Get Started</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/pulsar-2.0">Pulsar 2.0</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/getting-started-standalone">Run Pulsar locally</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/getting-started-docker">Run Pulsar in Docker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/getting-started-helm">Run Pulsar in Kubernetes</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/client-libraries">Use Pulsar with client libraries</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Concepts and Architecture</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-messaging">Messaging</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-architecture-overview">Architecture</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-clients">Clients</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-replication">Geo Replication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-multi-tenancy">Multi Tenancy</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-authentication">Authentication and Authorization</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-topic-compaction">Topic Compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-tiered-storage">Tiered Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-proxy-sni-routing">Proxy support with SNI routing</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/concepts-multiple-advertised-listeners">Multiple advertised listeners</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar Schema</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/schema-get-started">Get started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/schema-understand">Understand schema</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/schema-evolution-compatibility">Schema evolution and compatibility</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/schema-manage">Manage schema</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar Functions</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/functions-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/functions-worker">Setup: Pulsar Functions Worker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/functions-runtime">Setup: Configure Functions runtime</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/functions-develop">How-to: Develop</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/functions-debug">How-to: Debug</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/functions-deploy">How-to: Deploy</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/functions-cli">Reference: CLI</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/window-functions-context">Window Functions: Context</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar IO</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/io-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/io-quickstart">Get started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/io-use">Use</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/io-debug">Debug</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/io-connectors">Built-in connector</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/io-cdc">CDC connector</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/io-develop">Develop</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/io-cli">CLI</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar SQL</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/sql-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/sql-getting-started">Query data</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/sql-deployment-configurations">Configuration and deployment</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/sql-rest-api">REST APIs</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Kubernetes (Helm)</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/helm-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/helm-prepare">Prepare</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/helm-install">Install</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/helm-deploy">Deployment</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/helm-upgrade">Upgrade</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/helm-tools">Required Tools</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Deployment</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/deploy-aws">Amazon Web Services</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/deploy-kubernetes">Kubernetes</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/deploy-bare-metal">Bare metal</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/deploy-bare-metal-multi-cluster">Bare metal multi-cluster</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/deploy-monitoring">Monitoring</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Administration</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/administration-zk-bk">ZooKeeper and BookKeeper</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/administration-geo">Geo-replication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/administration-pulsar-manager">Pulsar Manager</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/administration-stats">Pulsar statistics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/administration-load-balance">Load balance</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/administration-proxy">Pulsar proxy</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/administration-upgrade">Upgrade</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Security</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-tls-transport">Transport Encryption using TLS</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-tls-authentication">Authentication using TLS</a></li><li class="navListItem navListItemActive"><a class="navItem" href="/docs/en/2.6.1/security-tls-keystore">Using TLS with KeyStore configure</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-jwt">Authentication using JWT</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-athenz">Authentication using Athenz</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-kerberos">Authentication using Kerberos</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-oauth2">Authentication using OAuth 2.0 access tokens</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-authorization">Authorization and ACLs</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-encryption">End-to-End Encryption</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-extending">Extending</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/security-bouncy-castle">Bouncy Castle Providers</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Performance</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/performance-pulsar-perf">Pulsar Perf</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Client Libraries</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/client-libraries-java">Java</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/client-libraries-go">Go</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/client-libraries-python">Python</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/client-libraries-cpp">C++</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/client-libraries-node">Node.js</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/client-libraries-websocket">WebSocket</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/client-libraries-dotnet">C#</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Admin API</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-clusters">Clusters</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-tenants">Tenants</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-brokers">Brokers</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-namespaces">Namespaces</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-permissions">Permissions</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-persistent-topics">Persistent topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-non-persistent-topics">Non-Persistent topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-partitioned-topics">Partitioned topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-non-partitioned-topics">Non-Partitioned topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/admin-api-functions">Functions</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Adaptors</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/adaptors-kafka">Kafka client wrapper</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/adaptors-spark">Apache Spark</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/adaptors-storm">Apache Storm</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Cookbooks</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-tiered-storage">Tiered Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-compaction">Topic compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-deduplication">Message deduplication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-non-persistent">Non-persistent messaging</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-partitioned">Partitioned Topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-retention-expiry">Message retention and expiry</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-encryption">Encryption</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-message-queue">Message queue</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/cookbooks-bookkeepermetadata">BookKeeper Ledger Metadata</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Development</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/develop-tools">Simulation tools</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/developing-binary-protocol">Binary protocol</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/develop-schema">Custom schema storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/develop-load-manager">Modular load manager</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/develop-cpp">Building Pulsar C++ client</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Reference</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/reference-terminology">Terminology</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/reference-cli-tools">Pulsar CLI tools</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/reference-configuration">Pulsar configuration</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.6.1/reference-metrics">Pulsar Metrics</a></li></ul></div></div></section></div><script> |
| var coll = document.getElementsByClassName('collapsible'); |
| var checkActiveCategory = true; |
| for (var i = 0; i < coll.length; i++) { |
| var links = coll[i].nextElementSibling.getElementsByTagName('*'); |
| if (checkActiveCategory){ |
| for (var j = 0; j < links.length; j++) { |
| if (links[j].classList.contains('navListItemActive')){ |
| coll[i].nextElementSibling.classList.toggle('hide'); |
| coll[i].childNodes[1].classList.toggle('rotate'); |
| checkActiveCategory = false; |
| break; |
| } |
| } |
| } |
| |
| coll[i].addEventListener('click', function() { |
| var arrow = this.childNodes[1]; |
| arrow.classList.toggle('rotate'); |
| var content = this.nextElementSibling; |
| content.classList.toggle('hide'); |
| }); |
| } |
| |
| document.addEventListener('DOMContentLoaded', function() { |
| createToggler('#navToggler', '#docsNav', 'docsSliderActive'); |
| createToggler('#tocToggler', 'body', 'tocActive'); |
| |
| var headings = document.querySelector('.toc-headings'); |
| headings && headings.addEventListener('click', function(event) { |
| var el = event.target; |
| while(el !== headings){ |
| if (el.tagName === 'A') { |
| document.body.classList.remove('tocActive'); |
| break; |
| } else{ |
| el = el.parentNode; |
| } |
| } |
| }, false); |
| |
| function createToggler(togglerSelector, targetSelector, className) { |
| var toggler = document.querySelector(togglerSelector); |
| var target = document.querySelector(targetSelector); |
| |
| if (!toggler) { |
| return; |
| } |
| |
| toggler.onclick = function(event) { |
| event.preventDefault(); |
| |
| target.classList.toggle(className); |
| }; |
| } |
| }); |
| </script></nav></div><div class="container mainContainer docsContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/pulsar/edit/master/site2/docs/security-tls-keystore.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 id="__docusaurus" class="postHeaderTitle">Using TLS with KeyStore configure</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="overview"></a><a href="#overview" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Overview</h2> |
| <p>Apache Pulsar supports <a href="/docs/en/2.6.1/security-tls-transport">TLS encryption</a> and <a href="/docs/en/2.6.1/security-tls-authentication">TLS authentication</a> between clients and Apache Pulsar service. |
| By default it uses PEM format file configuration. This page tries to describe use <a href="https://en.wikipedia.org/wiki/Java_KeyStore">KeyStore</a> type configure for TLS.</p> |
| <h2><a class="anchor" aria-hidden="true" id="tls-encryption-with-keystore-configure"></a><a href="#tls-encryption-with-keystore-configure" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>TLS encryption with KeyStore configure</h2> |
| <h3><a class="anchor" aria-hidden="true" id="generate-tls-key-and-certificate"></a><a href="#generate-tls-key-and-certificate" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Generate TLS key and certificate</h3> |
| <p>The first step of deploying TLS is to generate the key and the certificate for each machine in the cluster. |
| You can use Java’s <code>keytool</code> utility to accomplish this task. We will generate the key into a temporary keystore |
| initially for broker, so that we can export and sign it later with CA.</p> |
| <pre><code class="hljs css language-shell">keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA |
| </code></pre> |
| <p>You need to specify two parameters in the above command:</p> |
| <ol> |
| <li><code>keystore</code>: the keystore file that stores the certificate. The <em>keystore</em> file contains the private key of |
| the certificate; hence, it needs to be kept safely.</li> |
| <li><code>validity</code>: the valid time of the certificate in days.</li> |
| </ol> |
| <blockquote> |
| <p>Ensure that common name (CN) matches exactly with the fully qualified domain name (FQDN) of the server. |
| The client compares the CN with the DNS domain name to ensure that it is indeed connecting to the desired server, not a malicious one.</p> |
| </blockquote> |
| <h3><a class="anchor" aria-hidden="true" id="creating-your-own-ca"></a><a href="#creating-your-own-ca" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Creating your own CA</h3> |
| <p>After the first step, each broker in the cluster has a public-private key pair, and a certificate to identify the machine. |
| The certificate, however, is unsigned, which means that an attacker can create such a certificate to pretend to be any machine.</p> |
| <p>Therefore, it is important to prevent forged certificates by signing them for each machine in the cluster. |
| A <code>certificate authority (CA)</code> is responsible for signing certificates. CA works likes a government that issues passports — |
| the government stamps (signs) each passport so that the passport becomes difficult to forge. Other governments verify the stamps |
| to ensure the passport is authentic. Similarly, the CA signs the certificates, and the cryptography guarantees that a signed |
| certificate is computationally difficult to forge. Thus, as long as the CA is a genuine and trusted authority, the clients have |
| high assurance that they are connecting to the authentic machines.</p> |
| <pre><code class="hljs css language-shell">openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 |
| </code></pre> |
| <p>The generated CA is simply a <em>public-private</em> key pair and certificate, and it is intended to sign other certificates.</p> |
| <p>The next step is to add the generated CA to the clients' truststore so that the clients can trust this CA:</p> |
| <pre><code class="hljs css language-shell">keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert |
| </code></pre> |
| <p>NOTE: If you configure the brokers to require client authentication by setting <code>tlsRequireTrustedClientCertOnConnect</code> to <code>true</code> on the |
| broker configuration, then you must also provide a truststore for the brokers and it should have all the CA certificates that clients keys were signed by.</p> |
| <pre><code class="hljs css language-shell">keytool -keystore broker.truststore.jks -alias CARoot -import -file ca-cert |
| </code></pre> |
| <p>In contrast to the keystore, which stores each machine’s own identity, the truststore of a client stores all the certificates |
| that the client should trust. Importing a certificate into one’s truststore also means trusting all certificates that are signed |
| by that certificate. As the analogy above, trusting the government (CA) also means trusting all passports (certificates) that |
| it has issued. This attribute is called the chain of trust, and it is particularly useful when deploying TLS on a large BookKeeper cluster. |
| You can sign all certificates in the cluster with a single CA, and have all machines share the same truststore that trusts the CA. |
| That way all machines can authenticate all other machines.</p> |
| <h3><a class="anchor" aria-hidden="true" id="signing-the-certificate"></a><a href="#signing-the-certificate" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Signing the certificate</h3> |
| <p>The next step is to sign all certificates in the keystore with the CA we generated. First, you need to export the certificate from the keystore:</p> |
| <pre><code class="hljs css language-shell">keytool -keystore broker.keystore.jks -alias localhost -certreq -file cert-file |
| </code></pre> |
| <p>Then sign it with the CA:</p> |
| <pre><code class="hljs css language-shell">openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days {validity} -CAcreateserial -passin pass:{ca-password} |
| </code></pre> |
| <p>Finally, you need to import both the certificate of the CA and the signed certificate into the keystore:</p> |
| <pre><code class="hljs css language-shell">keytool -keystore broker.keystore.jks -alias CARoot -import -file ca-cert |
| keytool -keystore broker.keystore.jks -alias localhost -import -file cert-signed |
| </code></pre> |
| <p>The definitions of the parameters are the following:</p> |
| <ol> |
| <li><code>keystore</code>: the location of the keystore</li> |
| <li><code>ca-cert</code>: the certificate of the CA</li> |
| <li><code>ca-key</code>: the private key of the CA</li> |
| <li><code>ca-password</code>: the passphrase of the CA</li> |
| <li><code>cert-file</code>: the exported, unsigned certificate of the broker</li> |
| <li><code>cert-signed</code>: the signed certificate of the broker</li> |
| </ol> |
| <h3><a class="anchor" aria-hidden="true" id="configuring-brokers"></a><a href="#configuring-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configuring brokers</h3> |
| <p>Brokers enable TLS by provide valid <code>brokerServicePortTls</code> and <code>webServicePortTls</code>, and also need set <code>tlsEnabledWithKeyStore</code> to <code>true</code> for using KeyStore type configuration. |
| Besides this, KeyStore path, KeyStore password, TrustStore path, and TrustStore password need to provided. |
| And since broker will create internal client/admin client to communicate with other brokers, user also need to provide config for them, this is similar to how user config the outside client/admin-client. |
| If <code>tlsRequireTrustedClientCertOnConnect</code> is <code>true</code>, broker will reject the Connection if the Client Certificate is not trusted.</p> |
| <p>The following TLS configs are needed on the broker side:</p> |
| <pre><code class="hljs css language-properties"><span class="hljs-attr">tlsEnabledWithKeyStore</span>=<span class="hljs-string">true</span> |
| <span class="hljs-comment"># key store</span> |
| <span class="hljs-attr">tlsKeyStoreType</span>=<span class="hljs-string">JKS</span> |
| <span class="hljs-attr">tlsKeyStore</span>=<span class="hljs-string">/var/private/tls/broker.keystore.jks</span> |
| <span class="hljs-attr">tlsKeyStorePassword</span>=<span class="hljs-string">brokerpw</span> |
| <span class="hljs-comment"> |
| # trust store</span> |
| <span class="hljs-attr">tlsTrustStoreType</span>=<span class="hljs-string">JKS</span> |
| <span class="hljs-attr">tlsTrustStore</span>=<span class="hljs-string">/var/private/tls/broker.truststore.jks</span> |
| <span class="hljs-attr">tlsTrustStorePassword</span>=<span class="hljs-string">brokerpw</span> |
| <span class="hljs-comment"> |
| # internal client/admin-client config</span> |
| <span class="hljs-attr">brokerClientTlsEnabled</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">brokerClientTlsEnabledWithKeyStore</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">brokerClientTlsTrustStoreType</span>=<span class="hljs-string">JKS</span> |
| <span class="hljs-attr">brokerClientTlsTrustStore</span>=<span class="hljs-string">/var/private/tls/client.truststore.jks</span> |
| <span class="hljs-attr">brokerClientTlsTrustStorePassword</span>=<span class="hljs-string">clientpw</span> |
| </code></pre> |
| <p>NOTE: it is important to restrict access to the store files via filesystem permissions.</p> |
| <p>Optional settings that may worth consider:</p> |
| <ol> |
| <li>tlsClientAuthentication=false: Enable/Disable using TLS for authentication. This config when enabled will authenticate the other end |
| of the communication channel. It should be enabled on both brokers and clients for mutual TLS.</li> |
| <li>tlsCiphers=[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256], A cipher suite is a named combination of authentication, encryption, MAC and key exchange |
| algorithm used to negotiate the security settings for a network connection using TLS network protocol. By default, |
| it is null. <a href="https://www.openssl.org/docs/man1.0.2/apps/ciphers.html">OpenSSL Ciphers</a> |
| <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites">JDK Ciphers</a></li> |
| <li>tlsProtocols=[TLSv1.2,TLSv1.1,TLSv1] (list out the TLS protocols that you are going to accept from clients). |
| By default, it is not set.</li> |
| </ol> |
| <h3><a class="anchor" aria-hidden="true" id="configuring-clients"></a><a href="#configuring-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configuring Clients</h3> |
| <p>This is similar to [TLS encryption configuing for client with PEM type](/docs/en/2.6.1/security-tls-transport#Client configuration). |
| For a a minimal configuration, user need to provide the TrustStore information.</p> |
| <p>e.g.</p> |
| <ol> |
| <li><p>for <a href="/docs/en/2.6.1/reference-cli-tools">Command-line tools</a> like <a href="reference-cli-tools#pulsar-admin"><code>pulsar-admin</code></a>, <a href="reference-cli-tools#pulsar-perf"><code>pulsar-perf</code></a>, and <a href="reference-cli-tools#pulsar-client"><code>pulsar-client</code></a> use the <code>conf/client.conf</code> config file in a Pulsar installation.</p> |
| <pre><code class="hljs css language-properties"><span class="hljs-attr">webServiceUrl</span>=<span class="hljs-string">https://broker.example.com:8443/</span> |
| <span class="hljs-attr">brokerServiceUrl</span>=<span class="hljs-string">pulsar+ssl://broker.example.com:6651/</span> |
| <span class="hljs-attr">useKeyStoreTls</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">tlsTrustStoreType</span>=<span class="hljs-string">JKS</span> |
| <span class="hljs-attr">tlsTrustStorePath</span>=<span class="hljs-string">/var/private/tls/client.truststore.jks</span> |
| <span class="hljs-attr">tlsTrustStorePassword</span>=<span class="hljs-string">clientpw</span> |
| </code></pre></li> |
| <li><p>for java client</p> |
| <pre><code class="hljs css language-java"><span class="hljs-keyword">import</span> org.apache.pulsar.client.api.PulsarClient; |
| |
| PulsarClient client = PulsarClient.builder() |
| .serviceUrl(<span class="hljs-string">"pulsar+ssl://broker.example.com:6651/"</span>) |
| .enableTls(<span class="hljs-keyword">true</span>) |
| .useKeyStoreTls(<span class="hljs-keyword">true</span>) |
| .tlsTrustStorePath(<span class="hljs-string">"/var/private/tls/client.truststore.jks"</span>) |
| .tlsTrustStorePassword(<span class="hljs-string">"clientpw"</span>) |
| .allowTlsInsecureConnection(<span class="hljs-keyword">false</span>) |
| .build(); |
| </code></pre></li> |
| <li><p>for java admin client</p></li> |
| </ol> |
| <pre><code class="hljs css language-java"> PulsarAdmin amdin = PulsarAdmin.builder().serviceHttpUrl(<span class="hljs-string">"https://broker.example.com:8443"</span>) |
| .useKeyStoreTls(<span class="hljs-keyword">true</span>) |
| .tlsTrustStorePath(<span class="hljs-string">"/var/private/tls/client.truststore.jks"</span>) |
| .tlsTrustStorePassword(<span class="hljs-string">"clientpw"</span>) |
| .allowTlsInsecureConnection(<span class="hljs-keyword">false</span>) |
| .build(); |
| </code></pre> |
| <h2><a class="anchor" aria-hidden="true" id="tls-authentication-with-keystore-configure"></a><a href="#tls-authentication-with-keystore-configure" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>TLS authentication with KeyStore configure</h2> |
| <p>This similar to <a href="/docs/en/2.6.1/security-tls-authentication">TLS authentication with PEM type</a></p> |
| <h3><a class="anchor" aria-hidden="true" id="broker-authentication-config"></a><a href="#broker-authentication-config" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>broker authentication config</h3> |
| <p><code>broker.conf</code></p> |
| <pre><code class="hljs css language-properties"><span class="hljs-comment"># Configuration to enable authentication</span> |
| <span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">authenticationProviders</span>=<span class="hljs-string">org.apache.pulsar.broker.authentication.AuthenticationProviderTls</span> |
| <span class="hljs-comment"> |
| # this should be the CN for one of client keystore.</span> |
| <span class="hljs-attr">superUserRoles</span>=<span class="hljs-string">admin</span> |
| <span class="hljs-comment"> |
| # Enable KeyStore type</span> |
| <span class="hljs-attr">tlsEnabledWithKeyStore</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">requireTrustedClientCertOnConnect</span>=<span class="hljs-string">true</span> |
| <span class="hljs-comment"> |
| # key store</span> |
| <span class="hljs-attr">tlsKeyStoreType</span>=<span class="hljs-string">JKS</span> |
| <span class="hljs-attr">tlsKeyStore</span>=<span class="hljs-string">/var/private/tls/broker.keystore.jks</span> |
| <span class="hljs-attr">tlsKeyStorePassword</span>=<span class="hljs-string">brokerpw</span> |
| <span class="hljs-comment"> |
| # trust store</span> |
| <span class="hljs-attr">tlsTrustStoreType</span>=<span class="hljs-string">JKS</span> |
| <span class="hljs-attr">tlsTrustStore</span>=<span class="hljs-string">/var/private/tls/broker.truststore.jks</span> |
| <span class="hljs-attr">tlsTrustStorePassword</span>=<span class="hljs-string">brokerpw</span> |
| <span class="hljs-comment"> |
| # internal client/admin-client config</span> |
| <span class="hljs-attr">brokerClientTlsEnabled</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">brokerClientTlsEnabledWithKeyStore</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">brokerClientTlsTrustStoreType</span>=<span class="hljs-string">JKS</span> |
| <span class="hljs-attr">brokerClientTlsTrustStore</span>=<span class="hljs-string">/var/private/tls/client.truststore.jks</span> |
| <span class="hljs-attr">brokerClientTlsTrustStorePassword</span>=<span class="hljs-string">clientpw</span> |
| <span class="hljs-comment"># internal auth config</span> |
| <span class="hljs-attr">brokerClientAuthenticationPlugin</span>=<span class="hljs-string">org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls</span> |
| <span class="hljs-attr">brokerClientAuthenticationParameters</span>=<span class="hljs-string">keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw</span> |
| <span class="hljs-comment"># currently websocket not support keystore type</span> |
| <span class="hljs-attr">webSocketServiceEnabled</span>=<span class="hljs-string">false</span> |
| </code></pre> |
| <h3><a class="anchor" aria-hidden="true" id="client-authentication-configuring"></a><a href="#client-authentication-configuring" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>client authentication configuring</h3> |
| <p>Besides the TLS encryption configuring. The main work is configuring the KeyStore, which contains a valid CN as client role, for client.</p> |
| <p>e.g.</p> |
| <ol> |
| <li><p>for <a href="/docs/en/2.6.1/reference-cli-tools">Command-line tools</a> like <a href="reference-cli-tools#pulsar-admin"><code>pulsar-admin</code></a>, <a href="reference-cli-tools#pulsar-perf"><code>pulsar-perf</code></a>, and <a href="reference-cli-tools#pulsar-client"><code>pulsar-client</code></a> use the <code>conf/client.conf</code> config file in a Pulsar installation.</p> |
| <pre><code class="hljs css language-properties"><span class="hljs-attr">webServiceUrl</span>=<span class="hljs-string">https://broker.example.com:8443/</span> |
| <span class="hljs-attr">brokerServiceUrl</span>=<span class="hljs-string">pulsar+ssl://broker.example.com:6651/</span> |
| <span class="hljs-attr">useKeyStoreTls</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">tlsTrustStoreType</span>=<span class="hljs-string">JKS</span> |
| <span class="hljs-attr">tlsTrustStorePath</span>=<span class="hljs-string">/var/private/tls/client.truststore.jks</span> |
| <span class="hljs-attr">tlsTrustStorePassword</span>=<span class="hljs-string">clientpw</span> |
| <span class="hljs-attr">authPlugin</span>=<span class="hljs-string">org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls</span> |
| <span class="hljs-attr">authParams</span>=<span class="hljs-string">{"keyStoreType":"JKS","keyStorePath":"/path/to/keystorefile","keyStorePassword":"keystorepw"}</span> |
| </code></pre></li> |
| <li><p>for java client</p> |
| <pre><code class="hljs css language-java"><span class="hljs-keyword">import</span> org.apache.pulsar.client.api.PulsarClient; |
| |
| PulsarClient client = PulsarClient.builder() |
| .serviceUrl(<span class="hljs-string">"pulsar+ssl://broker.example.com:6651/"</span>) |
| .enableTls(<span class="hljs-keyword">true</span>) |
| .useKeyStoreTls(<span class="hljs-keyword">true</span>) |
| .tlsTrustStorePath(<span class="hljs-string">"/var/private/tls/client.truststore.jks"</span>) |
| .tlsTrustStorePassword(<span class="hljs-string">"clientpw"</span>) |
| .allowTlsInsecureConnection(<span class="hljs-keyword">false</span>) |
| .authentication( |
| <span class="hljs-string">"org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls"</span>, |
| <span class="hljs-string">"keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw"</span>) |
| .build(); |
| </code></pre></li> |
| <li><p>for java admin client</p> |
| <pre><code class="hljs css language-java"> PulsarAdmin amdin = PulsarAdmin.builder().serviceHttpUrl(<span class="hljs-string">"https://broker.example.com:8443"</span>) |
| .useKeyStoreTls(<span class="hljs-keyword">true</span>) |
| .tlsTrustStorePath(<span class="hljs-string">"/var/private/tls/client.truststore.jks"</span>) |
| .tlsTrustStorePassword(<span class="hljs-string">"clientpw"</span>) |
| .allowTlsInsecureConnection(<span class="hljs-keyword">false</span>) |
| .authentication( |
| <span class="hljs-string">"org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls"</span>, |
| <span class="hljs-string">"keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw"</span>) |
| .build(); |
| </code></pre></li> |
| </ol> |
| <h2><a class="anchor" aria-hidden="true" id="enabling-tls-logging"></a><a href="#enabling-tls-logging" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Enabling TLS Logging</h2> |
| <p>You can enable TLS debug logging at the JVM level by starting the brokers and/or clients with <code>javax.net.debug</code> system property. For example:</p> |
| <pre><code class="hljs css language-shell">-Djavax.net.debug=all |
| </code></pre> |
| <p>You can find more details on this in <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html">Oracle documentation</a> on |
| <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html">debugging SSL/TLS connections</a>.</p> |
| </span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/2.6.1/security-tls-authentication"><span class="arrow-prev">← </span><span>Authentication using TLS</span></a><a class="docs-next button" href="/docs/en/2.6.1/security-jwt"><span>Authentication using JWT</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#overview">Overview</a></li><li><a href="#tls-encryption-with-keystore-configure">TLS encryption with KeyStore configure</a><ul class="toc-headings"><li><a href="#generate-tls-key-and-certificate">Generate TLS key and certificate</a></li><li><a href="#creating-your-own-ca">Creating your own CA</a></li><li><a href="#signing-the-certificate">Signing the certificate</a></li><li><a href="#configuring-brokers">Configuring brokers</a></li><li><a href="#configuring-clients">Configuring Clients</a></li></ul></li><li><a href="#tls-authentication-with-keystore-configure">TLS authentication with KeyStore configure</a><ul class="toc-headings"><li><a href="#broker-authentication-config">broker authentication config</a></li><li><a href="#client-authentication-configuring">client authentication configuring</a></li></ul></li><li><a href="#enabling-tls-logging">Enabling TLS Logging</a></li></ul></nav></div><footer class="nav-footer" id="footer"><section class="copyright">Copyright © 2022 The Apache Software Foundation. All Rights Reserved. Apache, Apache Pulsar and the Apache feather logo are trademarks of The Apache Software Foundation.</section><span><script> |
| const community = document.querySelector("a[href='#community']").parentNode; |
| const communityMenu = |
| '<li>' + |
| '<a id="community-menu" href="#">Community <span style="font-size: 0.75em"> ▼</span></a>' + |
| '<div id="community-dropdown" class="hide">' + |
| '<ul id="community-dropdown-items">' + |
| '<li><a href="/en/contact">Contact</a></li>' + |
| '<li><a href="/en/contributing">Contributing</a></li>' + |
| '<li><a href="/en/coding-guide">Coding guide</a></li>' + |
| '<li><a href="/en/events">Events</a></li>' + |
| '<li><a href="https://twitter.com/Apache_Pulsar" target="_blank">Twitter ❐</a></li>' + |
| '<li><a href="https://github.com/apache/pulsar/wiki" target="_blank">Wiki ❐</a></li>' + |
| '<li><a href="https://github.com/apache/pulsar/issues" target="_blank">Issue tracking ❐</a></li>' + |
| '<li><a href="https://pulsar-summit.org/" target="_blank">Pulsar Summit ❐</a></li>' + |
| '<li> </li>' + |
| '<li><a href="/en/resources">Resources</a></li>' + |
| '<li><a href="/en/team">Team</a></li>' + |
| '<li><a href="/en/powered-by">Powered By</a></li>' + |
| '</ul>' + |
| '</div>' + |
| '</li>'; |
| |
| community.innerHTML = communityMenu; |
| |
| const communityMenuItem = document.getElementById("community-menu"); |
| const communityDropDown = document.getElementById("community-dropdown"); |
| communityMenuItem.addEventListener("click", function(event) { |
| event.preventDefault(); |
| |
| if (communityDropDown.className == 'hide') { |
| communityDropDown.className = 'visible'; |
| } else { |
| communityDropDown.className = 'hide'; |
| } |
| }); |
| </script></span></footer></div><script>window.twttr=(function(d,s, id){var js,fjs=d.getElementsByTagName(s)[0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src='https://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js, fjs);t._e = [];t.ready = function(f) {t._e.push(f);};return t;}(document, 'script', 'twitter-wjs'));</script></body></html> |
