edenhill / kcat

Generic command line non-JVM Apache Kafka producer and consumer

I have a keystore.jks and truststore.jks - how do I connect using kafkacat, which doesn't support .jks certificates #309

Open psanapal opened 3 years ago

psanapal commented 3 years ago

I have converted each of these certs to .pem certificates. Can you provide the variables to be used for assigning these certificates and passwords in the configuration properties file? Basically, how should my configuration properties look?

edenhill commented 3 years ago

First convert your keystores to PEM format: https://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format

Then pass them (as needed) to kafkacat: -X ssl.key.location=private_key.pem -X ssl.certificate.location=public_key.pem -X ssl.ca.location=ca.pem -X ssl.key.password=..

whatsupbros commented 3 years ago

You can also convert your Java keystore to PKCS#12 format (i.e. with KeyStore Explorer), which is supported by kafkacat, and then pass them as needed:

...
-X security.protocol=SASL_SSL \
-X sasl.mechanisms=PLAIN \
-X sasl.username="$KAFKA_API_KEY" -X sasl.password="$KAFKA_API_SECRET" \
-X ssl.keystore.location=$KAFKA_KEYSTORE_LOCATION \
-X ssl.keystore.password=$KAFKA_KEYSTORE_PASSPHRASE \
-X ssl.key.password=$KAFKA_KEY_PASSPHRASE \
...
psanapal commented 3 years ago

> First convert your keystores to PEM format: https://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format
>
> Then pass them (as needed) to kafkacat: -X ssl.key.location=private_key.pem -X ssl.certificate.location=public_key.pem -X ssl.ca.location=ca.pem -X ssl.key.password=..

@edenhill I have already converted the keystore and truststore to .pem, but what is the variable to be assigned for truststore.pem and keystore.pem?

I also generated ca.pem

psanapal commented 3 years ago

> You can also convert your Java keystore to PKCS#12 format (i.e. with KeyStore Explorer), which is supported by kafkacat, and then pass them as needed:
>
> ...
> -X security.protocol=SASL_SSL \
> -X sasl.mechanisms=PLAIN \
> -X sasl.username="$KAFKA_API_KEY" -X sasl.password="$KAFKA_API_SECRET" \
> -X ssl.keystore.location=$KAFKA_KEYSTORE_LOCATION \
> -X ssl.keystore.password=$KAFKA_KEYSTORE_PASSPHRASE \
> -X ssl.key.password=$KAFKA_KEY_PASSPHRASE \
> ...

@ZZa how about the truststore, what variable do I assign it to? And is there anything to do with ca.pem here?

whatsupbros commented 3 years ago

@psanapal truststore is not supported by kafkacat, as far as I know. @edenhill, please correct me if I'm wrong.

edenhill commented 3 years ago

Keystores (PKCS#12) are supported. You can convert your JKS to a keystore.

psanapal commented 3 years ago

@edenhill I have converted to PKCS#12 and placed it like below:

bootstrap.servers=xyzz:443
security.protocol=SSL
enable.ssl.certificate.verification=false
ssl.keystore.location=/Users/psanapal/Documents/PROJECTS/kafkacat/eaip_financial_keystore.p12
ssl.keystore.password=**
ssl.key.password=**
ssl.ca.location=/Users/psanapal/Documents/PROJECTS/kafkacat/CA-cert.pem
ssl.certificate.location=/Users/psanapal/Documents/PROJECTS/kafkacat/kaas-client_truststore.p12
ssl.endpoint.identification.algorithm=
ssl.truststore.location=/Users/psanapal/Documents/PROJECTS/kafkacat/kaas-client_truststore.p12
ssl.truststore.password=**

Command used: kafkacat -b xyzz:443 -t LFClaims -F /Users/psanapal/Documents/PROJECTS/kafkacat/kafkacatConfig.properties

Error:
%3|1616085529.851|FAIL|rdkafka#consumer-1| [thrd:ssl://xyzz:443/bootstrap]: ssl://xyzz:443/bootstrap: Failed to resolve 'xyzz:443': nodename nor servname provided, or not known (after 1ms in state CONNECT, 1 identical error(s) suppressed)
% ERROR: Failed to query metadata for topic LFClaims: Local: Broker transport failure

edenhill commented 3 years ago

  1. It can't (DNS) resolve the broker hostname; this is unrelated to SSL certs.
  2. Port 443 is typically HTTPS; your Kafka broker most likely (and hopefully) runs on another port (typically 9092:ish).

psanapal commented 3 years ago

Hi @edenhill - the issue is resolved -- I only used the CA cert and keystore (converted to p12) to access the topic on the broker.

Can you provide a command to search for a message by providing a key in the command?

ranjeet-floyd commented 3 years ago

@psanapal Hey, I am facing a similar issue. Can you paste the exact config you have used here? Thanks

psanapal commented 3 years ago

@ranjeet-floyd convert the jks to p12 using the command below:

keytool -importkeystore -srckeystore /Users/xyz/xyu/xyz.keystore.jks -destkeystore /Users/xyz/xyu/xyz.keystore.p12 -deststoretype PKCS12

and don't use the truststore; put enable.ssl.certificate.verification=false as below in the properties and try.

bootstrap.servers=***:443
security.protocol=SSL
enable.ssl.certificate.verification=false
ssl.keystore.location=/Users/psanapal/kafkacat/xyz.keystore.p12
ssl.keystore.password=xyz
ssl.key.password=xyz
ssl.ca.location=/Users/psanapal/kafkacat/CA-cert.pem

ranjeet-floyd commented 3 years ago

Thanks .. working for me now. It seems we need to use the certificate chain.

dsanan0714 commented 2 years ago

I have received truststore.jks & keystore.jks files from the team who manages Kafka. We are required to build a producer application in .NET using these .jks files. I have used the commands below to convert the .jks files to the required format, as .jks is not compatible with .NET applications.

keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.p12 -deststoretype PKCS12
openssl pkcs12 -in truststore.p12 -nokeys -out truststore.cer.pem

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in keystore.p12 -out keystore.pem
openssl rsa -in keystore.pem -out newrsakeystore.pem

The output of the above commands is assigned to the producer config properties as below:

[screenshot: producer config properties]

After running, I get the error: "SSL Handshake failed. client SSL Authentication might be required (see ssl.key.location and ssl.certificate.location)"

[screenshot: error output]

Could anyone please help with what I am doing wrong here?