Bookkeeper 配置TLS安全认证

Java系的TLS一般都会要这么几个参数

• client.keystore
• client.truststore
• client.password
• server.keystore
• server.truststore
• server.password

生成证书

client_pass=bk_client_pwd
server_pass=bk_server_pwd
server_dname="C=CN,ST=GD,L=SZ,O=sh,OU=sh,CN=shoothzj"
client_dname="C=CN,ST=GD,L=SZ,O=sh,OU=sh,CN=shoothzj"
echo "generate client keystore"
keytool -genkeypair -keypass $client_pass -storepass $client_pass -dname $client_dname -keyalg RSA -keysize 2048 -validity 3650 -keystore bk_client_key.jks
echo "generate server keystore"
keytool -genkeypair -keypass $server_pass -storepass $server_pass -dname $server_dname -keyalg RSA -keysize 2048 -validity 3650 -keystore bk_server_key.jks
echo "export server certificate"
keytool -exportcert -keystore bk_server_key.jks -file server.cer -storepass $server_pass
echo "export client certificate"
keytool -exportcert -keystore bk_client_key.jks -file client.cer -storepass $client_pass
echo "add server cert to client trust keystore"
keytool -importcert -keystore bk_client_trust.jks -file server.cer -storepass $client_pass -noprompt
echo "add client cert to server trust keystore"
keytool -importcert -keystore bk_server_trust.jks -file client.cer -storepass $server_pass -noprompt
rm -f server.cer
rm -f client.cer

修改配置文件–client

clientKeyStorePasswordPath=bk_client_key.passwd
clientKeyStore=bk_client_key.jks
clientTrustStore=bk_client_trust.jks
clientTrustStorePasswordPath=bk_client_trust.passwd
tlsClientAuthentication=true

修改配置文件–server

tlsTrustStoreType=JKS
tlsProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
tlsKeyStore=bk_server_key.jks
tlsTrustStorePasswordPath=bk_server_trust.passwd
tlsTrustStore=bk_server_trust.jks
tlsKeyStoreType=JKS
tlsProvider=OpenSSL
tlsKeyStorePasswordPath=bk_server_key.passwd
tlsClientAuthentication=true

测试OK

bin/bookkeeper shell simpletest -ensemble 1 -writeQuorum 1 -ackQuorum 1