Latest feedback

docs/operate-and-deploy/installation/server-config/security.md

@@ -446,12 +446,12 @@ below examples, depending on the source of the keys.
 
 ```bash
 # Generated key pairs with aliases 'client' and 'internal_node1'
-keytool -genkey -alias client -keyalg RSA -keypass password -storepass password -keystore ksql.server.keystore.jks -storetype PKCS12
-keytool -genkey -alias internal_node1 -keyalg RSA -keypass password -storepass password -keystore ksql.server.keystore.jks -storetype PKCS12
+keytool -genkey -alias client -keyalg RSA -keypass password -storepass password -keystore ksql.server.keystore.p12 -storetype PKCS12
+keytool -genkey -alias internal_node1 -keyalg RSA -keypass password -storepass password -keystore ksql.server.keystore.p12 -storetype PKCS12
 
 # Imported key pairs, with aliases 'client' and 'internal_node1'
-keytool -importkeystore -deststorepass password -destkeystore ksql.server.keystore.jks -deststoretype PKCS12 -destalias client -srckeystore client_api.p12 -srcstoretype PKCS12 -srcalias client
-keytool -importkeystore -deststorepass password -destkeystore ksql.server.keystore.jks -deststoretype PKCS12 -destalias internal_node1 -srckeystore internal_node1.p12 -srcstoretype PKCS12 -srcalias internal_node1
+keytool -importkeystore -deststorepass password -destkeystore ksql.server.keystore.p12 -deststoretype PKCS12 -destalias client -srckeystore client_api.p12 -srcstoretype PKCS12 -srcalias client
+keytool -importkeystore -deststorepass password -destkeystore ksql.server.keystore.p12 -deststoretype PKCS12 -destalias internal_node1 -srckeystore internal_node1.p12 -srcstoretype PKCS12 -srcalias internal_node1
 ```
 
 Also, extracting certificates to add to a trust store can be done with the following

ksqldb-rest-app/src/main/java/io/confluent/ksql/api/server/Server.java

@@ -313,18 +313,23 @@ private static void setTlsOptions(
     final Password keyStorePassword = ksqlRestConfig
         .getPassword(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG);
     if (keyStorePath != null && !keyStorePath.isEmpty()) {
-      final JksOptions keyStoreOptions = new JksOptions()
-          .setPassword(keyStorePassword.value());
+      final String keyStoreType =
+          ksqlRestConfig.getString(KsqlRestConfig.SSL_KEYSTORE_TYPE_CONFIG);
       if (keyStoreAlias != null && !keyStoreAlias.isEmpty()) {
-        keyStoreOptions.setValue(KeystoreUtil.getKeyStore(
+        options.setKeyStoreOptions(new JksOptions().setValue(KeystoreUtil.getKeyStore(
+            keyStoreType,
             keyStorePath,
             Optional.ofNullable(Strings.emptyToNull(keyStorePassword.value())),
             Optional.ofNullable(Strings.emptyToNull(keyStorePassword.value())),
-            keyStoreAlias));
-      } else {
-        keyStoreOptions.setPath(keyStorePath);
+            keyStoreAlias))
+            .setPassword(keyStorePassword.value()));
+      } else if (keyStoreType.equals(KsqlRestConfig.SSL_STORE_TYPE_JKS)) {
+        options.setKeyStoreOptions(
+            new JksOptions().setPath(keyStorePath).setPassword(keyStorePassword.value()));
+      } else if (keyStoreType.equals(KsqlRestConfig.SSL_STORE_TYPE_PKCS12)) {
+        options.setPfxKeyCertOptions(
+            new PfxOptions().setPath(keyStorePath).setPassword(keyStorePassword.value()));
       }
-      options.setKeyStoreOptions(keyStoreOptions);
     }
 
     final String trustStorePath = ksqlRestConfig

ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/services/DefaultKsqlClient.java

@@ -202,6 +202,7 @@ private static Function<Boolean, HttpClientOptions> httpOptionsFactory(
               .setPassword(Strings.nullToEmpty(suppliedKeyStorePassword));
           if (!Strings.isNullOrEmpty(internalAlias)) {
             keyStoreOptions.setValue(KeystoreUtil.getKeyStore(
+                KsqlRestConfig.SSL_STORE_TYPE_JKS,
                 keyStoreLocation,
                 Optional.ofNullable(Strings.emptyToNull(suppliedKeyStorePassword)),
                 Optional.ofNullable(Strings.emptyToNull(suppliedKeyStorePassword)),

ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/util/KeystoreUtil.java

@@ -42,14 +42,15 @@ private KeystoreUtil() {}
    * @return The Buffer containing the keystore
    */
   public static Buffer getKeyStore(
+      final String keyStoreType,
       final String keyStorePath,
       final Optional<String> keyStorePassword,
       final Optional<String> keyPassword,
       final String alias
   ) {
     final char[] pw = keyStorePassword.map(String::toCharArray).orElse(null);
     final char[] keyPw = keyPassword.map(String::toCharArray).orElse(null);
-    final KeyStore keyStore = loadExistingKeyStore(keyStorePath, pw);
+    final KeyStore keyStore = loadExistingKeyStore(keyStoreType, keyStorePath, pw);
 
     final PrivateKey key;
     final Certificate[] chain;
@@ -68,9 +69,12 @@ public static Buffer getKeyStore(
     return Buffer.buffer(singleValueKeyStore);
   }
 
-  private static KeyStore loadExistingKeyStore(final String keyStorePath, final char[] pw) {
+  private static KeyStore loadExistingKeyStore(
+      final String keyStoreType,
+      final String keyStorePath,
+      final char[] pw) {
     try (FileInputStream input = new FileInputStream(keyStorePath)) {
-      final KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
+      final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
       keyStore.load(input, pw);
       return keyStore;
     } catch (Exception e) {

ksqldb-rest-app/src/test/java/io/confluent/ksql/rest/integration/SystemAuthenticationFunctionalTest.java

@@ -118,9 +118,7 @@ public class SystemAuthenticationFunctionalTest {
       .build();
 
   private static Map<String, String> internalKeyStoreProps(boolean node1) {
-    Map<String, String> keyStoreProps = node1
-        ? MultiNodeKeyStore.keyStoreNode1Props()
-        : MultiNodeKeyStore.keyStoreNode2Props();
+    Map<String, String> keyStoreProps = MultiNodeKeyStore.keyStoreProps();
     Map<String, String> trustStoreProps = MultiNodeTrustStore.trustStoreNode1Node2Props();
     return ImmutableMap.of(
         SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG,