diff --git a/docs/operate-and-deploy/installation/server-config/security.md b/docs/operate-and-deploy/installation/server-config/security.md index 3075fdbe31a4..60c57445d212 100644 --- a/docs/operate-and-deploy/installation/server-config/security.md +++ b/docs/operate-and-deploy/installation/server-config/security.md @@ -446,12 +446,12 @@ below examples, depending on the source of the keys. ```bash # Generated key pairs with aliases 'client' and 'internal_node1' -keytool -genkey -alias client -keyalg RSA -keypass password -storepass password -keystore ksql.server.keystore.jks -storetype PKCS12 -keytool -genkey -alias internal_node1 -keyalg RSA -keypass password -storepass password -keystore ksql.server.keystore.jks -storetype PKCS12 +keytool -genkey -alias client -keyalg RSA -keypass password -storepass password -keystore ksql.server.keystore.p12 -storetype PKCS12 +keytool -genkey -alias internal_node1 -keyalg RSA -keypass password -storepass password -keystore ksql.server.keystore.p12 -storetype PKCS12 # Imported key pairs, with aliases 'client' and 'internal_node1' -keytool -importkeystore -deststorepass password -destkeystore ksql.server.keystore.jks -deststoretype PKCS12 -destalias client -srckeystore client_api.p12 -srcstoretype PKCS12 -srcalias client -keytool -importkeystore -deststorepass password -destkeystore ksql.server.keystore.jks -deststoretype PKCS12 -destalias internal_node1 -srckeystore internal_node1.p12 -srcstoretype PKCS12 -srcalias internal_node1 +keytool -importkeystore -deststorepass password -destkeystore ksql.server.keystore.p12 -deststoretype PKCS12 -destalias client -srckeystore client_api.p12 -srcstoretype PKCS12 -srcalias client +keytool -importkeystore -deststorepass password -destkeystore ksql.server.keystore.p12 -deststoretype PKCS12 -destalias internal_node1 -srckeystore internal_node1.p12 -srcstoretype PKCS12 -srcalias internal_node1 ``` Also, extracting certificates to add to a trust store can be done with the following 
diff --git a/ksqldb-rest-app/src/main/java/io/confluent/ksql/api/server/Server.java b/ksqldb-rest-app/src/main/java/io/confluent/ksql/api/server/Server.java index 78232826313b..ec4ba69f3474 100644 --- a/ksqldb-rest-app/src/main/java/io/confluent/ksql/api/server/Server.java +++ b/ksqldb-rest-app/src/main/java/io/confluent/ksql/api/server/Server.java @@ -313,18 +313,23 @@ private static void setTlsOptions( final Password keyStorePassword = ksqlRestConfig .getPassword(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG); if (keyStorePath != null && !keyStorePath.isEmpty()) { - final JksOptions keyStoreOptions = new JksOptions() - .setPassword(keyStorePassword.value()); + final String keyStoreType = + ksqlRestConfig.getString(KsqlRestConfig.SSL_KEYSTORE_TYPE_CONFIG); if (keyStoreAlias != null && !keyStoreAlias.isEmpty()) { - keyStoreOptions.setValue(KeystoreUtil.getKeyStore( + options.setKeyStoreOptions(new JksOptions().setValue(KeystoreUtil.getKeyStore( + keyStoreType, keyStorePath, Optional.ofNullable(Strings.emptyToNull(keyStorePassword.value())), Optional.ofNullable(Strings.emptyToNull(keyStorePassword.value())), - keyStoreAlias)); - } else { - keyStoreOptions.setPath(keyStorePath); + keyStoreAlias)) + .setPassword(keyStorePassword.value())); + } else if (keyStoreType.equals(KsqlRestConfig.SSL_STORE_TYPE_JKS)) { + options.setKeyStoreOptions( + new JksOptions().setPath(keyStorePath).setPassword(keyStorePassword.value())); + } else if (keyStoreType.equals(KsqlRestConfig.SSL_STORE_TYPE_PKCS12)) { + options.setPfxKeyCertOptions( + new PfxOptions().setPath(keyStorePath).setPassword(keyStorePassword.value())); } - options.setKeyStoreOptions(keyStoreOptions); } final String trustStorePath = ksqlRestConfig diff --git a/ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/services/DefaultKsqlClient.java b/ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/services/DefaultKsqlClient.java index 76873604216f..59ad8a90b8bf 100644 
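Review bot: When no alias is set and `keyStoreType` matches neither `SSL_STORE_TYPE_JKS` nor `SSL_STORE_TYPE_PKCS12`, the new `else if` chain in setTlsOptions falls through and no key store options are set, with no error. The comparison uses `equals`, so unless the config definition already restricts the value, a type that differs only in case is skipped the same way. I would end the chain with `} else { throw new IllegalArgumentException("Unsupported key store type: " + keyStoreType); }`. The alias branch always wraps the buffer in `JksOptions`, which is only right if `KeystoreUtil.getKeyStore` emits a JKS store whatever the input type; that body is outside this diff, so please confirm. setTlsOptions starts and ends outside the hunk.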
--- a/ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/services/DefaultKsqlClient.java +++ b/ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/server/services/DefaultKsqlClient.java @@ -202,6 +202,7 @@ private static Function httpOptionsFactory( .setPassword(Strings.nullToEmpty(suppliedKeyStorePassword)); if (!Strings.isNullOrEmpty(internalAlias)) { keyStoreOptions.setValue(KeystoreUtil.getKeyStore( + KsqlRestConfig.SSL_STORE_TYPE_JKS, keyStoreLocation, Optional.ofNullable(Strings.emptyToNull(suppliedKeyStorePassword)), Optional.ofNullable(Strings.emptyToNull(suppliedKeyStorePassword)), diff --git a/ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/util/KeystoreUtil.java b/ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/util/KeystoreUtil.java index 31c37a76aafd..2017a85b6818 100644 --- a/ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/util/KeystoreUtil.java +++ b/ksqldb-rest-app/src/main/java/io/confluent/ksql/rest/util/KeystoreUtil.java @@ -42,6 +42,7 @@ private KeystoreUtil() {} * @return The Buffer containing the keystore */ public static Buffer getKeyStore( + final String keyStoreType, final String keyStorePath, final Optional keyStorePassword, final Optional keyPassword, @@ -49,7 +50,7 @@ public static Buffer getKeyStore( ) { final char[] pw = keyStorePassword.map(String::toCharArray).orElse(null); final char[] keyPw = keyPassword.map(String::toCharArray).orElse(null); - final KeyStore keyStore = loadExistingKeyStore(keyStorePath, pw); + final KeyStore keyStore = loadExistingKeyStore(keyStoreType, keyStorePath, pw); final PrivateKey key; final Certificate[] chain; 
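Review bot: The inter-node client hard-codes `KsqlRestConfig.SSL_STORE_TYPE_JKS` in the `getKeyStore` call, while Server.java in this same commit reads `KsqlRestConfig.SSL_KEYSTORE_TYPE_CONFIG`. A node with a PKCS12 key store and an internal alias would then have server and client load the same file under different types. Whether the client load succeeds would depend on the JDK's keystore compatibility handling rather than on the operator's configuration. Consider passing the configured type from the same props that supply `keyStoreLocation`, or add a comment such as `// Internal client key stores are always loaded as JKS` if that is intended. Those props are read outside this hunk, as is the rest of httpOptionsFactory.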
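Review bot: The Javadoc on `getKeyStore` is not updated for the new first parameter. The `-42` hunk in KeystoreUtil.java shows the comment's closing `@return` line as unchanged context, and no earlier hunk touches the file. Add `@param keyStoreType The type of the key store at keyStorePath, as passed to KeyStore.getInstance` above the existing `@param` entries, which are outside this hunk. That matters because callers now pass either a configured value or a fixed constant.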
@@ -68,9 +69,12 @@ public static Buffer getKeyStore( return Buffer.buffer(singleValueKeyStore); } - private static KeyStore loadExistingKeyStore(final String keyStorePath, final char[] pw) { + private static KeyStore loadExistingKeyStore( + final String keyStoreType, + final String keyStorePath, + final char[] pw) { try (FileInputStream input = new FileInputStream(keyStorePath)) { - final KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE); + final KeyStore keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(input, pw); return keyStore; } catch (Exception e) { diff --git a/ksqldb-rest-app/src/test/java/io/confluent/ksql/rest/integration/SystemAuthenticationFunctionalTest.java b/ksqldb-rest-app/src/test/java/io/confluent/ksql/rest/integration/SystemAuthenticationFunctionalTest.java index 3b5c78758c7c..9cad0e49070a 100644 --- a/ksqldb-rest-app/src/test/java/io/confluent/ksql/rest/integration/SystemAuthenticationFunctionalTest.java +++ b/ksqldb-rest-app/src/test/java/io/confluent/ksql/rest/integration/SystemAuthenticationFunctionalTest.java @@ -118,9 +118,7 @@ public class SystemAuthenticationFunctionalTest { .build(); private static Map internalKeyStoreProps(boolean node1) { - Map keyStoreProps = node1 - ? MultiNodeKeyStore.keyStoreNode1Props() - : MultiNodeKeyStore.keyStoreNode2Props(); + Map keyStoreProps = MultiNodeKeyStore.keyStoreProps(); Map trustStoreProps = MultiNodeTrustStore.trustStoreNode1Node2Props(); return ImmutableMap.of( SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, diff --git a/ksqldb-test-util/src/main/java/io/confluent/ksql/test/util/secure/MultiNodeKeyStore.java b/ksqldb-test-util/src/main/java/io/confluent/ksql/test/util/secure/MultiNodeKeyStore.java index dc5d10a9de33..419eb4ca5d97 100644 --- a/ksqldb-test-util/src/main/java/io/confluent/ksql/test/util/secure/MultiNodeKeyStore.java +++ b/ksqldb-test-util/src/main/java/io/confluent/ksql/test/util/secure/MultiNodeKeyStore.java 
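Review bot: `KeyStore.getInstance(keyStoreType)` in `loadExistingKeyStore` now takes a configuration-derived string without any check. A null or unsupported type ends up in the broad `catch (Exception e)`, whose body is outside this hunk. I would add `Objects.requireNonNull(keyStoreType, "keyStoreType");` before the `try`. Please also make sure the rethrown error names the type and `keyStorePath` and never the password, so a mistyped store type is easy to tell apart from a wrong password or a missing file.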
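Review bot: In `internalKeyStoreProps(boolean node1)` the `node1` argument no longer selects the key store in the visible lines. Both nodes now load one file holding both private keys, so node identity in this test rests only on the alias chosen elsewhere. A short comment would make that explicit, for example `// Both nodes share one key store; the alias setting picks the node's key pair.` The rest of the method is outside the hunk, so I cannot confirm whether `node1` is still read further down. If it is not, drop the parameter.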
@@ -22,108 +22,101 @@ import org.apache.kafka.common.config.SslConfigs; public final class MultiNodeKeyStore { - // Keystore containing cert/key for node-1.example.com - private static final String BASE64_ENCODED_STORE_NODE1 = - "MIIKawIBAzCCCiQGCSqGSIb3DQEHAaCCChUEggoRMIIKDTCCBYEGCSqGSIb3DQEHAaCCBXIEggVuMIIF" - + "ajCCBWYGCyqGSIb3DQEMCgECoIIE+zCCBPcwKQYKKoZIhvcNAQwBAzAbBBR3KbJjvRsDY35RZFo84oCT" - + "9f8VGwIDAMNQBIIEyOrof8DyO04RvzBnjnvOdcYa7O1bIvZ02oE6Sh9VoF3w4MxMonfg6eWfnORc+z8c" - + "KVCDD7RCs2UfoySfF3S2UAFlcZkIonkXVHjL1n2wFgXCx9d6ZltRHEnecfaUwhmm5CLwVmJRYZ2nsQHr" - + "r8zW7b/VNHxPVcgWB+8Xvmev8YCofoQ5KlqipQipnf1xjdz4bSk6LBKPmOQU/VSNl6h+DpdlgeUz2Fk2" - + "g/Sy2O3HHK+A+4w6RZLEiVnUxDzI5cpkhRB7iaXgw6/ooNRv2/a5a3dsTgk7nFLwBuYYdwlYEHB/OkT1" - + "xhK858j1qRvKzMV2JAnenr10APJ/NJE1C+G0VKuHSgyNOrQIMfwkj3bLH0IKpYfUayvMWzxmiMtuDuMw" - + "KBsvprz0gK11gwQEI5Tto38+pa3vDOf30F67G6RxotH6yEIGv2QqQBoe7V0awpAARpY7ecmh/dmjey2/" - + "bT6OHdEKZ5LpZrIqw6VHGkH4dt/wdknBGAuQWGH6ol7OA/PTnCVZNOQ4ZyAdOQS9Mq5UF1pd2ZVqKrr0" - + "97QeTpUXo0uqH3d7z/laKws6Ai59LeYbnJyHf7pUd/OSm31Hg9+m3dN2uEn6ZG1oIBAAuULUDOB2XmUi" - + "Pk/QxCDDLWCMiztIK18r9sFWzK2qSB16Oxn8BEC8/r1zSqX673RQPXRUEd5ZK4665ZgOX7tFXm/FUcCx" - + "5XxKz0aUwfr8VwEWrpOXzUpkU1wykoqxWzAUyVqsVPtg1JlN88Hj+QH/ZSDI2+a3XVxQuJ4oZtHzPn3K" - + "eHseW543kXEYbCeOD4UIl34B5lzpuXFAF7keEmV0GH53i0CpKSNWyISvQzCQOIwl6IzD13aVkrbpQN7C" - + "loKn8VN6IQUjjLV62ZBODWDfWJk5QunKlO1bYxz3FlXEI2cpsrxAyblIa2wFjRQCKcSWMu0vxUcaMcZD" - + "ndTkV17jWwQv7/NuzDAyJ5jft1cBvJHkq30vUIr+SAqjAk2IHISX5zIJLKjDVhLuNcTEMhm/bGZxbzn9" - + "qs4ZnsdwPFlcFwpfGZp0jucmIPWBENgblzkbreYyqdbS7qJJ5G1tVNhmchOQNWlFQ/izjTsoXjusUCfw" - + "bwFKju5kTH80AqjEpFTMZZnEiExXA3fzizUTsYE1VFmsRF/FOheE7TVhJFnQyrAb4DflVBzOnAuKaQFb" - + "+DOEZPZnDNuuxZkw5/HGJWSQlctyoxo+Pt605KvGyY3vo+iJ4VhujE50t+AwDRipGk4UfFgNj9UVU1bo" - + "Z6OSCWhRTs+nhEE/bBrIr8hiLDQIp61BptOaTlVqazJGQKpoBxh0d0E8Qcbjq5iFKVBq7nc/lvlWaBGJ" - + "ccwoazpgH1AciOQibA64ScFi2+AH6kcHPzWGb9R5YUVeQz+HgvmOpWUyCJD9yiJFvsioK40wQkJsbJPG" - + 
"PKGlTbZO2rz8RhacaN7ZWm3GjBlTjzbgYhuqQO6Tik4e/xnT5aGztytC24flgdTUqOlR9A9jEA2+bcqq" - + "vr7VxE2o0caNTnrNCIm+ozUNgIZyrVqFfSvyIaI6992SmJO/OpBSNDnD+mix65mWM1/tFO7GB6J3uq23" - + "0dFVpReSLBiWRsSSLxRpR7CBhz0GWzzHUDZqiTiMLi++dFEinTFYMDMGCSqGSIb3DQEJFDEmHiQAbgBv" - + "AGQAZQAtADEALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0wIQYJKoZIhvcNAQkVMRQEElRpbWUgMTU5MDYy" - + "MTA4NTQzMTCCBIQGCSqGSIb3DQEHBqCCBHUwggRxAgEAMIIEagYJKoZIhvcNAQcBMCkGCiqGSIb3DQEM" - + "AQYwGwQUZeZAop7hAbM16IlenfEOOxRVKEECAwDDUICCBDCXWcJdoHI+tkI175WqO3nizvnhK63yiOXT" - + "5btKTFp4guytTuwOkwnc4iNwe6bilYWOp+wAG3Q2rO3L9mEVr3DDO+EohzWF2aY+AcP6aclcNS9AgqhB" - + "Sg035j+tZvkLfmeUK0HaHVRHTQxtQm0BF50eZ21UjMOajrHxkPbxdJ8dEKKlHOdR7bEqzSozK8gXOcHT" - + "bzGZe3TMtdv2uS+uKZzZNaS42GEb0Vcc5VWB2mIO59u8M12oVzKi231y8XtTROF4vLnTH3eE2Jr5xe0z" - + "zsYAfsNtZdLIldH1h0j+VoLd/V3hJndIRoc/SsiOJ9aPNagAnQD6jhSzjySZxCnLoWTeWac9cbW0FbAW" - + "zZGr7rlilwPMgzFv+jHSVc8M21kBxAywbwhufzg28KhLflWyap92HC67oYZIPeEmaVP/yHN/A9QkIREK" - + "A1JxBI/J6gOYInSRkByHF/ffCjA2O0SSGEFs3gKyMMmC3zSbI4MMTMZ7V/xvqIs29dVYMYZaYAhlKgxf" - + "bpfaeb8l5JomhZ7dNkm68yhK3aVA/iO411quL7YXTmCka2gYCQU/67Wlwl/aLAjuqXeT2lXG10Dd1osU" - + "EyXb4llvciNr5jFbPz9zcqeS3bFbudQx5+/xT3R3ENZnYW2JzEp40ZUJ4HOSKSayKCAV7WGbWJsRrnk/" - + "w/bPtNBy1B+KSRiXY/bINde4l0iHWdP0D3fk+oYPluxteMmyIpvbQWhOt/KhBNM1tVkOvUusd4ByPQd4" - + "L372sLiEjGkifkMnfXzV3XAlCRHntIJ22jPISU8bNSl0o+Hsjk3AQ2nbR5sZaEVTSHvTXzyWWFGu2yr6" - + "+5baf4GsuGzu9OrOfTmEUlmRbFigaw17XVI/yWDW6QN7yr/VqtpkaFgxoupPIlDoXz+017csZaFpOmMy" - + "jEmBWP/5QlgZyV6f4PHthkTsvw7NFT6xKfVUIscezaECpoMoSO5AADo+Mr9L2QGWJjTPH4HKJVeIDTaq" - + "tVhO1H/gmGaCfwD4J7mDCz/CQ3Yw+n7iXwIV/HIkLpoFaij83J/n5wP5igzTF5Z9PumP5f1UdavruJb4" - + "RuBVQu8ka/jDoAKETwaexzUxVSfRnYjreLZs+UTwnSHKDz/iblTG6wYRuGhxSj1P+5dLtHJhWuKmAIyf" - + "gyPC2BgIewVtmpb+BYlwR0Lu9FTQVLc/zWaCzcdhe6gAfc/2qcPqlDYoK67qlea8ddWaIZEkSh3qUS4Q" - + "OA4nDqCZf5OAlsyQkhM7qEGvtBbOivBbA80vp53cG2KloJ1gEhohub0SzoZgDJCvjO/6/bolFI2naawe" - + "2++dqRyqMCMF5bEkRTtgfg+Ha2SVmmmMkOS3UkZHNzXvcguBkrMcvOv01luf3nWBFrOAqNIj4mAvDEYj" - 
+ "W7tf4ck+kTOigKko2ZS1kQsCyYkITCmTFZvlMD4wITAJBgUrDgMCGgUABBS4HiJ/SYKTksWMwN2L0pSa" - + "jHJPMgQUm6m9R17pSeM4Bh9vVY0NoONzi1kCAwGGoA=="; - - // Keystore containing cert/key for node-2.example.com - private static final String BASE64_ENCODED_STORE_NODE2 = - "MIIKawIBAzCCCiQGCSqGSIb3DQEHAaCCChUEggoRMIIKDTCCBYEGCSqGSIb3DQEHAaCCBXIEggVuMIIF" - + "ajCCBWYGCyqGSIb3DQEMCgECoIIE+zCCBPcwKQYKKoZIhvcNAQwBAzAbBBQJTlOl6Udn4FPQjST6hV17" - + "tAOcKQIDAMNQBIIEyLZ5KkIWUUG66k5W0afBcEls8l6yQw05efxIg5NP1LPDwCILgO5k2ApbXwmulzMu" - + "a8briiAReO9nxgI1dmdZ7xevyXoSQRp9/F+YAmXNPG2i0a/nSkttvYF/+MBL6KZ1UhChdedvbwiqrbMv" - + "U32TomCGcltYLyhMODyt7ZF+iTT8UT+Zc/rnMVRcuKfbp/GhVUJB1PooSZRvG9YSqYL7f7NH1Ka3sWg6" - + "EtkMD+iyvZx7G8W+VYt0QJUg9TnfK2/+hTq7Wobh8g0Hyw3VaLpNZgkeyDjYfh7hR5Fclaa3pplX4JZC" - + "w5GZkt2HIY1YQfPXGWq+tkpRBTR06ZUWAidxsiKaCI48BXYLgM9QOTCWcuZCVQWAthax3KKhTbR5d1qV" - + "4ryXDZXZvTIv2OJPvpp6En+MRxbK+khXo1XHwv5tCPB57H0r9gsMSm6t/7y10PQtxocAo4XDf2xMgR2F" - + "wJ675LpOzbFPOgD/SYLDdRgIAZhwewpWR2Kfm+6IYmsEQ/VhbkmDVFViuJlMS985SnpNn/2HuKPvYWKs" - + "O2zqTC+VHkp/qA2r3s+tFLTcYHIJwTwrDv3cxsY/Fia5WAwpjW1ZoBMTP+p3fOB+DVrtBwfZKkLcZfOu" - + "7RLnkowYZ9epssTxxeqaYR4HSPQd3WrdnB8ZD5Y/slmC5VmyvQGRY94Z5060Pf/SDOQo1Gaisqv9AuXG" - + "FLRdSjYMN7o4rsHBaH0o/KPyH4dolmAAOotFqpihEb4qrELuPApnvUtk5axkkMEiAOXRd+SUEfPgwtx3" - + "O9Cg3A61wKZ/HMZs+swSDWVxyVXC7kW0djOGi370Xgb2DF4biUfby5itKqvZLB92n4qZ6NB59ljnKDZo" - + "OZRwSprO9hbRJnVf+fu4IGyb5RXaxDsvxTuNDd8Ahk9WjViOD1owW9UNkVbQZ6uTVZj+h7QZnQ22I+uz" - + "pWBddnMEeFmJM2lmxAtW3uzq5SikfGByKXzPEdGVXlvuX8tHFkme8KDQV6w8IskoW2t14CpwIj+PCpA0" - + "CV3wOPXH69WL76pdVXyejVVn3XR3rD8VSc7UCB6qKWucge7F/u/6VOAlw+y0+N+VEUP58o6kGeT6w8/b" - + "g7kM3wx+1OQ2kDwyZBHNdcVc6Tgorod7Kasbb03cYEynZUKRE4TiL3ktfra6X1a+P30lk3MoksV3xZlx" - + "cFB4sA2oL36LviU9LnKiqtLlOavWcCBPuqp6Pfnq2fwMyS4+6YPQUCuGglfC+ZPpWmJFnEdJuK8xnmQ6" - + "uyItvDWFwpKmawYLwnB7raJwIz/oPh2Tj10JtyYWu8gMpyNxnEK6Yi/0Ej/jTsXFbHija7eoR8hoZJuN" - + "kj6vXaDBlIsn58ps4QqvINrVJ0BNXF7zkB7w+nbK1GgJ43t7l9Vsp19C9mDk4kHN6mjwoNzP4YPAgKOO" - + 
"+32CJzFL6vjff/XHKhwuCAAQbGoSDOXEfHN4T/5XB2IgZmtXmjco0c4EzGwXDgRkos+iC8AAbJSXclQL" - + "3GMrXxu307hX7jV4L1thL8Lp/9ti7RQYBda4EtVyJQ420LjjnblxcOJzk6y9C53niCBNJu5dIQwSaA99" - + "kvSziJBx6NAkQZ8SXLEmZFYwwlmKSO6cuWoQHSokqqdgkjCshTFYMDMGCSqGSIb3DQEJFDEmHiQAbgBv" - + "AGQAZQAtADIALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0wIQYJKoZIhvcNAQkVMRQEElRpbWUgMTU5MDYy" - + "MTM1MTA1NjCCBIQGCSqGSIb3DQEHBqCCBHUwggRxAgEAMIIEagYJKoZIhvcNAQcBMCkGCiqGSIb3DQEM" - + "AQYwGwQUtc89vOfes93cDoQgMC/PqLfI1r0CAwDDUICCBDBkW0Rs1LzG3L2aK2qBhDICbVWCkrXjtRnF" - + "TPk9pcLI1vGrXwVp7FRLPxPk1Rfs3haG8jxux2J0mrW0UKbcfjGEdMSX0KcB7vid1kCVL/4jiIrI9DDs" - + "KGOpxQN5Z+8AoYE4CgVNN0m/2Mo8tJ7jIxuIuiM21VBNLobzUSxKMTdGixzVfMe+Eky4F3mtcgVr7um5" - + "sim+KeOIfmaQ+Qp1AevIUPca771ozLdxdEH9k5gzOfZG84kcRKxFILxddPJjIXrxdIZayywAOG90tIea" - + "fhVwPSA7C7FKuV9YlM5cRB1Qr986YCl5qnQyH09sltRWRgf2EctKOwPWvEwWF/ZUuTH/IWQlzJSPd/mG" - + "WiSsEAWQTG6u4pnbZ3v2vgnikumELbJgvivESn/p/J49UYbfQ/atDQdjEUxx6YC2zhmFJseCkwUzFDd8" - + "KOxL3cvqLu3ubjFn9a3NBZa42cqQpwvAxTg8rKnc9YzxgF1JZ1PGn7FSRxXVfoqaq5paVZped5cbEMrr" - + "klj2HcswyRIVYDfsg0mY31myjalf6WPwbQpYScGl2kdgqE2Xm6TrwrpYWG2HZBhaIm2RbD7fUlY5ZSUJ" - + "D0S3sxjsfCyMQ42kDejtYrOSDR+aRUvWPj1RhaZ1YGnZV4kI/Tyndqb1/X7v1afCvzAHz9EtJpVtecX3" - + "GylTGPhdZgH4qTc6j2I9X6dT2JHb7do+Wti+FtjzFzcZ00RRf71HZjpxGsV+P8wxBjnOTiY0o8T0TUAi" - + "/VxCYtbpaP0AvnwzccqaUlH3PQiiX4XJ9NLemW4AzGv2P3lJLcSCACRsK2sRKjVGxPfgsFLEi6QlA0m6" - + "DejePWfMWi1/dFHk/86rlmd0pF2/QN9GdzKNlWsHuybgEXt9bCrnSA6bDkjzlS0ayn5UFemuJ6zgxdpy" - + "3DMnEtdSkxPvmB55hiFxErfZAWyzQP2TlyGlTGh/DEiycq3/iy/x2r0svQmW2mPAF6mz7KP5n+Cg1DjJ" - + "4VteZ2cTBgzOMPQqTDLf7fcLcA7S7lcRS6MJ6q6HcUlIdBfXJu9oNwD4dAK1K1nqx3yxIAYgK7TyuKDx" - + "0V6yWysB6OdKB5TEdHtK+50ZKEIKvtP+PwDjf9dtbAvH7fFz5lETECoNEx5hJUcdUPaqizf69l2EBUpU" - + "uzFm906BxozfUMcGc+A3grASXo5KJSfR1dxldeKV4lITFL809z1nxMokwv6f6c4k7/zw9+iUEwFYxARr" - + "xTgXsLRgzAwHuY1XvWvYZKh/5cgAu8AsSUfT3HjOgOjM/DyXiPKH3IG5gbxZUx5NhlbWA5GO0Sdmy2VG" - + "wCMLllfHG7FBrYOI5/UnDC6vKZz0GVWqP5Af68UFgj4rILA5btOk1TWo3rWUYGx34pUsONlTkoSDqtnt" - 
+ "64ybuaOz6BjAhBWmooNhZ5CvdPCqAJczlt7qMD4wITAJBgUrDgMCGgUABBT7RD99hC1dIBi5SyjpcIRK" - + "uvsHRQQUKmpPPBoczW9SZfPofKeMAp7EAscCAwGGoA=="; + // Keystore containing cert/key for node-1.example.com and node-2.example.com under aliases of + // the same name. + private static final String BASE64_ENCODED_STORE = + "MIIT/QIBAzCCE7YGCSqGSIb3DQEHAaCCE6cEghOjMIITnzCCCusGCSqGSIb3DQEHAaCCCtwEggrYMIIK" + + "1DCCBWYGCyqGSIb3DQEMCgECoIIE+zCCBPcwKQYKKoZIhvcNAQwBAzAbBBSRr82F4zxf4h6F237niiz1" + + "YPiSCwIDAMNQBIIEyJzsIONsXoZIhzlwftTqB6hcAi/GcLX2edpElZ9xPmTpHtPBCg3NouN8VC/hBVsP" + + "aFk5TlMRPcFJ6ovbKIV3FyBf7wZNjItByHreYPrJfvBTaliFAxiJqKy99ZtPE4eKbMI5xN4jafkkp5vM" + + "BXRbLOxByiWmHdAMoLhjt9g1nwbvCC+xfiGee+EEUpxxGZXa7nw3DJwkrHSV7lSj4fJP99bwcdRRqQa6" + + "RrbhoWHI63iT2KYvEr0r517+ip7LVzaRkpJLMr723RDfSkWl5COyfIw3+S8FFRvTIjduUkRMMqnlZm6z" + + "cM2vIl+n1XTZaWGa6HEKIt3sh96JYulXs5jZwWEUcqjV/MaWVX0VBn36NVR8xhc+UWgR6HMpNIPeePLZ" + + "N2rmbfIBQedTBQH4SmLw132yioYRqgIRixk98gVyiQqwkQIqBXtPC+XvovC/I9mYc5/HtLCeR6pEBcya" + + "zGypmqfshH0mgxzLutObmHUSRC93nly8N2g+PAM811VxEISVNKaqSHayrb9WLZb9/GOj2iiFLe6lalOv" + + "Lk4e+uzt8Anx0nK2TjLVje6nb7bvyHJYGnBkaf8gBM4PluM2euyDp58SlTA3kGLqsGw3doFi89+RBdvT" + + "Qd8dxv3gxn8HvzeHg0vfDemW8vC74x8hHkXEY8CS4ut3KpmNeg6pU28LBJJXLcyA3GLahg5BfTrl/O9+" + + "JSHFoSYobBA6QO3Nxloms9ZwD9w8vqLHLHfo93LBMSrXeSK8tF4WvnuWj5ixMv1XRs9tD9Raj/F9hlDf" + + "+BJLAqjVbEShSWdXBLX4GKgoG64tfdWfPmVF/aewtnmJxr3gCepI7TEqYsF5W05aLC9OQNmHRVWT5y63" + + "BCo4fmcf+7tVjPIftX9o+NqmMGFb4fo8nWKcGdqhyD6whBTHC4mqpms3oC2ROf8CPqq9Fh9ZRp2PLAz4" + + "BU8j2QQcU6RAUdgwTHX9/TlGfp2Xjw9ZGM3lcWIMcYwS6B4UjUYqOYXMEHvmqObdR/7wtpu9hrTZXaQ/" + + "+8Dyh511XWYwhY1SNpYBIo9UWobPjZaSg2kw1Kvr60EgkXHM7R0wKzb94jZBkH8UC7Tv8p1RSS0cJ+Rj" + + "uZWUtbCr4ukEMCYff08YtPciimQ8KSrUE3Ajra3mBd9lUup8YqZrRbHtKOS2r63vKpc+aoAc/giOM4C3" + + "A52s6xk3ajDgAwlKZdG7EchFbfK3DhBjPAH1h+MG4NVN2oPOIctkZQYdwRVAY6rwcK4b/bfz3tWXtey/" + + "Ob4gN+1sXWlWFoeCsWZazIGPgP9as0pw25mHW+QHRQoowuJOWM3l+EQ4gcohms59jY5MIm6lf9hZKGT/" + + 
"zrTVSGTj+xv9Wc9gvhbFiBpoTNJ7LaAa2KPU7p3KZDeNnFLtsogVpvLyrlc6UcknzrKioLDbl9uO/SFC" + + "NAoh5Eoo+9OQa9Ryh98ZEOa4J6pP6qJC8kyC3kLBh/b0X7TVSXMdu71dlLCiCTKsomStgMjibbwLzUHI" + + "mL0kKWV20FhtydC+Pyx/9SOaF7/oBQx7itZwT/wQH0E6HaHc20vfl9zq2mCZB1aFe/3KT0sdTOxFtCl9" + + "draeyOeZxzhML+oZPUL9cBcjjzYpaumP9G/UXjl/e9TgNzXnuDFYMDMGCSqGSIb3DQEJFDEmHiQAbgBv" + + "AGQAZQAtADEALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0wIQYJKoZIhvcNAQkVMRQEElRpbWUgMTU5MjI2" + + "MDI0OTgxNDCCBWYGCyqGSIb3DQEMCgECoIIE+zCCBPcwKQYKKoZIhvcNAQwBAzAbBBSxXI/HjXb7VEES" + + "E4trsfsi/nq2VgIDAMNQBIIEyDSVQHKtj+zvjgUviL6gCYl5kqvNV0NAG4YROcv7yiVy+TYjcpYR8LRA" + + "vvJ2LdcCQ/KD4HzxZSnGD34sbrfCVEjkMNI4sxzVesOwva+tEix0WpV4Lw4wqqXDsOwVNAQmoOZxutb8" + + "YjHy+iwhNZoU2okDFwiJK2y1dTGcKVxE0CUhHXdjuIsNo5obu88L85RS+DBtShaF9U+TtgcH6+7tm4KS" + + "ihByhcagRz/P80b7hUCwP+Tc/Nq8pftqq2gr5qrN5mtEXTNrZbq2NfEF9F06bRX99rYnui8A0eym5tpB" + + "SI9oLmCNca2t4l4wK4f9vkA2kgwLi+qPcmY0gF9Ev3kUH+o8FgyeEVgZb4iKTACGw7k7+jPWTgs0WLy3" + + "6WBQi8OWHu1WlsF516zeatGiziK+Xf06FI0MiZXkOigdrWPGnDKakyVYSZ5S2LzIME1f76MPHGW4ZG6J" + + "vXlCChXwJL+SmCkFztmGyKevAs3s0P6trUanRuSXqWUKeyTGD7I4kpoPUHtVegq/6AHVAOMXBoFCt8Xn" + + "csilk74Nn0yuPTOXiMvu07E5Pk0xfzBw5nsumGJSJGJx4bu4n7M/XRW4gJDh2UIu5s7ag9CHiceWmT72" + + "sUYt14DAa0/6BvsFUkKJnpZKgMosADLkvjUaLZ+TTeHfq7hH7Gp4brt5jAiSPSFSNmSt7BWjpAk5Lszn" + + "y89TBCDYbHwPSY75p7cA67SmBBeai3FYt2x/HeVNsLzi99vrMniqvZTWbCTlqBIkQJmmmZbYO/RC68nm" + + "hhNc92SBdEO2txr2H89zqznES025hwEwPHHMGGDSKO4VFk3mTtS7vkc4ojoGm1QiWQE1emyAPiqODPdJ" + + "fR4+C2/u95Mz5z1BvdG/SzzTQObIX0LWrYoBfa8n7/9N/hsozkgP1f1LG1BeYgzKVleuRBEeGc2oqxGu" + + "7GbRsgOn8X7wNXvsjReroszdpsikm766fPT/JhxjD1PM6LYYKBy8vWksaF/SL51ZGwfHtDWatpUGGjin" + + "vdWNya7PqJDSa9668r8olnXJ9yBvrS7o3cZuIQ2YJIwww5O3t4YPmf7bJ1cGpbXLpCckEgrOIQ7fpW/Q" + + "IKX12FnFLn6Ojfa384b7Ly0OZPBPo0XgnL5xchONae06pEuPEbrqhDusD7DCNZg4slzFZx5G7oGTDl/5" + + "CJWNVzVq5uRmaQQuM0CdLXh0rStdGzyCkfTwf2FK+Y1fvDLBXCO7x1+PFOUUa279xvPAW3ZPbDoBHgr2" + + "mXz5S9/mxCoHc1xSgbdEEITDVA/g3pRTA0PAW/sGPhRRXyzlbMk/t+UsIgKf44gTP6+sL6tzLA+BWaGg" + 
+ "dItm6TfRTySJhLe51oM7DZIq6P00qyQMhkKvL/NvoejM1VMM1uyAdvdmAejIDGKP1JwlyKidGQHndZtV" + + "dziOoxv7TEF4VBOgyDJnideCa8cghJfAnUd7NQ8F8daqV4/UXVNrU/gxa/p2inIchY2j6cuJBQQq4MAi" + + "P4b4p8PgCcrPkYDEuWwtxXe7p4ejfmwnhA+yzJpTbmBJSefM9U9M52HTvgEAFrT/mZVxJ2bTyeIPe4Cf" + + "28pWwU5e4G1FiBGMkWaMVIMmVWlozDU5mlG9LtwbPP1Its67h9E4kV+AUzFYMDMGCSqGSIb3DQEJFDEm" + + "HiQAbgBvAGQAZQAtADIALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0wIQYJKoZIhvcNAQkVMRQEElRpbWUg" + + "MTU5MjI2MDI3Nzk2MjCCCKwGCSqGSIb3DQEHBqCCCJ0wggiZAgEAMIIIkgYJKoZIhvcNAQcBMCkGCiqG" + + "SIb3DQEMAQYwGwQUgryHCUhTbLfVVS10fR0mRqeRE1MCAwDDUICCCFgprBuQY0tBbNpdo2MZ3LUnHO5i" + + "TE2zyWdxa0le0dWG+StKqb00Qk1sOQkgicAVjZ5/dVhD6HiFHj87zLgbu1l/DPCNMwW1sj4DPhSsp0PF" + + "DY7kdJeA0xQQauhH6J1O7Y/TvfkUTpQ7c7P5pO3GtUcdtmhmTF7z41FkkXWvYk0/d82Yp9ueG5554sch" + + "oCITwHWxUG1Q9JFNzjWYOSG+p5P3/aAwUJyDVmnJpmXnVDF9LSW1b3hU5EjCVT/GZEg+nmuV6u5VjYLb" + + "wbidhs6gTMNNM845H49nx4uVKVIdL2vbuNAV19AZqpNElbOqW9yDWGdxjRxUb1oquG7ZDTZpRtLjzZX0" + + "L0aU1jb4H/U56o6yMqwzgoPKJlSGG/ZrFgztoaBZ5yKiWAHONu2UEYDF7j+Y25rt6YcKUPZUz4zECelz" + + "M1PvJWsEwCFq3BhvDGNdWBufk+LN9b4DUsIuAOoT9bMTx2tppPqC+a7upl4XDJPHFmMGCZUmcKrB1Y9H" + + "sNhJy8pqXcVV8zETQzFKU/WuEFfs4kx4A+ktLJmC/VfX9jpNjmBaqjeLz/e0rX+paecUbDgy5uavHVNp" + + "O+h5p/Yofbe1saEzvmSucRjNhMIbxZ/KhFvRRp+TXAZ642/fUXOSVFnU9ZA9CeRz2kWcZo3O9tgZX1gN" + + "XigXuxQwLRNt9EBAaisllQa+Tx3eV0JV9faIUyCWUoAX97wm2eFZuT/Su2EUVSWpHdB3g+HtakOUCLDW" + + "kDr5KgjTJA2KHESllgXy3DytU8IXFg3C8h89zKkcRwz9e8UPJHw/7h26DGjHEQn0JEUmAY/eeYjAdhB6" + + "eyuMjdzhhWuA4n6yXt46EVYv/dRG8DX9y38Hpb5mxqCmkZBEtZFKzTKYrYoXqidt26tK5c+ac7Rs9H0e" + + "fDHRp0H3ER+webWC4CkVewI4t5GMhhJcu21zic+wEK3WxbDWnx4d2FpLld9NgKhcgrxaXE2zp0HxW9Dh" + + "OXDyL7bVEcX7Omq8+3oxWNbfFoae/bJkVHMT7+i/xwGnWiAOyZeTgeR6aZLLRQ3Uln8XC+5cqAtzTnjb" + + "PttDyRPy/3Jr9sdWhvp32xI+nacpVYys/ln7+gCO2ss84uTMLJ/HxluJtIUbcikr1gSvh8Dnb/zVlhQ6" + + "4vrZ1/xN2i925crVxw6G/hyhuxWAbNGl/l/6MV59f1d0xAN/gwne4J7wo14mkHtnanF0B8vxG+nqpSeI" + + "7zuCtf9D0fvItboQlgtBXnjxR19pdMGMXn7vz2lYC1qUI0I7JqkzC9EyG7Hck2KVKt6yp6tAVgkdJxx9" 
+ + "E9HYM4o8WxD5xGHxf0KUNZy1kkOeOdf1QrtYB2wBqPuwfgGVxs8UkTahQ7D0XQnSvA/elpDd5/IEJ3ra" + + "cR5p/aM5s4ZcW4v3JQnT/7tIYz1ybk7KWpwRQdOKRKQN8kZSILIvehS9KBmS/0tQ6hkBLx/irWedyP1T" + + "fo34jsV455+5esLpRSDPIA7mx3aGyqQoVxrs3Ak9Nk9+XDITddDREPh93Hj8fyNXk6HWkuVFoE6T8M63" + + "lCrq7w6Vs0ngcgGkFJCH4si45MgG2NFCGaSI2FFHTy3egMN5/vZzVvtXM4YAqCXnoSLvUoniYKm0TGmW" + + "FXdnHifx+oY1RhgojAntbX0MPYLOZwaoTa4gul7m9keGyU72P3HdE19L55uoXOE148K5ozrlh9IEoeC2" + + "HYNEXNHTF5UZOYngL7wzkmwpPoODygB6YCs5uKYx6PD33ApMo4d0Uu00rGihUzHBdMlaCG5DHRQkMcSc" + + "VKFFCN6YcwbBEgP3aXN6EaTO7u6XIRAPH1K7q5HOSAvr975Cyx4GPcavPd7ngDkTEtjlxvs4aqpBBmzv" + + "KBGZnJFNLwWHsXo9ZxGvM2y4i8zqnQCHYGF4Z3+XtDPLMMFvZqR+NzkvMxz8KFYbNie5iqFigOanU+UU" + + "1nRIgBlI0wGVUMHHIYeU0Vf9yL/GL0EBv4dsMTGJs1RSEaQl3bOAvI2TQLHfT4588cyW5Aa8R/omzO9z" + + "HaaU11vjTGkfUBYrdfBZ059kQiIuZu+2StC3kDlK2AWwDrjbjOgwNDJ7s8/A82kc75eENUiJrFQcM+Xz" + + "VpRhI1BgYRLnybONmiKnAi1WH1KBktl0bji8+amxV0xDuIyiiToTxFH1Eo3nxh/l8vZdqyhwWxgV40Hx" + + "7qlp2LaklhWB3BaAGnrExrt/PHJK+bhg5fkZ3I4MOdjvEgrEE+vVqz+OT+J5sxO1WQy7OlGWyAtqV+r2" + + "xvuZTg2pac/sgJwhuM+n2Qr7fPs1ET9fAN+uuJeo+nPKjomEXHkkq5eTjXJTngWuGAOhu9N6TqGYph8u" + + "49wnhO2AON6xYTaQdcI0yVz8NmRHmuW8m58/E0X6H4xGTd0F7nF0NQ/lC7Na6nQ4tZdHv2JuHsceKZCp" + + "DYD084GcjIuQGT7mkKT65PxmkA7JhfmgtWmB7i9EXyB0irvQTVTwWF1yIfbBiEX8hAT040SDF4U1sHIu" + + "tzfr4yyDM1sTQyiQUQxTx0PKD9gQyLVeiW5mhx/mPzm5h+oh/iBRoHRxn2g4sjMM/laVZfWij35la8F8" + + "31qHKVndV7VBBz0zxXkYXddiQIWYcpFSuzn0wZgLqnprHwpgCXfoF5xKq0PXaSnikydBCf4CToc6d7TV" + + "/tYtqBEyrShIcjiYwdJ2jkM/VJGZE1GgdV++fujKYczONq3w5pX7TQ2Mo64TchnycwuaPTvNNyxCgXPK" + + "nzS/mFgXCEl+DwPB469U7ErKS1sRH05CQY5iaz7oWszQSYhH5rBLdD0QjoNaWmBuW+hJwuJ1LMbcLS4K" + + "Eg++Iap/jHyj8rIVhYW65/owPjAhMAkGBSsOAwIaBQAEFMudZv8KHO7eCDfrQRKmsxpQQAq+BBQmpJrx" + + "RG28Kr/df87mNo9qmAQcpgIDAYag"; private static final String KEY_PASSWORD = "password"; private static final String KEYSTORE_PASSWORD = "password"; private static final String TRUSTSTORE_PASSWORD = "password"; - private static final AtomicReference 
keyStorePathNode1 = new AtomicReference<>(); - private static final AtomicReference keyStorePathNode2 = new AtomicReference<>(); + private static final AtomicReference keyStorePathNode = new AtomicReference<>(); private MultiNodeKeyStore() { } @@ -131,7 +124,7 @@ private MultiNodeKeyStore() { /** * @return props brokers will need to connect to support SSL connections. */ - public static Map keyStoreNode1Props() { + public static Map keyStoreProps() { return ImmutableMap.of( SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keyStorePathNode1(), SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, KEYSTORE_PASSWORD, @@ -142,39 +135,13 @@ SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, keyStorePathNode1(), } private static String keyStorePathNode1() { - final Path path = keyStorePathNode1.updateAndGet(existing -> { - if (existing != null) { - return existing; - } - - return KeyStoreUtil.createTemporaryStore("server-key-store-node1", - BASE64_ENCODED_STORE_NODE1); - }); - - return path.toAbsolutePath().toString(); - } - - /** - * @return props brokers will need to connect to support SSL connections. - */ - public static Map keyStoreNode2Props() { - return ImmutableMap.of( - SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keyStorePathNode2(), - SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, KEYSTORE_PASSWORD, - SslConfigs.SSL_KEY_PASSWORD_CONFIG, KEY_PASSWORD, - SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, keyStorePathNode2(), - SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, TRUSTSTORE_PASSWORD - ); - } - - private static String keyStorePathNode2() { - final Path path = keyStorePathNode2.updateAndGet(existing -> { + final Path path = keyStorePathNode.updateAndGet(existing -> { if (existing != null) { return existing; } - return KeyStoreUtil.createTemporaryStore("server-key-store-node2", - BASE64_ENCODED_STORE_NODE2); + return KeyStoreUtil.createTemporaryStore("server-key-store", + BASE64_ENCODED_STORE); }); return path.toAbsolutePath().toString();
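Review bot: `BASE64_ENCODED_STORE` now bundles two private keys behind the literal password `password`, and the class sits under `src/main` of ksqldb-test-util, so the key material ships in that artifact. The new comment says what the store contains but not that it is test-only, how it was generated, or when its certificates expire. I would extend it along the lines of `// Test-only key material, never reference from a production config. Regenerate with keytool: <PLACEHOLDER: regeneration steps and validity period>.` That makes the blob auditable and replaceable when the certificates lapse.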
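Review bot: The helper keeps the name `keyStorePathNode1()` although it now returns the shared store. It appears as unchanged context in the `-131` hunk and again in the `-142` hunk header and context, while the field became `keyStorePathNode` and the public method became `keyStoreProps()`. Renaming the helper to `keyStorePath()` and the field to `keyStorePath` would remove the leftover node-specific naming. The Javadoc line `props brokers will need to connect to support SSL connections` could also say that the store holds both node aliases.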
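Review bot: The lambda passed to `keyStorePathNode.updateAndGet` still calls `KeyStoreUtil.createTemporaryStore`, and `AtomicReference.updateAndGet` may re-apply its function when concurrent updates collide. Under contention more than one temporary file containing the private keys could be written, with only one path retained. The pattern predates this commit, but the new lines keep it. A `synchronized` lazy initialiser, or a holder class that creates the file once, avoids the stray copies. Whether `createTemporaryStore` marks the file for deletion is not visible here.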