Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- 3.7.0, 3.6.2
Description
Since port unification (ZOOKEEPER-3371), AdminServer supports https. But there is no way to disable http and allow https only. It is my understanding that, to be FIPS compliant, only https is allowed. This is one reason it is good to have such a feature.
To enable https currently, we need to set these parameters in zoo.cfg:
ssl.quorum.keyStore.location=/tmp/zookeeper/keystore.jks
ssl.quorum.keyStore.password=password
ssl.quorum.trustStore.location=/tmp/zookeeper/truststore.jks
ssl.quorum.trustStore.password=password
admin.portUnification=true
I generated keystore and truststore with the following commands:
#create test/dev keystore/truststore (ZK runs only on localhost)
keytool -genkeypair -alias zk.dev -keyalg RSA -keysize 2048 -dname "cn=zk.dev" -keypass password -keystore /tmp/zookeeper/keystore.jks -ext san=dns:localhost -storepass password
keytool -exportcert -alias zk.dev -keystore /tmp/zookeeper/keystore.jks -file /tmp/zookeeper/zk.dev.cer -rfc
keytool -keystore /tmp/zookeeper/truststore.jks -storepass password -importcert -alias zk.dev -file /tmp/zookeeper/zk.dev.cer
#check
keytool -list -v -keystore /tmp/zookeeper/truststore.jks
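A way to check from the outside whether an AdminServer port is HTTPS-only or still answers cleartext HTTP, as port unification does. This is an added example, not code from the issue or from ZooKeeper. The function names are hypothetical, and it assumes the AdminServer defaults of port 8080 and command URL `/commands`. Pass the exported `/tmp/zookeeper/zk.dev.cer` as `ca_file` to also validate the certificate.

```python
import socket
import ssl


def _answers_http(host, port, path, timeout, tls, ca_file=None):
    """True if the port returns an HTTP status line over the chosen transport."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False
    try:
        if tls:
            ctx = ssl.create_default_context(cafile=ca_file)
            if ca_file is None:
                # Assumption: without a CA file we only ask "is TLS spoken?",
                # so the self-signed test/dev certificate is not validated.
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request.encode("ascii"))
        return sock.recv(16).startswith(b"HTTP/")
    except OSError:  # includes ssl.SSLError, timeouts and resets
        return False
    finally:
        sock.close()


def probe_admin_server(host="localhost", port=8080, path="/commands",
                       timeout=3.0, ca_file=None):
    """Report which transports the AdminServer port accepts."""
    return {
        "http": _answers_http(host, port, path, timeout, tls=False),
        "https": _answers_http(host, port, path, timeout, tls=True,
                               ca_file=ca_file),
    }


def is_https_only(result):
    """HTTPS-only means TLS is answered and cleartext HTTP is not."""
    return result["https"] and not result["http"]


if __name__ == "__main__":
    result = probe_admin_server()
    print(result, "https-only" if is_https_only(result) else "NOT https-only")
```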
Issue Links
- is caused by ZOOKEEPER-3371 Port unification for admin server (Resolved)
- links to