I wrote a new bash script that creates a self-signed root CA and the required server and client certificates, keystores and truststores; these worked for me.
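#!/bin/bash
# Creates a self-signed root CA, a server JKS keystore/truststore and a client
# key + certificate signed by that CA. Every step prints a banner and waits
# for a keypress so the run can be aborted with Ctrl+C.
#
# Inputs (environment overrides are honoured; defaults match the original):
#   PASSWORD        passphrase for the keystores, the server key and the CA key
#   VALIDITY        certificate lifetime in days
#   SERVER_HOSTNAME hostname clients use to reach the server (CN and SAN)
#
# Outputs, all in the current directory:
#   rootca.key.pem, rootca.cert.pem
#   $SERVER_HOSTNAME-server.keystore.jks, $SERVER_HOSTNAME-server.csr,
#   $SERVER_HOSTNAME-server.cert.pem, kafka.server.truststore.jks
#   mytestclient.key.pem, mytestclient.csr, mytestclient.cert.pem
set -euo pipefail

PASSWORD=${PASSWORD:-password}
VALIDITY=${VALIDITY:-365}
SERVER_HOSTNAME=${SERVER_HOSTNAME:-YourServerHostname}
# keytool (-storepass:env) and openssl (env:) read the passphrase from the
# environment, so it is not visible on the command line via `ps`.
export PASSWORD

die() { printf '%s\n' "$*" >&2; exit 1; }

# Print a banner (one argument per line) and wait for a keypress.
pause() {
  echo ""
  echo "##############"
  printf '%s\n' "$@"
  echo "##############"
  read -n1 -rsp $'Press any key to continue or Ctrl+C to exit...\n'
}

# openssl x509 -req does not copy extensions from the CSR, so the SAN the
# server cert needs for hostname verification is supplied via -extfile.
EXT_FILE=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$EXT_FILE"' EXIT
printf 'subjectAltName=DNS:%s\n' "$SERVER_HOSTNAME" > "$EXT_FILE"

# Step 1 - Generate CA cert
pause "Will Create key pair for Root CA, to be used for signing other certs"
# The CA key is encrypted with $PASSWORD so both signing steps below can
# unlock it the same way (the original asked interactively here but assumed
# $PASSWORD when signing the server cert).
openssl req -new -x509 -keyout rootca.key.pem -out rootca.cert.pem \
  -days "$VALIDITY" -passout env:PASSWORD

# Generate server keystore with RSA private key
pause "Will create jks with server private key in RSA format" \
  "***** When asked for first and last name" \
  "***** Make sure to provide the hostname client uses for connecting"
# -storetype JKS: newer JDKs default to PKCS12, which would not match the
# ssl.keystore.type=JKS setting on the broker. -keypass equals -storepass
# so ssl.key.password and ssl.keystore.password can be the same value.
keytool -genkeypair -alias "$SERVER_HOSTNAME" -keyalg RSA -keysize 2048 \
  -keystore "$SERVER_HOSTNAME-server.keystore.jks" -storetype JKS \
  -validity "$VALIDITY" -storepass:env PASSWORD -keypass:env PASSWORD

# Generate cert signing request
pause "Will generate server's cert signing request"
keytool -keystore "$SERVER_HOSTNAME-server.keystore.jks" -alias "$SERVER_HOSTNAME" \
  -certreq -file "$SERVER_HOSTNAME-server.csr" -storepass:env PASSWORD

# Sign server certificate with self-signed CA from Step 1
pause "Will sign server certificate"
# Uses $VALIDITY (the original hard-coded 365 here) and attaches the SAN.
openssl x509 -req -CA rootca.cert.pem -CAkey rootca.key.pem \
  -in "$SERVER_HOSTNAME-server.csr" -out "$SERVER_HOSTNAME-server.cert.pem" \
  -days "$VALIDITY" -CAcreateserial -passin env:PASSWORD -extfile "$EXT_FILE"

# Import RootCA cert from step 1 into server's keystore
pause "Will import RootCA into server's keystore"
keytool -keystore "$SERVER_HOSTNAME-server.keystore.jks" -alias CARoot \
  -importcert -file rootca.cert.pem -storepass:env PASSWORD

# Import signed server cert into server's keystore
pause "Will import signed server cert into server's keystore"
keytool -keystore "$SERVER_HOSTNAME-server.keystore.jks" -alias "$SERVER_HOSTNAME" \
  -importcert -file "$SERVER_HOSTNAME-server.cert.pem" -storepass:env PASSWORD

# Import RootCA cert into server truststore
pause "Will import RootCA cert into server's truststore"
keytool -keystore kafka.server.truststore.jks -storetype JKS -alias CARoot \
  -importcert -file rootca.cert.pem -storepass:env PASSWORD

### Create client cert
# Create client RSA private key and certificate request
pause "Will create client RSA private key and certificate request"
# -nodes leaves the client key unencrypted, as the original did; -days is not
# meaningful for a CSR and was dropped.
openssl req -nodes -new -keyout mytestclient.key.pem -out mytestclient.csr

# Sign client certificate with CA cert from step 1
pause "Will sign client certificate with CA cert and key from step 1"
openssl x509 -req -CA rootca.cert.pem -CAkey rootca.key.pem \
  -in mytestclient.csr -out mytestclient.cert.pem \
  -days "$VALIDITY" -CAcreateserial -passin env:PASSWORD

echo ""
echo "##############"
echo "Following files were generated"
echo "Server java keystore: $SERVER_HOSTNAME-server.keystore.jks"
echo "Server java truststore: kafka.server.truststore.jks"
echo "Signed Client cert: mytestclient.cert.pem"
echo "Client RSA private key: mytestclient.key.pem"
echo "Client PEM truststore: rootca.cert.pem"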
The Kafka broker config:
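# Broker-side TLS settings for the keystore and truststore produced by the script above.
# Paths are the original poster's; point them at wherever the .jks files were copied.
ssl.keystore.location=/home/kafka/cert-test2/vm-kafka-001-server.keystore.jks
# Same value as PASSWORD in the script; the key password equals the store password there.
ssl.keystore.password=password
ssl.key.password=password
ssl.truststore.location=/home/kafka/cert-test2/kafka.server.truststore.jks
ssl.truststore.password=password
# Mutual TLS: a client must present a certificate chaining to the root CA in the truststore.
ssl.client.auth=required
# TLS 1.2 only; TLS 1.0 and 1.1 are deprecated and should not be offered by the broker.
ssl.enabled.protocols=TLSv1.2
# Must match the -storetype used when the keystores were created.
ssl.keystore.type=JKS
ssl.truststore.type=JKS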
The Filebeat config:
# Filebeat Kafka output using the client key/certificate and root CA produced by the script.
kafka:
  hosts: ["vm-kafka-001.mydomain.com:9093"]
  tls:
    certificate: /fs/opt/filebeat/config/cert-test2/mytestclient.cert.pem
    certificate_key: /fs/opt/filebeat/config/cert-test2/mytestclient.key.pem
    # NOTE(review): Filebeat documents certificate_authorities as a list; confirm the scalar form is accepted by the version in use.
    certificate_authorities: /fs/opt/filebeat/config/cert-test2/rootca.cert.pem
Hope this helps.