SSL communication between Filebeat and Kafka

Hi All,

We have a cluster where we have 2-way SSL authentication enabled in Kafka.

Also we have log management setup in the same cluster like FileBeat --> Kafka --> Logstash --> ElasticSearch --> Kibana.

Now since SSL is enabled in Kafka, client (FileBeat and Logstash) should be enabled with SSL option. Though I'm clear to certain level how Kafka SSL works with keystore and truststore, I'm not able to understand how Filebeat should be configured with the CA of Kafka.

Can someone give detailed explanation on what are the files I've to pass on to the below configurations in filebeat.yml.

ssl.certificate_authorities
ssl.certificate
ssl.key

Regards,
Subash Kunjupillai

Hi,

  • ssl.certificate_authorities: This is a list of certificates that the Beat will trust. So you put in here the root certificate that signed the certificate that Kafka uses.

  • ssl.certificate: This is the client-side certificate. As you are using 2-way authentication, here you have to put the certificate that identifies the Beat.

  • ssl.key: This is the private key for the certificate in ssl.certificate.

Hi Adrisr,

Thanks for sharing the details.

To start off, I just tried to add the CA of Kafka in ssl.certificate_authorities so that encryption of data will happen.

But on doing so, I'm getting the "x509 : cannot validate certificate for [Public IP] because it doesn't contain any IP SANs" error in Filebeat log.

I'm sure that I've set SAN with the public IP of the respective Kafka broker machines and I've validated them before signing the certificate with CA.

Can you please help me to understand where I would be going wrong.

Regards,
Subash Kunjupillai

can you double-check that the certificate contains the IP SANs?

You can get the certificate with:

openssl s_client -showcerts -connect IP:9093

Hi Adrisr,

On running the above command, I'm getting the below

openssl s_client -showcerts -connect XX.XX.XX.115:9093
CONNECTED(00000003)
depth=0 C = XX, ST = XX, L = XX, O = XXXX, OU = XX, CN = *
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = XXXX, OU = XX, CN = *
verify return:1
Certificate chain
0 s:/C=XX/ST=XX/L=XX/O=XXXX/OU=XX/CN=*
i:/C=XX/ST=XX/L=XX/O=XXXX/OU=XX/CN=*
-----BEGIN CERTIFICATE-----
MIIDJDCCAgwCCQC13GlMA2vKPzANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJT
VzELMAkGA1UECAwCS0ExCzAJBgNVBAcMAktBMREwDwYDVQQKDAhFcmljc3NvbjEM
MAoGA1UECwwDQ1JTMQowCAYDVQQDDAEqMB4XDTE4MDcwNjE3MTYyN1oXDTI4MDcw
MzE3MTYyN1owVDELMAkGA1UEBhMCU1cxCzAJBgNVBAgTAktBMQswCQYDVQQHEwJL
QTERMA8GA1UEChMIRXJpY3Nzb24xDDAKBgNVBAsTA0NSUzEKMAgGA1UEAwwBKjCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMO5YHnHocbmN+zg/Qqq+aUJ
vQ9w1lTMfP6BHuobG2xd20hoXsj+DpdDrBry+iF1MvuOC+xYl25ODb7WhllVO+bz
kwPh1bbjGe7+PGKu3cLIAK9WWnlt3KCx0UsUhF7HuG9YcbpNz+xxjb6wlH0q4cre
QT9Q4aNhLn67HUA/ZjEXA9OEzxyiqEctYPGZIpkcn98jmymS+aEIBkiWGUS45+Cj
fg4jqy6Ow7vmC/3qndQ0iU4zxZgGkjhLwc7a30CNfQa3jBHj24ajOzAVb1US/hCZ
X2Y1QOVDLa6hfMkEXUivoD60nbcGLajS3WmJIer4FP/FZKACVoclrVkTELFI3GMC
AwEAATANBgkqhkiG9w0BAQUFAAOCAQEAr0Pnf/UHjVfWQWfSlSP4DQIoL5LesFY+
qRqY9db4j0Msg1q91zRoUiioe7w5Vw5Nd78bwwLpBFmFqbKga7ymid42+ZMglc/d
/laiv1TxbCdEQjnLIxOtQJ7gFysxV+XwKsCqUSQHYaTjOibuPR2LbbzTCO17PRMy
b+vuhD6+WBlpefBArm+3HildWQz7qn5Zt/PB1oANU0HwkMOyDa9dpoTiM2yjndsK
1Y1mnfRLm/+a9Z9q/VGwNBQPBT/xI/QgaGtE1k/3gJUn/vOuJ6lLM4D/b3wPcI+J
KKhWpDEH3rUKyoQTpWHeN4x+a3P0iKl7B06cv+ONpCoa8HutL5hv0w==
-----END CERTIFICATE-----
1 s:/C=XX/ST=XX/L=XX/O=XXXX/OU=XX/CN=*
i:/C=XX/ST=XX/L=XX/O=XXXX/OU=XX/CN=*
-----BEGIN CERTIFICATE-----
MIIDezCCAmOgAwIBAgIJAOeDYHjSIpe4MA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV
BAYTAlNXMQswCQYDVQQIDAJLQTELMAkGA1UEBwwCS0ExETAPBgNVBAoMCEVyaWNz
c29uMQwwCgYDVQQLDANDUlMxCjAIBgNVBAMMASowHhcNMTgwNzA2MTcxNjE1WhcN
MjgwNzAzMTcxNjE1WjBUMQswCQYDVQQGEwJTVzELMAkGA1UECAwCS0ExCzAJBgNV
BAcMAktBMREwDwYDVQQKDAhFcmljc3NvbjEMMAoGA1UECwwDQ1JTMQowCAYDVQQD
DAEqMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5mey7Asqpk+muzH5
et7xtGW+3hZlZDrv6FWd5GneFCucF/GGjY3yTEqlHa5wxth8HIUNYcCS2tQjSsmv
jxAlhE7lF5R/iUgYvlC+LTvCP2q/g1us5TK+eCwVhQAL4QAf9igytvBE/Fsnn6fX
AM1EkPDbnUP1I+fPPHgFRdF6geRVTEUc1SR/LOAZbLzahGQ5WMt53GRj5xs08WEn
zD9eWeZPKTSP97q4jhG9JFkeZwFXFN5Xzif+podLIzM0LTBD04xSuIsH+A6XT+Bf
LS3QKjDs0PART9po+pSZKdI3Gv+gLGgUOjkwOAFyJMCi0g6Z5JsxmsRD8ae+WScg
CS64vwIDAQABo1AwTjAdBgNVHQ4EFgQUgs1yRIV0x6s3dZkIAGbATjFjDCgwHwYD
VR0jBBgwFoAUgs1yRIV0x6s3dZkIAGbATjFjDCgwDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAErCcrBhHEEm7aNQpTnjTZd8I/3oGAju2bdw1ysqYKZLQ
spVFU20gvHAshMCg/+fTBcKVwDkzsjP1TDeuQ81SOyWHWNtNGsuVdsJN8oIxx5AG
Llv0WkedazvxG3GamxK8vtiitjgwDdS/K4cT5HTredCiGEbD5Qft2LYleMpqGzRo
84xICYEgSZpHEY29QXqcM0kWiz6jo+TGtjRtCHBeawdfQb2OuzexkOoKOadj4liH
8DzGIoFE2RBbjc7kd6idUgxh9Uenra/ks7uhf6IFjztAvGMPPEY9qt0CPR+cPYIn
kykBKeYZ1MsPxYlrQGqeYcnz6bM/6G58JIjTAOitlQ==
-----END CERTIFICATE-----
Server certificate
subject=/C=XX/ST=XX/L=XX/O=XXXX/OU=XX/CN=*
issuer=/C=XX/ST=XX/L=XX/O=XXXX/OU=XX/CN=*
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
SSL handshake has read 2258 bytes and written 441 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 5B3FA65DDE9A09886C1A725F46758274B810610F1DF11D23811773D44362A7F3
Session-ID-ctx:
Master-Key: 8105A8F49419A1D6AB3C06810FB3CCCF0A668DC7F812A9D5B2379AE7BAC4BEC0270A47C68E8A1B4549845E1B49CD2BF8
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1530898013
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

The SAN was not set by the CA while signing the CSR. By following this link I was able to set SAN in the signed certificate.

Thanks a lot for your help!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.