Unable to create a Kafka topic or connect to a TLS-enabled AWS MSK Kafka broker endpoint: Timed out waiting for a node assignment

dzhpxtsq, posted on 2023-08-02 in Apache

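I want to enable TLS on an AWS MSK Kafka cluster and connect to the brokers from my local Windows machine.
I created the MSK cluster in CloudFormation with the following TLS configuration: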

EncryptionInfo:
    EncryptionInTransit:
      ClientBroker: TLS
      InCluster: True

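I followed this AWS blog to enable TLS on the server and the client machine: https://docs.aws.amazon.com/msk/latest/developerguide/msk-working-with-encryption.html
I did copy the Java truststore cacerts from my local Windows machine to E:\kafka_2.13-3.2.1\tmp\ (by executing the following command)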

copy "C:\Program Files (x86)\Java\jre-1.8\lib\security\cacerts" "E:\kafka_2.13-3.2.1\tmp\kafka.client.truststore.jks"


and created config.properties

security.protocol=SSL
ssl.truststore.location=C:\\Program Files (x86)\\Java\\jre-1.8\\lib\\security\\cacerts
ssl.endpoint.identification.algorithm=https
ssl.truststore.password=changeit


I executed the following command to create a topic on the secured Kafka brokers

kafka-topics.bat --create --bootstrap-server  b-2.xxx.amazonaws.com:9094,b-1.xxx.amazonaws.com:9094 --command-config client.properties --replication-factor 2 --partitions 1 --topic TLSTestTopic


But I got the following error

E:\kafka_2.13-3.2.1\bin\windows>kafka-topics.bat --create --bootstrap-server  b-2.xxx.amazonaws.com:9094,b-1.xxx.amazonaws.com:9094 --command-config client.properties --replication-factor 2 --partitions 1 --topic TLSTestTopic
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/E:/kafka_2.13-3.2.1/libs/slf4j-reload4j-1.7.36.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/E:/Edifecs/TM/sdk/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Reload4jLoggerFactory]
[2023-07-18 00:03:52,275] WARN [AdminClient clientId=adminclient-1] Connection to node -1 (b-2.kafkatlsmskcluster.1lyy3o.c14.kafka.us-west-2.amazonaws.com/10.151.46.36:9094) could not be established. Broker may not be available. (org.apache.kafka.clients.NetworkClient)
Error while executing topic command : Timed out waiting for a node assignment. Call: createTopics
[2023-07-18 00:04:14,090] ERROR org.apache.kafka.common.errors.TimeoutException: Timed out waiting for a node assignment. Call: createTopics
 (kafka.admin.TopicCommand$)


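I have also allowed the TLS port 9094 in the inbound rules of the relevant security group. What am I missing? It should work with Java's truststore, right?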

Answer #1, by lrl1mhuk

I was able to resolve it by allowing the correct IP for port 9094 in the inbound rules of the security group associated with the AWS MSK cluster.
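The warning in the question ("Connection to node -1 ... could not be established", followed by the timeout) does not say whether the failure is at the network layer or the TLS layer. The following is an added example, not code from the original post or from AWS or Kafka: it probes one broker endpoint in two stages so that a blocked security group rule can be told apart from a trust problem. The names `probe_broker` and `HINTS` are assumptions made here.

```python
import socket
import ssl
import sys

# Hints tie each outcome back to the two suspects in the question.
HINTS = {
    "tcp_unreachable": "No TCP path: check the security group inbound rule "
                       "(source IP, port 9094), routing, or VPN.",
    "cert_untrusted": "TCP works but the broker certificate is not trusted: "
                      "check the truststore / CA bundle.",
    "tls_failed": "TCP works but the TLS handshake did not complete: "
                  "check that the port is the TLS listener.",
    "ok": "TCP and TLS both succeed: the network path and trust are fine.",
}


def probe_broker(host, port=9094, timeout=5.0, cafile=None):
    """Return (stage, detail) for one broker endpoint."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # timeout, refused, unreachable, DNS failure
        return ("tcp_unreachable", repr(exc))
    # Python verifies against a PEM CA bundle (system default when
    # cafile is None), not against the JKS truststore Kafka uses.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("cert_untrusted", exc.verify_message)
    except OSError as exc:  # other TLS errors, reset, handshake timeout
        return ("tls_failed", repr(exc))


if __name__ == "__main__":
    # Usage: python probe.py <broker-host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9094
    stage, detail = probe_broker(host, port)
    print(f"{host}:{port} -> {stage} ({detail})")
    print(HINTS[stage])
```

A `tcp_unreachable` result from the client machine corresponds to the situation the answer describes, where the inbound rule did not yet allow the client's IP on port 9094.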
