zkCli.sh connecting to a server on SSL port 2281

Problem description

We are having trouble connecting to the Zookeeper server on port 2281 (the secure port). We tried zkCli.sh -server localhost:2281. How do we connect to zk over SSL?

      at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1262) [zookeeper-3.6.1.jar:3.6.1]
2020-12-01T15:59:48.672+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1154] - Opening socket connection to server localhost/127.0.0.1:2281.
2020-12-01T15:59:48.672+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1156] - SASL config status: Will not attempt to authenticate using SASL (unknown error)
2020-12-01T15:59:48.673+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@986] - Socket connection established, initiating session, client: /127.0.0.1:55104, server: localhost/127.0.0.1:2281
2020-12-01T15:59:48.675+0000 [myid:localhost:2281] - WARN  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1272] - Session 0x0 for sever localhost/127.0.0.1:2281, Closing socket connection. Attempting reconnect except it is a SessionExpiredException.
org.apache.zookeeper.ClientCnxn$EndOfStreamException: Unable to read additional data from server sessionid 0x0, likely server has closed socket
        at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:75) ~[zookeeper-3.6.1.jar:3.6.1]
        at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:348) ~[zookeeper-3.6.1.jar:3.6.1]
        at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1262) [zookeeper-3.6.1.jar:3.6.1]
2020-12-01T15:59:50.562+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1154] - Opening socket connection to server localhost/127.0.0.1:2281.
2020-12-01T15:59:50.562+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1156] - SASL config status: Will not attempt to authenticate using SASL (unknown error)
2020-12-01T15:59:50.563+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@986] - Socket connection established, initiating session, client: /127.0.0.1:55118, server: localhost/127.0.0.1:2281
2020-12-01T15:59:50.565+0000 [myid:localhost:2281] - WARN  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1272] - Session 0x0 for sever localhost/127.0.0.1:2281, Closing socket connection. Attempting reconnect except it is a SessionExpiredException.
org.apache.zookeeper.ClientCnxn$EndOfStreamException: Unable to read additional data from server sessionid 0x0, likely server has closed socket
        at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:75) ~[zookeeper-3.6.1.jar:3.6.1]
        at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:348) ~[zookeeper-3.6.1.jar:3.6.1]
        at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1262) [zookeeper-3.6.1.jar:3.6.1]
2020-12-01T15:59:52.068+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1154] - Opening socket connection to server localhost/127.0.0.1:2281.
2020-12-01T15:59:52.068+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1156] - SASL config status: Will not attempt to authenticate using SASL (unknown error)
2020-12-01T15:59:52.069+0000 [myid:localhost:2281] - INFO  [main-SendThread(localhost:2281):ClientCnxn$SendThread@986] - Socket connection established, initiating session, client: /127.0.0.1:55140, server: localhost/127.0.0.1:2281
2020-12-01T15:59:52.071+0000 [myid:localhost:2281] - WARN  [main-SendThread(localhost:2281):ClientCnxn$SendThread@1272] - Session 0x0 for sever localhost/127.0.0.1:2281, Closing socket connection. Attempting reconnect except it is a SessionExpiredException.
org.apache.zookeeper.ClientCnxn$EndOfStreamException: Unable to read additional data from server sessionid 0x0, likely server has closed socket
        at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:75) ~[zookeeper-3.6.1.jar:3.6.1]
        at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:348) ~[zookeeper-3.6.1.jar:3.6.1]
        at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1262) [zookeeper-3.6.1.jar:3.6.1]

Server configuration

  authProvider.loadableX509=com.mom.generic.conn.authentication.AuthenticationLoader
  ssl.authProvider=loadableX509
  serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
  sslQuorumReloadCertFiles=true
  secureClientPort=2281
  sslQuorum=false
  portUnification=true
  ssl.quorum.clientAuth=need
  ssl.quorum.hostnameVerification=true
  ssl.quorum.keyStore.location=/etc/zookeeper/secrets/cert.pem
  ssl.quorum.trustStore.location=/run/zookeeper/secrets/tlsca/cacertpem
  ssl.trustStore.location=/run/zookeeper/secrets/client_ca/clientca.pem
  ssl.keyStore.location=/etc/zookeeper/secrets/cert.pem
  ssl.clientAuth=need

Need help with this.

Tags: java, ssl

Solution


You have ssl.clientAuth set to need. If that is the case, you will have to provide the ZK client configuration through a config file, client.conf, containing the client certificate data (truststore/keystore) as well as the server certificate to trust, and run bin/zkCli.sh -client-configuration client.conf -server localhost:2281. You can also put the settings in the CLIENT_JVMARGS environment variable, as described in the ZooKeeper SSL guide.

A quick way to test connectivity to ZK over TLS is to run the four-letter-word commands with ssl.clientAuth disabled on the server side, e.g. srvr, stat or mntr, as:

echo mntr | nc --ssl localhost:2281

This will tell you whether TLS is set up correctly on the server side and whether you can connect to the securePort.
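The client-side configuration the answer describes, as an added example that is not part of the original post: it writes a client.conf for mutual TLS (the server above uses PEM files and ssl.clientAuth=need), checks the file before launching zkCli, and verifies the handshake with openssl while presenting the client certificate, so clientAuth does not have to be disabled on the server for the test. The file names under ZK_SECRETS and the bin/zkCli.sh path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the client.conf that the
# -client-configuration route needs for mutual TLS to secureClientPort 2281,
# check it before launching zkCli, and verify the handshake with openssl.
# File names under ZK_SECRETS are assumptions; adjust to your deployment.

# Keystore = client cert + private key (PEM), truststore = CA of the server cert.
write_client_conf() {            # $1 output path, $2 keystore, $3 truststore
  cat > "$1" <<EOF
zookeeper.client.secure=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keyStore.location=$2
zookeeper.ssl.keyStore.type=PEM
zookeeper.ssl.trustStore.location=$3
zookeeper.ssl.trustStore.type=PEM
zookeeper.ssl.hostnameVerification=true
EOF
}

# Same settings as -D flags, for the CLIENT_JVMARGS environment-variable route.
client_jvmargs() { sed 's/^/-D/' "$1" | tr '\n' ' '; }

# Refuse to launch with an incomplete config: every key mutual TLS needs must
# be present and both PEM files readable. Returns 0 when ok, 1 otherwise.
check_client_conf() {
  for k in zookeeper.client.secure zookeeper.clientCnxnSocket \
           zookeeper.ssl.keyStore.location zookeeper.ssl.trustStore.location; do
    grep -q "^$k=" "$1" || { echo "$1: missing $k" >&2; return 1; }
  done
  ks=$(sed -n 's/^zookeeper\.ssl\.keyStore\.location=//p' "$1")
  ts=$(sed -n 's/^zookeeper\.ssl\.trustStore\.location=//p' "$1")
  [ -r "$ks" ] && [ -r "$ts" ]
}

# Handshake check that keeps ssl.clientAuth=need on the server: present the
# client cert and send the mntr four-letter word (on 3.5+ it must be listed in
# the server's 4lw.commands.whitelist, otherwise the server replies that it is not).
tls_mntr() {                      # $1 host:port, $2 keystore, $3 truststore
  printf 'mntr' | openssl s_client -quiet -connect "$1" -cert "$2" -key "$2" -CAfile "$3"
}

# Run the whole procedure only when ZK_RUN=1, so the file can also be sourced.
if [ "${ZK_RUN:-0}" = 1 ]; then
  d=${ZK_SECRETS:-$HOME/zk-secrets}
  write_client_conf "$d/client.conf" "$d/client.pem" "$d/ca.pem"
  check_client_conf "$d/client.conf" || exit 1
  tls_mntr localhost:2281 "$d/client.pem" "$d/ca.pem"
  bin/zkCli.sh -client-configuration "$d/client.conf" -server localhost:2281
fi
```

To use the CLIENT_JVMARGS route instead of -client-configuration, export CLIENT_JVMARGS="$(client_jvmargs "$d/client.conf")" before starting bin/zkCli.sh.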

