Uploaded image for project: 'AMQ Streams'
  1. AMQ Streams
  2. ENTMQST-1519

[QE] - Possibility for users to configure the broker certificates just for the listeners

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Major Major
    • 1.4.0.GA
    • 1.2.0.GA
    • openshift-integration
    • None
    • 2020.1

      Customer main issue is:

      We need to change the server certificate used by Kafka such that it uses a our own Signed certificate that we sign using our official Bank CA, rather than the one that is automatically generated by the Operator and added to Kafka.

      Problem is:
      1. we cant get an intermediate CA from the Bank, the Bank security only uses locked downed CA's and will not provide a CA of any kind we can use.

      2. Tried TCP with SNI: AMQ Streams engineering tried re-encrypt but it doesn't seem work. The Kafka client does not get through into the broker. So this is not an option for us unless OpenShift improves the Router capabilities.

      With above 2 problems there is an alternate solution:
      The possibility for users to configure the broker certificates just for the listeners. I.e. configure just the certificates used by brokers on the external interface for example, while the inter cluster communication would be still done through Strimzi CA. This is much easier for the users to configure since the listeners designed for their applications are not used for replication and the requirements would be much more relaxed (i.e. just a regular server certificate, no CAs).

              jstejska@redhat.com Jakub Stejskal
              morsak Maros Orsak
              Jakub Stejskal Jakub Stejskal
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: