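#!/bin/bash
# Generates the TLS material and JAAS configs for a local Kafka dev setup:
# a self-signed root CA, a server keystore and a client keystore whose
# certificates are signed by that CA, a truststore for each side holding the
# CA, and the broker/client JAAS files. Everything is written to the current
# directory.
#
# All certs, keys and stores share one password ($PASS). It is handed to
# openssl/keytool through the environment (env:PASS / -storepass:env PASS)
# instead of as a command-line argument so it does not show up in `ps`.
#
# Abort on the first failing step so a half-built keystore is not silently
# carried into the next import.
set -euo pipefail

# Password used for all the certs, keys, and stores (overridable via env)
export PASS="${PASS:-test1234}"
# Broker server host (overridable via env)
SERVER_HOST="${SERVER_HOST:-localhost}"
# Client server host (overridable via env)
CLIENT_HOST="${CLIENT_HOST:-localhost}"

# Create the root CA
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 \
  -passout env:PASS -batch \
  -subj "/C=US/ST=Oregon/L=Portland/O=Okta/CN=CARoot"

# Import the root CA into server truststore
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert \
  -storepass:env PASS -noprompt
# Import the root CA into the client truststore
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert \
  -storepass:env PASS -noprompt

# Create the server keystore with a private key and unsigned certificate.
# The SAN must carry the broker hostname or hostname verification fails.
keytool -keystore server.keystore.jks -alias server \
  -validity 365 -keyalg RSA -genkey -storepass:env PASS \
  -ext "SAN=DNS:${SERVER_HOST}" \
  -dname "CN=${SERVER_HOST},OU=Kafka-Spring,O=Okta,L=Portland,S=Oregon,C=US"
# Export server cert (as a CSR)
keytool -keystore server.keystore.jks -alias server -certreq -file cert-file-server \
  -storepass:env PASS
# Sign the server cert with the root CA
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file-server \
  -out cert-signed-server -days 365 -CAcreateserial -passin env:PASS
# Import server cert and root CA into server keystore
# (the CA must be present first so the signed chain can be validated on import)
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert \
  -storepass:env PASS -noprompt
keytool -keystore server.keystore.jks -alias server -import -file cert-signed-server \
  -storepass:env PASS -noprompt

# Create the client keystore with a private key and unsigned certificate.
keytool -keystore client.keystore.jks -alias client \
  -validity 365 -keyalg RSA -genkey -storepass:env PASS \
  -ext "SAN=DNS:${CLIENT_HOST}" \
  -dname "CN=${CLIENT_HOST},OU=Kafka-Spring,O=Okta,L=Portland,S=Oregon,C=US"
# Export client cert (as a CSR)
keytool -keystore client.keystore.jks -alias client -certreq -file cert-file-client \
  -storepass:env PASS
# Sign the client cert
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file-client \
  -out cert-signed-client -days 365 -CAcreateserial -passin env:PASS
# Import client cert and CA into client keystore
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert \
  -storepass:env PASS -noprompt
keytool -keystore client.keystore.jks -alias client -import -file cert-signed-client \
  -storepass:env PASS -noprompt

# Create the Kafka server config.
# Written with '>' (not '>>') so re-running the script does not append a
# second KafkaServer block. The credentials below are the demo users for the
# local broker and are stored in plaintext in this file.
cat <<'EOT' > kafka_server_jaas.conf
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
EOT

# Create the Kafka client config (same overwrite semantics as above)
cat <<'EOT' > kafka_client_jaas.conf
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="alice"
password="alice-secret";
};
EOT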