Authentication using TLS
The Bouncy Castle Provider provides TLS-related cipher suites and algorithms in Pulsar. If you need a specific version of the Bouncy Castle Provider, refer to the Bouncy Castle page.
Client certificates are generated using the certificate authority. Server certificates are also generated with the same certificate authority. The biggest difference between client certs and server certs is that the common name of the client certificate is the role token that the client is authenticated as.
To use client certificates, you need to set tlsRequireTrustedClientCertOnConnect=true on the broker side. For details, refer to the TLS transport documentation.
First, enter the following command to convert the key admin.key.pem to the PKCS 8 format that the client expects:
$ openssl pkcs8 -topk8 -inform PEM -outform PEM \
-in admin.key.pem -out admin.key-pk8.pem -nocrypt
Next, enter the command below to generate the certificate request. When you are asked for a common name, enter the role token that you want this key pair to authenticate a client as.
$ openssl req -config openssl.cnf \
-key admin.key.pem -new -sha256 -out admin.csr.pem
note
If you do not have an openssl.cnf, read the certificate authority section of the TLS transport documentation to get one.
Then, enter the command below to sign the request with the certificate authority. Note that the client cert uses the usr_cert extension, which allows the cert to be used for client authentication.
$ openssl ca -config openssl.cnf -extensions usr_cert \
-days 1000 -notext -md sha256 \
-in admin.csr.pem -out admin.cert.pem
You get a cert, admin.cert.pem, and a key, admin.key-pk8.pem, from this command. Together with ca.cert.pem, clients can use this cert and key to authenticate themselves to brokers and proxies as the role token admin.
note
If the “unable to load CA private key” error occurs in this step and the reason given is “No such file or directory: /etc/pki/CA/private/cakey.pem”, try the command below:
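The three openssl steps above, followed by the checks a broker effectively applies to a client cert (chain validates against the trusted CA, the CN is the expected role token, the cert is valid for client authentication), as an added example that is not part of the Pulsar docs. It builds a throwaway CA with openssl req -x509 and signs with openssl x509 -req instead of openssl ca/openssl.cnf; the CA, the role token admin and all paths are constructed for the demo.

```shell
# Added example (not from the Pulsar docs): build a throwaway CA and a client
# cert whose CN is the role token "admin", then check what a broker relies on
# before mapping the cert to a role: chain, CN as role token, client-auth use.
set -eu

# check_client_cert CERT CA ROLE: returns 0 if CERT is acceptable for ROLE
check_client_cert() {
    cert=$1; ca=$2; role=$3
    # 1. signed by the CA the broker trusts (tlsTrustCertsFilePath)
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2. the CN is what AuthenticationProviderTls uses as the role token
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$role" ] || return 2
    # 3. usable for client authentication (the usr_cert-style extensions)
    openssl x509 -in "$cert" -noout -purpose | grep -q '^SSL client : Yes' || return 3
}

# make_demo_certs DIR: constructed CA and client material for this demo only
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Pulsar CA' \
        -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" 2>/dev/null
    # client key and CSR; the CN is the role token, as in the steps above
    openssl req -newkey rsa:2048 -nodes -subj '/CN=admin' \
        -keyout "$dir/admin.key.pem" -out "$dir/admin.csr.pem" 2>/dev/null
    # sign with the CA, adding the client-auth extensions usr_cert provides
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 2 -in "$dir/admin.csr.pem" -CA "$dir/ca.cert.pem" \
        -CAkey "$dir/ca.key.pem" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/admin.cert.pem" 2>/dev/null
    # PKCS 8 conversion, the form the Pulsar client expects
    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
        -in "$dir/admin.key.pem" -out "$dir/admin.key-pk8.pem"
}

main() {
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    for role in admin superuser; do
        if check_client_cert "$dir/admin.cert.pem" "$dir/ca.cert.pem" "$role"; then
            echo "cert accepted for role '$role'"
        else
            echo "cert rejected for role '$role'"
        fi
    done
    rm -rf "$dir"
}
main "$@"
```

Run against a real ca.cert.pem and admin.cert.pem, check_client_cert tells you whether the cert the broker sees will map to the role you expect before you touch superUserRoles or proxyRoles.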
To configure brokers to authenticate clients, add the following parameters to broker.conf, alongside the configuration to enable TLS transport:
# Configuration to enable authentication
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
superUserRoles=admin
# Authentication settings of the broker itself. Used when the broker connects to other brokers, either in same or other clusters
brokerClientTlsEnabled=true
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters={"tlsCertFile":"/path/my-ca/admin.cert.pem","tlsKeyFile":"/path/my-ca/admin.key-pk8.pem"}
brokerClientTrustCertsFilePath=/path/my-ca/certs/ca.cert.pem
To configure proxies to authenticate clients, add the following parameters to proxy.conf, alongside the configuration to enable TLS transport.
The proxy should have its own client key pair for connecting to brokers. You need to configure the role token for this key pair in the proxyRoles setting of the brokers. See the Pulsar proxy documentation for more details.
# For clients connecting to the proxy
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
# For the proxy to connect to brokers
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters=tlsCertFile:/path/to/proxy.cert.pem,tlsKeyFile:/path/to/proxy.key-pk8.pem
When you use TLS authentication, the client connects via TLS transport. You need to configure the client to use https:// and port 8443 for the web service URL, and pulsar+ssl:// and port 6651 for the broker service URL.
CLI tools
Command-line tools like pulsar-admin and pulsar-client use the conf/client.conf config file in a Pulsar installation.
webServiceUrl=https://broker.example.com:8443/
brokerServiceUrl=pulsar+ssl://broker.example.com:6651/
useTls=true
tlsAllowInsecureConnection=false
tlsTrustCertsFilePath=/path/to/ca.cert.pem
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
authParams=tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem
Python client
from pulsar import Client, AuthenticationTLS

# client cert and PKCS 8 key; the cert's CN is the role token
auth = AuthenticationTLS("/path/to/my-role.cert.pem", "/path/to/my-role.key-pk8.pem")
client = Client("pulsar+ssl://broker.example.com:6651/",
                tls_trust_certs_file_path="/path/to/ca.cert.pem",
                tls_allow_insecure_connection=False,
                authentication=auth)
C++ client
#include <pulsar/Client.h>

pulsar::ClientConfiguration config;
config.setUseTls(true);
config.setTlsTrustCertsFilePath("/path/to/ca.cert.pem");
config.setTlsAllowInsecureConnection(false);
// client cert and PKCS 8 key; the cert's CN is the role token
pulsar::AuthenticationPtr auth = pulsar::AuthTls::create("/path/to/my-role.cert.pem",
                                                         "/path/to/my-role.key-pk8.pem");
config.setAuth(auth);
pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);
Node.js client
const Pulsar = require('pulsar-client');

(async () => {
  // client cert and PKCS 8 key; the cert's CN is the role token
  const auth = new Pulsar.AuthenticationTls({
    certificatePath: '/path/to/my-role.cert.pem',
    privateKeyPath: '/path/to/my-role.key-pk8.pem',
  });

  const client = new Pulsar.Client({
    serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
    authentication: auth,
    tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
  });

  await client.close();
})();