provides TLS related cipher suites and algorithms in Pulsar. If you need a specific version of Bouncy Castle Provider, please refer to the Bouncy Castle page.
Client certificates are generated using the certificate authority. Server certificates are also generated with the same certificate authority.
The biggest difference between client certs and server certs is that the common name of the client certificate is the role token that the client is authenticated as.
First, enter the following command to generate the key:
$ openssl pkcs8 -topk8 -inform PEM -outform PEM \
-in admin.key.pem -out admin.key-pk8.pem -nocrypt
Next, enter the following command to generate the certificate request. When you are asked for a common name, enter the role token that you want this key pair to authenticate a client as.
$ openssl req -config openssl.cnf \
-key admin.key.pem -new -sha256 -out admin.csr.pem
Then enter the following command to sign the request with the certificate authority. Note that the client cert uses the usr_cert extension, which allows the cert to be used for client authentication.
$ openssl ca -config openssl.cnf -extensions usr_cert \
-days 1000 -notext -md sha256 \
-in admin.csr.pem -out admin.cert.pem
This command gives you a certificate, admin.cert.pem, and a key, admin.key-pk8.pem. Together with ca.cert.pem, a client can use this certificate and key to authenticate to brokers and proxies as admin.
$ cd /etc/pki/tls/misc/CA
$ ./CA -newca
To configure the proxy to authenticate clients, add the following to the proxy.conf configuration:
# For clients connecting to the proxy
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
# For the proxy to connect to brokers
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
The proxy should have its own client key pair. You need to configure the role token of this key pair in the broker's proxy roles (proxyRoles) setting. See the authentication guide for details.
When you use TLS authentication, the client connects via TLS transport. You need to configure the client to use https:// with port 8443 for the web service URL, and pulsar+ssl:// with port 6651 for the broker service URL.
CLI tools
You need to add the following parameters to the file so that the Pulsar CLI tools use TLS authentication:
webServiceUrl=https://broker.example.com:8443/
brokerServiceUrl=pulsar+ssl://broker.example.com:6651/
useTls=true
tlsAllowInsecureConnection=false
tlsTrustCertsFilePath=/path/to/ca.cert.pem
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
authParams=tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem
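The two preceding passages (the https://8443 and pulsar+ssl://6651 rule, and the client.conf parameters) are easy to get subtly wrong, and a client.conf with tlsAllowInsecureConnection=true or a plain http:// URL will still "work" while giving up server verification or TLS altogether. As an added example that is not part of the Pulsar documentation, this POSIX shell linter checks a client.conf for exactly the settings listed above before it is handed to the CLI tools. The file names and the sample values used in the usage note are constructed for the example.

```shell
#!/bin/sh
# Added example, not Pulsar project code: lint a Pulsar client.conf for the
# TLS authentication settings the docs require.

# conf_get FILE KEY: print the value of KEY (last occurrence wins, as in a
# properties file), ignoring leading whitespace. Commented lines are skipped
# because the pattern is anchored at the key name.
conf_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_client_conf FILE: print one line per problem; succeed iff none found.
check_client_conf() {
  f=$1; problems=0
  fail() { echo "$f: $1"; problems=$((problems + 1)); }

  # Web service must be https:// on 8443, broker service pulsar+ssl:// on 6651.
  case "$(conf_get "$f" webServiceUrl)" in
    https://*:8443|https://*:8443/*) ;;
    *) fail "webServiceUrl must use https:// and port 8443" ;;
  esac
  case "$(conf_get "$f" brokerServiceUrl)" in
    pulsar+ssl://*:6651|pulsar+ssl://*:6651/*) ;;
    *) fail "brokerServiceUrl must use pulsar+ssl:// and port 6651" ;;
  esac

  # TLS on, broker certificate verified against a named trust store.
  [ "$(conf_get "$f" useTls)" = true ] || fail "useTls must be true"
  [ "$(conf_get "$f" tlsAllowInsecureConnection)" = false ] ||
    fail "tlsAllowInsecureConnection must be false, otherwise the broker certificate is not verified"
  [ -n "$(conf_get "$f" tlsTrustCertsFilePath)" ] || fail "tlsTrustCertsFilePath is missing"

  # TLS client authentication with a certificate and a PKCS 8 key.
  [ "$(conf_get "$f" authPlugin)" = org.apache.pulsar.client.impl.auth.AuthenticationTls ] ||
    fail "authPlugin must be org.apache.pulsar.client.impl.auth.AuthenticationTls"
  case "$(conf_get "$f" authParams)" in
    tlsCertFile:*,tlsKeyFile:*) ;;
    *) fail "authParams must be tlsCertFile:<cert>,tlsKeyFile:<pkcs8 key>" ;;
  esac

  [ "$problems" -eq 0 ]
}

# Usage when run directly (client.conf is the file shown in the docs):
#   check_client_conf client.conf && echo "client.conf OK"
```

A file matching the parameters listed above passes silently; one that has been edited to http://broker.example.com:8080/ with tlsAllowInsecureConnection=true produces two findings and a non-zero exit status, which makes the check usable as a pre-deployment gate.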
Java client
import org.apache.pulsar.client.api.PulsarClient;
PulsarClient client = PulsarClient.builder()
.serviceUrl("pulsar+ssl://broker.example.com:6651/")
.enableTls(true)
.tlsTrustCertsFilePath("/path/to/ca.cert.pem")
.authentication("org.apache.pulsar.client.impl.auth.AuthenticationTls",
"tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem")
.build();
C++ client
#include <pulsar/Client.h>
pulsar::ClientConfiguration config;
config.setUseTls(true);
config.setTlsAllowInsecureConnection(false);
pulsar::AuthenticationPtr auth = pulsar::AuthTls::create("/path/to/my-role.cert.pem",
"/path/to/my-role.key-pk8.pem");
config.setAuth(auth);
pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);
Node.js client
const Pulsar = require('pulsar-client');
(async () => {
const auth = new Pulsar.AuthenticationTls({
certificatePath: '/path/to/my-role.cert.pem',
privateKeyPath: '/path/to/my-role.key-pk8.pem',
});
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
authentication: auth,
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
});
})();
C# client
using System.Security.Cryptography.X509Certificates;
using DotPulsar;
var clientCertificate = new X509Certificate2("admin.pfx");
var client = PulsarClient.Builder()