golang zookeeper加密连接
golang 使用ssl连接示例
package main
import (
"crypto/tls"
"crypto/x509"
"fmt"
"github.com/samuel/go-zookeeper/zk"
"io/ioutil"
"net"
"time"
)
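// main connects to a ZooKeeper server over TLS using the dialer built by
// getDialer, creates an ephemeral znode, checks that it exists and reads its
// data back. Any failure is reported on stdout and ends the demo.
func main() {
	dialer := getDialer()
	options := zk.WithDialer(dialer)
	// time.Second is the session timeout negotiated with the server.
	conn, _, err := zk.Connect([]string{"192.168.20.32:2182"}, time.Second, options)
	if err != nil {
		fmt.Printf("zk connect failed,err:%v\n", err)
		return
	}
	// Close the session when the demo ends; the ephemeral node created below
	// is removed by the server when the session goes away.
	defer conn.Close()

	// Create the node. zk.FlagEphemeral (the bare 1 in the original) ties the
	// node's lifetime to this session. zk.WorldACL(zk.PermAll) lets any
	// client read, write and delete it, which is only acceptable for a demo.
	serverPath, err := conn.Create("/1500Server", []byte("hello world"), zk.FlagEphemeral, zk.WorldACL(zk.PermAll))
	if err != nil {
		fmt.Printf("zk create path failed,err:%v\n", err)
		return
	}
	fmt.Printf("----------serverPath:%v\n", serverPath)

	// Check that the node is visible through the same session.
	exist, _, err := conn.Exists("/1500Server")
	if err != nil {
		fmt.Printf("zk exist path failed,err:%v\n", err)
		return
	}
	fmt.Printf("----------exist:%v\n", exist)

	// Read the node's data back.
	byteData, _, err := conn.Get("/1500Server")
	if err != nil {
		fmt.Printf("zk get path failed,err:%v\n", err)
		return
	}
	fmt.Printf("----------get data:%v\n", string(byteData))
}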
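// getDialer returns a zk.Dialer that wraps every ZooKeeper connection in TLS.
//
// The server certificate is verified against the PEM bundle at caCertPath
// and the client authenticates with the key pair at clientCertPath and
// clientKeyPath (mutual TLS). The dialer honours the network and addr it is
// handed by the zk client, so the servers given to zk.Connect are the ones
// actually dialed; the original ignored addr and always dialed one fixed
// address.
//
// Differences from the original: InsecureSkipVerify is no longer set (it
// disabled the verification that RootCAs was meant to provide), a failed
// handshake closes the socket and returns the error instead of handing a
// half-open connection back to the client, and the certificate files are
// checked to contain at least one certificate.
func getDialer() zk.Dialer {
	// Paths are local to the author's machine; adjust them to your deployment.
	const (
		caCertPath     = "E:/code/gocode/TestCode/src/Zookeeper-demo/cert/server.crt"
		clientCertPath = "E:/code/gocode/TestCode/src/Zookeeper-demo/cert/client.crt"
		clientKeyPath  = "E:/code/gocode/TestCode/src/Zookeeper-demo/cert/client.key"
	)
	return func(network, addr string, timeout time.Duration) (net.Conn, error) {
		// Files are re-read on every dial, as in the original, so a rotated
		// certificate is picked up on the next reconnect.
		tlsConfig, err := newTLSConfig(caCertPath, clientCertPath, clientKeyPath)
		if err != nil {
			return nil, err
		}

		// Verify the server certificate against the host we actually dial.
		// NOTE: the keytool commands on this page issue the server certificate
		// with only CN=localhost and no SAN; Go ignores the CN, so the server
		// certificate needs a SAN matching this host (for keytool, something
		// like -ext SAN=ip:<server-ip>) for the handshake to succeed.
		host, _, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, fmt.Errorf("invalid zookeeper address %q: %v", addr, err)
		}
		tlsConfig.ServerName = host

		// Plain TCP first, bounded by the timeout the zk client asked for.
		ipConn, err := net.DialTimeout(network, addr, timeout)
		if err != nil {
			fmt.Printf("Could not connect \n")
			return nil, err
		}
		fmt.Printf("TCP Connected\n")

		// Upgrade the TCP connection to TLS. tls.Client is used because the
		// connection already exists; Handshake runs it now so that a
		// verification failure surfaces here rather than on the first read.
		tlsConn := tls.Client(ipConn, tlsConfig)
		if err := tlsConn.Handshake(); err != nil {
			// Do not leak the socket or return it half-open.
			ipConn.Close()
			fmt.Printf("tlsconn handshake failed,err:%v\n", err)
			return nil, err
		}
		return tlsConn, nil
	}
}

// newTLSConfig builds a mutual-TLS client configuration: the server is
// verified against the PEM certificates in caCertPath and the client
// presents the key pair in clientCertPath/clientKeyPath.
//
// It returns an error when a file cannot be read, when the CA bundle holds
// no usable certificate, or when the client key pair does not parse.
func newTLSConfig(caCertPath, clientCertPath, clientKeyPath string) (*tls.Config, error) {
	caPEM, err := ioutil.ReadFile(caCertPath)
	if err != nil {
		fmt.Println("ReadFile err:", err)
		return nil, err
	}
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when it found nothing to add; the
	// original ignored this, which would leave an empty pool and fail every
	// handshake with a confusing "unknown authority" error.
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no PEM certificates found in %s", caCertPath)
	}

	cliCrt, err := tls.LoadX509KeyPair(clientCertPath, clientKeyPath)
	if err != nil {
		fmt.Println("Loadx509keypair err:", err)
		return nil, err
	}

	return &tls.Config{
		Certificates: []tls.Certificate{cliCrt},
		RootCAs:      pool,
		// ServerName is filled in by the dialer from the address it dials.
		MinVersion: tls.VersionTLS12,
	}, nil
}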
2.证书的转化
# Client keystore: convert client.jks to PKCS#12 (the original label said "server",
# but the command below operates on client.jks; the server keystore is handled further down).
keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -srcstoretype jks -deststoretype pkcs12
# Server certificate: export only the certificate (-nokeys -clcerts) from server.p12 as PEM.
# This is the file the Go client loads into its RootCAs pool; no private key is written.
openssl pkcs12 -in server.p12 -nokeys -clcerts -out server.crt
----------------------------------------------------------------------------------------
# Server keystore: convert server.jks to PKCS#12 (the original label said "client",
# but the command below operates on server.jks).
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12
# Client certificate: export only the certificate from client.p12 as PEM.
openssl pkcs12 -in client.p12 -nokeys -clcerts -out client.crt
# Client private key: -nocerts writes only the key, -nodes writes it UNENCRYPTED.
# client.key therefore needs restrictive file permissions; it is loaded by tls.LoadX509KeyPair in the Go client.
openssl pkcs12 -in client.p12 -nocerts -nodes -out client.key
--------------------------------------------------------------------------------------
其他:
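# p12 --> pem: writes certificate AND unencrypted private key (-nodes) into one file, so protect client.pem like a key.
# The trailing "// p12 --> pem" of the original is not a shell comment; it was passed to openssl as extra arguments.
openssl pkcs12 -nodes -in client.p12 -out client.pem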
3.keytool生成证书
(1.)生成客户端证书
# Show keytool usage.
keytool -h
# Generate the client key pair, valid for ten years, in client.jks.
# NOTE: -dname only sets CN=localhost and no Subject Alternative Name; Go's verifier ignores the CN,
# so a certificate generated this way only works on the Go side with hostname verification disabled or with a SAN added.
keytool -genkeypair -alias zkClientKey -keyalg RSA -validity 3650 -keystore client.jks -dname "CN=localhost"
# Migrate the keystore in place from the proprietary JKS format to PKCS#12 (same file as source and destination).
keytool -importkeystore -srckeystore client.jks -destkeystore client.jks -deststoretype pkcs12
# Export the client's public certificate in PEM (-rfc); this is what the server's truststore needs, not the key.
keytool -export -alias zkClientKey -keystore client.jks -rfc -file client_pub.cer
(2.)生成服务端证书
# Generate the server key pair, valid for ten years, in server.jks.
# NOTE: as for the client, CN=localhost without a SAN; the Go client verifies the server certificate
# against the address it dials, so the certificate needs a SAN matching that host or IP.
keytool -genkeypair -alias zkServerKey -keyalg RSA -validity 3650 -keystore server.jks -dname "CN=localhost"
# Migrate server.jks in place to PKCS#12.
keytool -importkeystore -srckeystore server.jks -destkeystore server.jks -deststoretype pkcs12
# Export the server's public certificate in PEM; the client truststore (and server.crt on the Go side) is built from this.
keytool -export -alias zkServerKey -keystore server.jks -rfc -file server_pub.cer
4.zk配置
zookeeper-3.5.9 kafka_2.12-2.5.0 注意版本两者要匹配
(1.)conf/zoo.cfg
# Port for TLS client connections (the Go client above dials 2182). It only takes effect together
# with the NettyServerCnxnFactory and keystore settings exported in SERVER_JVMFLAGS.
secureClientPort=2182
(2.)zkServer.sh中加入如下内容
# Server-side TLS: Netty connection factory plus the server keystore/truststore.
# The truststore must contain the client certificate for the mutual-TLS client above to be accepted.
# The passwords here are example values in clear text in a shell script; keep zkServer.sh readable only by the service user.
export SERVER_JVMFLAGS="
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=/home/clusterzookeeper/zookeeper/apache-zookeeper-3.5.9-bin/conf/ssl/server.jks
-Dzookeeper.ssl.keyStore.password=123456
-Dzookeeper.ssl.trustStore.location=/home/clusterzookeeper/zookeeper/apache-zookeeper-3.5.9-bin/conf/ssl/serverTruststore.jks
-Dzookeeper.ssl.trustStore.password=123456"
(3.)zkCli.sh中加入如下内容
# Client-side TLS for zkCli.sh: Netty client socket, secure mode, client keystore and a truststore
# holding the server certificate. Same caveat as the server flags: clear-text example passwords.
export CLIENT_JVMFLAGS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=/home/clusterzookeeper/zookeeper/apache-zookeeper-3.5.9-bin/conf/ssl/client.jks
-Dzookeeper.ssl.keyStore.password=123456
-Dzookeeper.ssl.trustStore.location=/home/clusterzookeeper/zookeeper/apache-zookeeper-3.5.9-bin/conf/ssl/clientTruststore.jks
-Dzookeeper.ssl.trustStore.password=123456"
5.kafka配置
vi server.properties
# Kafka broker listeners; zk_IP is a placeholder for the broker's address.
# NOTE: these are PLAINTEXT listeners, so Kafka client traffic is not encrypted by this page's setup;
# only the ZooKeeper connection configured above uses TLS.
listeners=PLAINTEXT://zk_IP:9092
advertised.listeners=PLAINTEXT://zk_IP:9092