From: Kai Moritz Date: Fri, 21 Nov 2025 18:41:10 +0000 (+0100) Subject: Manually added content, that was only linked from the markup X-Git-Tag: hugo--rebase--2025-12-17--20-25~11 X-Git-Url: https://juplo.de/gitweb/?a=commitdiff_plain;h=ac7137754d2340111e6f65c6909e7159b3946489;p=website Manually added content, that was only linked from the markup
---
diff --git a/hugo/static/wp-uploads/selfsigned+san/create-ca.sh b/hugo/static/wp-uploads/selfsigned+san/create-ca.sh
new file mode 100755
index 00000000..8f2eaafb
--- /dev/null
+++ b/hugo/static/wp-uploads/selfsigned+san/create-ca.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Example-script to show, how to set up a self-signed CA
+#
+# Usage:
+# ./create-ca.sh PASSWORD VALIDITY
+
+. settings.conf
+
+if [ -z "$1" ]
+then
+ PASSWORD=$DEFAULT_PASSWORD
+else
+ PASSWORD="$1"
+fi
+
+if [ -z "$2" ]
+then
+ VALIDITY=$DEFAULT_VALIDITY
+else
+ VALIDITY="$2"
+fi
+
+if [ -a ca-cert ]
+then
+ echo "The root-certificate for the CA already exists..."
+else
+ echo "Creating a x509-certificate for the CA..."
+ openssl req -new -x509 -subj "/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=Root-CA" -keyout ca-key -out ca-cert -days $VALIDITY -passout pass:$PASSWORD
+fi
+#
+
+if [ -a truststore.p12 ]
+then
+ echo "The keystore truststore.jks already exists!"
+else
+ echo "Importing the root-certificate of the CA into truststore.jks..."
+ keytool -keystore truststore.p12 -storetype pkcs12 -storepass $PASSWORD -alias CARoot -import -file ca-cert -noprompt
+fi
diff --git a/hugo/static/wp-uploads/selfsigned+san/gencert.sh b/hugo/static/wp-uploads/selfsigned+san/gencert.sh
new file mode 100755
index 00000000..a62a6d93
--- /dev/null
+++ b/hugo/static/wp-uploads/selfsigned+san/gencert.sh
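Review bot: The existence check at the end of the hunk tests `truststore.p12`, but both messages in that if/else talk about `truststore.jks`, so a reader following the output looks for a file that is never written; change them to `echo "The keystore truststore.p12 already exists!"` and `echo "Importing the root-certificate of the CA into truststore.p12..."`. The CA passphrase is also handed to openssl and keytool as `-passout pass:$PASSWORD` and `-storepass $PASSWORD` on the command line, where it shows up in `ps` output and shell history; openssl accepts `-passout env:PASSWORD` and keytool `-storepass:env PASSWORD`, which keep it out of argv while leaving the script's interface unchanged. Finally, `[ -a ca-cert ]` uses a bash-only synonym for `-e`; `[ -e ca-cert ]` is what POSIX and ShellCheck expect.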
@@ -0,0 +1,64 @@
+#!/bin/bash
+#
+# Example-script to show, how to create and sign a selfsigned certificate, that
+# contains multiple DNS-entries (SAN-extension)
+#
+# Usage:
+# ./gencert.sh CN [CA_PASSWORD [KEYSTORE_PASSWORD [VALIDITY]]]
+
+
+. settings.conf
+
+if [ -z "$1" ];
+then
+ echo "CN must not be empty!"
+ echo "$0 CN [CA_PASSWORD [KEYSTORE_PASSWORD [VALIDITY]]]"
+ exit;
+fi
+
+if [ -a $1.p12 ];
+then
+ echo "The keystore $1.jks already exists";
+ exit;
+fi
+
+
+if [ -z "$2" ]
+then
+ CA_PASSWORD=$DEFAULT_PASSWORD
+else
+ CA_PASSWORD="$2"
+fi
+
+if [ -z "$3" ]
+then
+ KEYSTORE_PASSWORD=$DEFAULT_PASSWORD
+else
+ KEYSTORE_PASSWORD="$3"
+fi
+
+if [ -z "$4" ]
+then
+ VALIDITY=365
+else
+ VALIDITY="$4"
+fi
+
+
+echo "Creating keystore $1.jks with a certificate and a key-pair for CN $1"
+keytool -keystore $1.p12 -storetype pkcs12 -alias $1 -validity $VALIDITY -genkey -storepass $KEYSTORE_PASSWORD -dname "CN=$1,OU=$OU,O=$O,L=$L,ST=$ST,C=$C"
+
+echo "Creating a Certificate-Signing-Request for the generated certificate"
+keytool -keystore $1.p12 -storetype pkcs12 -alias $1 -certreq -file cert-file -storepass $KEYSTORE_PASSWORD
+
+echo "Signing the Certificate-Signing-Request and adding an additional DNS-entry for localhost"
+openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out $1.pem -days $VALIDITY -CAcreateserial -passin pass:$CA_PASSWORD -extensions SAN -extfile <(printf "\n[SAN]\nsubjectAltName=DNS:$1,DNS:localhost")
+
+echo "Importing the root-certificate for the CA into the keystore $1.jks"
+keytool -keystore $1.p12 -storetype pkcs12 -alias ca-root -import -file ca-cert -storepass $KEYSTORE_PASSWORD -noprompt
+
+echo "Importing the signed certificate for CN $1 into the keystore $1.jks"
+keytool -keystore $1.p12 -storetype pkcs12 -alias $1 -import -file $1.pem -storepass $KEYSTORE_PASSWORD
+
+echo "Removing obsolet files..."
+rm -v cert-file
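Review bot: The `keytool ... -genkey` line creates the key pair without `-keyalg`, so keytool's default algorithm is used, and the committed dumps confirm what that means here: pem.txt reports `Public Key Algorithm: dsaEncryption` and jks.txt a `2048-Bit-DSA-Schlüssel`, yet a DSA end-entity certificate cannot be used with TLS 1.3 and is refused by most current TLS stacks, so `-keyalg RSA -keysize 2048` (or an EC key) belongs on this line and on the matching line in zookeeper+tls/gencert.sh. Both `exit;` statements return status 0, so a wrapper cannot tell the empty-CN error from success; `exit 1` after `echo "CN must not be empty!"` fixes that. The `VALIDITY=365` default ignores `DEFAULT_VALIDITY` from settings.conf, which create-ca.sh honours, and the four progress messages say `$1.jks` while the keystore written is `$1.p12`. The shipped pem.txt also carries `IP Address:127.0.0.1` in its SAN, which this script never adds, so the example output was evidently produced by a different version of the script.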
diff --git a/hugo/static/wp-uploads/selfsigned+san/jks.txt b/hugo/static/wp-uploads/selfsigned+san/jks.txt
new file mode 100644
index 00000000..e6aa425a
--- /dev/null
+++ b/hugo/static/wp-uploads/selfsigned+san/jks.txt
@@ -0,0 +1,120 @@ +Keystore-Typ: jks +Keystore-Provider: SUN + +Keystore enthält 2 Einträge + +Aliasname: ca-root +Erstellungsdatum: 26.06.2019 +Eintragstyp: trustedCertEntry + +Eigentümer: CN=Root-CA, OU=security, O=juplo, L=Juist, ST=Niedersachsen, C=DE +Aussteller: CN=Root-CA, OU=security, O=juplo, L=Juist, ST=Niedersachsen, C=DE +Seriennummer: 8c62092a6d59c829 +Gültig von: Wed Jun 26 10:26:50 CEST 2019 bis: Thu Jun 25 10:26:50 CEST 2020 +Zertifikatfingerprints: + MD5: EE:55:36:1F:19:7A:01:58:3F:54:C3:8B:BF:D9:3C:36 + SHA1: 3B:D6:01:F1:A1:9D:B1:6E:CA:4D:E7:FA:A6:C1:A1:3A:D8:CA:FD:0C + SHA256: 38:5F:6E:2A:E4:25:8A:54:31:57:91:5C:34:FA:E6:9A:E0:1A:2A:27:8C:D7:E5:B0:FB:8B:D7:1A:F6:79:CC:5E +Signaturalgorithmusname: SHA256withRSA +Algorithmus des Public Key von Betreff: 2048-Bit-RSA-Schlüssel +Version: 3 + +Erweiterungen: + +#1: ObjectId: 2.5.29.35 Criticality=false +AuthorityKeyIdentifier [ +KeyIdentifier [ +0000: 9D 29 BD 63 D1 D7 C1 98 26 E4 47 3E 27 6A DE AC .).c....&.G>'j.. +0010: ED 8A 75 2F ..u/ +] +] + +#2: ObjectId: 2.5.29.19 Criticality=false +BasicConstraints:[ + CA:true + PathLen:2147483647 +] + +#3: ObjectId: 2.5.29.14 Criticality=false +SubjectKeyIdentifier [ +KeyIdentifier [ +0000: 9D 29 BD 63 D1 D7 C1 98 26 E4 47 3E 27 6A DE AC .).c....&.G>'j.. 
+0010: ED 8A 75 2F ..u/ +] +] + + + +******************************************* +******************************************* + + +Aliasname: test +Erstellungsdatum: 26.06.2019 +Eintragstyp: PrivateKeyEntry +Zertifikatskettenlänge: 2 +Zertifikat[1]: +Eigentümer: CN=test, OU=security, O=juplo, L=Juist, ST=Niedersachsen, C=DE +Aussteller: CN=Root-CA, OU=security, O=juplo, L=Juist, ST=Niedersachsen, C=DE +Seriennummer: b75834de7e0b9b26 +Gültig von: Wed Jun 26 10:27:23 CEST 2019 bis: Thu Jun 25 10:27:23 CEST 2020 +Zertifikatfingerprints: + MD5: 3F:3E:46:A4:45:28:18:3C:E4:C3:11:6B:6A:AC:88:94 + SHA1: 24:27:02:2F:6A:68:32:EA:5F:9D:53:C5:28:65:F7:FC:6D:5D:BC:B7 + SHA256: 7C:2B:D4:36:06:0C:69:4E:93:75:0F:F9:9C:D8:9D:DD:02:50:14:72:49:95:E3:AC:4C:B4:7A:E6:CE:9D:05:D5 +Signaturalgorithmusname: SHA256withRSA +Algorithmus des Public Key von Betreff: 2048-Bit-DSA-Schlüssel +Version: 3 + +Erweiterungen: + +#1: ObjectId: 2.5.29.17 Criticality=false +SubjectAlternativeName [ + DNSName: test + DNSName: localhost + IPAddress: 127.0.0.1 +] + +Zertifikat[2]: +Eigentümer: CN=Root-CA, OU=security, O=juplo, L=Juist, ST=Niedersachsen, C=DE +Aussteller: CN=Root-CA, OU=security, O=juplo, L=Juist, ST=Niedersachsen, C=DE +Seriennummer: 8c62092a6d59c829 +Gültig von: Wed Jun 26 10:26:50 CEST 2019 bis: Thu Jun 25 10:26:50 CEST 2020 +Zertifikatfingerprints: + MD5: EE:55:36:1F:19:7A:01:58:3F:54:C3:8B:BF:D9:3C:36 + SHA1: 3B:D6:01:F1:A1:9D:B1:6E:CA:4D:E7:FA:A6:C1:A1:3A:D8:CA:FD:0C + SHA256: 38:5F:6E:2A:E4:25:8A:54:31:57:91:5C:34:FA:E6:9A:E0:1A:2A:27:8C:D7:E5:B0:FB:8B:D7:1A:F6:79:CC:5E +Signaturalgorithmusname: SHA256withRSA +Algorithmus des Public Key von Betreff: 2048-Bit-RSA-Schlüssel +Version: 3 + +Erweiterungen: + +#1: ObjectId: 2.5.29.35 Criticality=false +AuthorityKeyIdentifier [ +KeyIdentifier [ +0000: 9D 29 BD 63 D1 D7 C1 98 26 E4 47 3E 27 6A DE AC .).c....&.G>'j.. 
+0010: ED 8A 75 2F ..u/ +] +] + +#2: ObjectId: 2.5.29.19 Criticality=false +BasicConstraints:[ + CA:true + PathLen:2147483647 +] + +#3: ObjectId: 2.5.29.14 Criticality=false +SubjectKeyIdentifier [ +KeyIdentifier [ +0000: 9D 29 BD 63 D1 D7 C1 98 26 E4 47 3E 27 6A DE AC .).c....&.G>'j.. +0010: ED 8A 75 2F ..u/ +] +] + + + +******************************************* +******************************************* + + diff --git a/hugo/static/wp-uploads/selfsigned+san/pem.txt b/hugo/static/wp-uploads/selfsigned+san/pem.txt new file mode 100644 index 00000000..b5ac4138 --- /dev/null +++ b/hugo/static/wp-uploads/selfsigned+san/pem.txt 
@@ -0,0 +1,123 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 13211367637093423910 (0xb75834de7e0b9b26) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=DE, ST=Niedersachsen, L=Juist, O=juplo, OU=security, CN=Root-CA + Validity + Not Before: Jun 26 08:27:23 2019 GMT + Not After : Jun 25 08:27:23 2020 GMT + Subject: C=DE, ST=Niedersachsen, L=Juist, O=juplo, OU=security, CN=test + Subject Public Key Info: + Public Key Algorithm: dsaEncryption + pub: + 00:8d:f8:cc:68:da:ab:56:e0:30:b1:cf:68:49:6f: + ff:30:ba:fe:b6:63:c7:7f:70:e4:db:f4:c1:b5:7d: + 90:34:58:a1:93:2a:90:cc:19:2f:eb:e8:f9:81:1d: + 19:a4:ad:18:23:b1:5e:94:27:a3:1d:87:60:6a:d6: + 44:b1:40:d2:86:e7:53:3e:95:86:ec:c6:3f:2a:f5: + 6a:2a:79:40:08:d9:a9:c9:04:83:3f:65:6b:81:75: + 5d:ec:78:3d:df:a5:0f:49:98:9a:ef:98:b3:c9:8e: + 61:ee:b2:c1:e5:08:4a:13:20:d6:5b:33:0e:bd:38: + e5:cb:f7:dc:7c:43:bb:fc:33:a4:b0:81:8b:3c:24: + 10:0f:8f:d6:fe:8c:52:05:1d:07:8f:f7:06:86:e8: + 77:20:32:b6:ec:26:cf:19:e1:aa:48:66:ba:d4:be: + 8b:7d:e3:a9:3b:45:ca:fc:18:04:19:ec:53:f1:86: + 9b:b3:0b:c0:86:8a:ca:47:01:02:8e:ba:91:54:89: + 9e:43:d5:0a:73:47:31:36:39:2e:26:07:92:a7:5d: + 26:cd:2c:2a:b3:aa:97:d1:65:34:8f:2a:fc:1a:19: + 7f:03:b7:ca:88:0f:73:31:bf:0c:d1:8d:9a:3c:d7: + a1:56:76:ee:f0:ad:f3:77:2f:0b:2a:d6:c9:8b:70: + 27:cd + P: + 00:8f:79:35:d9:b9:aa:e9:bf:ab:ed:88:7a:cf:49: + 51:b6:f3:2e:c5:9e:3b:af:37:18:e8:ea:c4:96:1f: + 3e:fd:36:06:e7:43:51:a9:c4:18:33:39:b8:09:e7: + c2:ae:1c:53:9b:a7:47:5b:85:d0:11:ad:b8:b4:79: + 87:75:49:84:69:5c:ac:0e:8f:14:b3:36:08:28:a2: + 2f:fa:27:11:0a:3d:62:a9:93:45:34:09:a0:fe:69: + 6c:46:58:f8:4b:dd:20:81:9c:37:09:a0:10:57:b1: + 95:ad:cd:00:23:3d:ba:54:84:b6:29:1f:9d:64:8e: + f8:83:44:86:77:97:9c:ec:04:b4:34:a6:ac:2e:75: + e9:98:5d:e2:3d:b0:29:2f:c1:11:8c:9f:fa:9d:81: + 81:e7:33:8d:b7:92:b7:30:d7:b9:e3:49:59:2f:68: + 09:98:72:15:39:15:ea:3d:6b:8b:46:53:c6:33:45: + 8f:80:3b:32:a4:c2:e0:f2:72:90:25:6e:4e:3f:8a: + 3b:08:38:a1:c4:50:e4:e1:8c:1a:29:a3:7d:df:5e: + 
a1:43:de:4b:66:ff:04:90:3e:d5:cf:16:23:e1:58: + d4:87:c6:08:e9:7f:21:1c:d8:1d:ca:23:cb:6e:38: + 07:65:f8:22:e3:42:be:48:4c:05:76:39:39:60:1c: + d6:67 + Q: + 00:ba:f6:96:a6:85:78:f7:df:de:e7:fa:67:c9:77: + c7:85:ef:32:b2:33:ba:e5:80:c0:bc:d5:69:5d + G: + 16:a6:5c:58:20:48:50:70:4e:75:02:a3:97:57:04: + 0d:34:da:3a:34:78:c1:54:d4:e4:a5:c0:2d:24:2e: + e0:4f:96:e6:1e:4b:d0:90:4a:bd:ac:8f:37:ee:b1: + e0:9f:31:82:d2:3c:90:43:cb:64:2f:88:00:41:60: + ed:f9:ca:09:b3:20:76:a7:9c:32:a6:27:f2:47:3e: + 91:87:9b:a2:c4:e7:44:bd:20:81:54:4c:b5:5b:80: + 2c:36:8d:1f:a8:3e:d4:89:e9:4e:0f:a0:68:8e:32: + 42:8a:5c:78:c4:78:c6:8d:05:27:b7:1c:9a:3a:bb: + 0b:0b:e1:2c:44:68:96:39:e7:d3:ce:74:db:10:1a: + 65:aa:2b:87:f6:4c:68:26:db:3e:c7:2f:4b:55:99: + 83:4b:b4:ed:b0:2f:7c:90:e9:a4:96:d3:a5:5d:53: + 5b:eb:fc:45:d4:f6:19:f6:3f:3d:ed:bb:87:39:25: + c2:f2:24:e0:77:31:29:6d:a8:87:ec:1e:47:48:f8: + 7e:fb:5f:de:b7:54:84:31:6b:22:32:de:e5:53:dd: + af:02:11:2b:0d:1f:02:da:30:97:32:24:fe:27:ae: + da:8b:9d:4b:29:22:d9:ba:8b:e3:9e:d9:e1:03:a6: + 3c:52:81:0b:c6:88:b7:e2:ed:43:16:e1:ef:17:db: + de + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:test, DNS:localhost, IP Address:127.0.0.1 + Signature Algorithm: sha256WithRSAEncryption + 60:80:c4:5e:7d:c6:cf:88:94:14:69:8d:c2:d7:ce:af:b4:97: + 1c:08:9b:ff:65:db:77:24:c5:8a:87:1e:6f:30:70:71:a1:c5: + ac:af:67:49:ce:b0:91:b9:5a:55:27:12:49:72:be:7d:f5:45: + 12:ff:32:1a:ee:b1:f9:44:cd:62:1f:20:48:ac:0f:5a:f4:c7: + b0:1b:05:b0:84:20:fe:da:6d:73:92:da:32:f6:77:3c:df:07: + 5b:da:fd:c3:f3:6f:08:e8:4d:3e:ba:35:b2:a8:cc:a5:b3:9c: + 5c:61:c0:cb:35:ea:fe:c8:d2:e7:d3:ea:e0:0e:3b:7d:fb:22: + 60:e6:96:34:af:a4:bc:cb:70:e0:60:75:f9:93:0d:31:f1:60: + aa:50:34:8a:87:50:13:d1:8a:db:ee:d9:59:17:25:d9:b2:ad: + 55:14:09:92:9a:80:54:70:01:9f:65:ed:bf:e5:10:65:f5:8b: + b8:7c:72:48:65:72:60:56:d8:de:b3:9f:90:9a:58:a4:ed:eb: + 27:b2:a1:ae:90:52:0f:a4:d6:52:bd:36:b1:bb:d1:49:54:d1: + df:d9:1a:92:55:4a:56:e1:47:e7:f2:7e:52:c6:64:68:db:70: + 
87:cc:a5:ed:e7:fe:93:5b:bc:21:57:c9:02:06:0c:2b:c5:5d: + 29:57:95:76 +-----BEGIN CERTIFICATE----- +MIIFmTCCBIGgAwIBAgIJALdYNN5+C5smMA0GCSqGSIb3DQEBCwUAMGoxCzAJBgNV +BAYTAkRFMRYwFAYDVQQIDA1OaWVkZXJzYWNoc2VuMQ4wDAYDVQQHDAVKdWlzdDEO +MAwGA1UECgwFanVwbG8xETAPBgNVBAsMCHNlY3VyaXR5MRAwDgYDVQQDDAdSb290 +LUNBMB4XDTE5MDYyNjA4MjcyM1oXDTIwMDYyNTA4MjcyM1owZzELMAkGA1UEBhMC +REUxFjAUBgNVBAgTDU5pZWRlcnNhY2hzZW4xDjAMBgNVBAcTBUp1aXN0MQ4wDAYD +VQQKEwVqdXBsbzERMA8GA1UECxMIc2VjdXJpdHkxDTALBgNVBAMTBHRlc3QwggND +MIICNQYHKoZIzjgEATCCAigCggEBAI95Ndm5qum/q+2Ies9JUbbzLsWeO683GOjq +xJYfPv02BudDUanEGDM5uAnnwq4cU5unR1uF0BGtuLR5h3VJhGlcrA6PFLM2CCii +L/onEQo9YqmTRTQJoP5pbEZY+EvdIIGcNwmgEFexla3NACM9ulSEtikfnWSO+INE +hneXnOwEtDSmrC516Zhd4j2wKS/BEYyf+p2BgeczjbeStzDXueNJWS9oCZhyFTkV +6j1ri0ZTxjNFj4A7MqTC4PJykCVuTj+KOwg4ocRQ5OGMGimjfd9eoUPeS2b/BJA+ +1c8WI+FY1IfGCOl/IRzYHcojy244B2X4IuNCvkhMBXY5OWAc1mcCHQC69pamhXj3 +397n+mfJd8eF7zKyM7rlgMC81WldAoIBABamXFggSFBwTnUCo5dXBA002jo0eMFU +1OSlwC0kLuBPluYeS9CQSr2sjzfuseCfMYLSPJBDy2QviABBYO35ygmzIHannDKm +J/JHPpGHm6LE50S9IIFUTLVbgCw2jR+oPtSJ6U4PoGiOMkKKXHjEeMaNBSe3HJo6 +uwsL4SxEaJY559POdNsQGmWqK4f2TGgm2z7HL0tVmYNLtO2wL3yQ6aSW06VdU1vr +/EXU9hn2Pz3tu4c5JcLyJOB3MSltqIfsHkdI+H77X963VIQxayIy3uVT3a8CESsN +HwLaMJcyJP4nrtqLnUspItm6i+Oe2eEDpjxSgQvGiLfi7UMW4e8X294DggEGAAKC +AQEAjfjMaNqrVuAwsc9oSW//MLr+tmPHf3Dk2/TBtX2QNFihkyqQzBkv6+j5gR0Z +pK0YI7FelCejHYdgatZEsUDShudTPpWG7MY/KvVqKnlACNmpyQSDP2VrgXVd7Hg9 +36UPSZia75izyY5h7rLB5QhKEyDWWzMOvTjly/fcfEO7/DOksIGLPCQQD4/W/oxS +BR0Hj/cGhuh3IDK27CbPGeGqSGa61L6LfeOpO0XK/BgEGexT8YabswvAhorKRwEC +jrqRVImeQ9UKc0cxNjkuJgeSp10mzSwqs6qX0WU0jyr8Ghl/A7fKiA9zMb8M0Y2a +PNehVnbu8K3zdy8LKtbJi3AnzaMkMCIwIAYDVR0RBBkwF4IEdGVzdIIJbG9jYWxo +b3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBggMRefcbPiJQUaY3C186vtJcc +CJv/Zdt3JMWKhx5vMHBxocWsr2dJzrCRuVpVJxJJcr599UUS/zIa7rH5RM1iHyBI +rA9a9MewGwWwhCD+2m1zktoy9nc83wdb2v3D828I6E0+ujWyqMyls5xcYcDLNer+ +yNLn0+rgDjt9+yJg5pY0r6S8y3DgYHX5kw0x8WCqUDSKh1AT0Yrb7tlZFyXZsq1V 
+FAmSmoBUcAGfZe2/5RBl9Yu4fHJIZXJgVtjes5+Qmlik7esnsqGukFIPpNZSvTax
+u9FJVNHf2RqSVUpW4Ufn8n5SxmRo23CHzKXt5/6TW7whV8kCBgwrxV0pV5V2
+-----END CERTIFICATE-----
diff --git a/hugo/static/wp-uploads/selfsigned+san/settings.conf b/hugo/static/wp-uploads/selfsigned+san/settings.conf
new file mode 100644
index 00000000..5715d828
--- /dev/null
+++ b/hugo/static/wp-uploads/selfsigned+san/settings.conf
@@ -0,0 +1,8 @@
+DEFAULT_PASSWORD=confidential
+DEFAULT_VALIDITY=365
+
+OU=security
+O=juplo
+L=Juist
+ST=Niedersachsen
+C=DE
diff --git a/hugo/static/wp-uploads/zookeeper+tls/README.sh b/hugo/static/wp-uploads/zookeeper+tls/README.sh
new file mode 100755
index 00000000..efe60ab9
--- /dev/null
+++ b/hugo/static/wp-uploads/zookeeper+tls/README.sh
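Review bot: settings.conf is not a plain key/value list but is sourced as shell by `. settings.conf` in create-ca.sh and gencert.sh, so every line is executed and any value containing spaces must be quoted; a leading comment such as `# Sourced by create-ca.sh and gencert.sh as shell: quote values with spaces, e.g. ST="Lower Saxony"` would make that visible. `DEFAULT_PASSWORD=confidential` is then interpolated into the `-passout pass:` and `-storepass` arguments of those scripts, so anyone reusing this directory changes the passphrase here and nowhere else, which is worth stating in the same comment.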
@@ -0,0 +1,217 @@
+#!/bin/bash
+#
+# Example-script to show, how to encrypt the communication between two
+# Kafka-brokers and a standalone ZooKeeper
+#
+# Usage:
+# ./README.sh -- Download Kafka/ZooKeeper, create the needed
+# certificates and start a ZooKeeper and two brokers
+# --------
+# Will not shut down the services, so that one can
+# experiment with single commands from this example.
+# Can be run multiple times: certificates are only
+# recreated and services are only restart, if they were
+# removed / stopped
+# ./README.sh stop -- Stop the standalone ZooKeeper and the two brokers
+# ./README.sh cleanup -- Stop the standalone ZooKeeper and the two brokers,
+# then remove all data, the created certificates and
+# the written logs (does not remove dowloaded data)
+
+
+ZOOKEEPER_DOWNLOAD=http://ftp.fau.de/apache/zookeeper/zookeeper-3.5.5/apache-zookeeper-3.5.5-bin.tar.gz
+ZOOKEEPER_DIR=apache-zookeeper-3.5.5-bin
+KAFKA_DOWNLOAD=http://ftp.fau.de/apache/kafka/2.3.0/kafka_2.12-2.3.0.tgz
+KAFKA_DIR=kafka_2.12-2.3.0
+
+PASSWORD=confidential
+
+
+# Stops all services (Kafka and ZooKeeper)
+#
+function stop
+{
+ if [ -a ZOOKEEPER ]
+ then
+ ZOOPIDFILE=ZOOKEEPER $ZOOKEEPER_DIR/bin/zkServer.sh --config . stop
+ fi
+ if [ -a KAFKA-1 ]
+ then
+ kill $(cat KAFKA-1)
+ rm -f KAFKA-1
+ fi
+ if [ -a KAFKA-2 ]
+ then
+ kill $(cat KAFKA-2)
+ rm -f KAFKA-2
+ fi
+
+ if [ -a CONSUMER ]
+ then
+ kill $(cat CONSUMER)
+ rm -f CONSUMER
+ fi
+ if [ -a PRODUCER ]
+ then
+ kill $(cat PRODUCER)
+ rm -f PRODUCER
+ fi
+}
+
+
+# Stops all services (Kafka/ZooKeeper)
+#
+if [ "$1" = "stop" ]
+then
+ stop
+ exit
+fi
+
+# Removes data, certificates and logs (does not remove the downloads)
+#
+if [ "$1" = "cleanup" ]
+then
+
+ stop
+
+ rm -rvf /tmp/zookeeper
+ rm -rvf /tmp/kafka-1-logs
+ rm -rvf /tmp/kafka-2-logs
+
+ rm -rfv *.log *.out ca-cert* ca-key *.jks
+
+ exit
+
+fi
+
+
+if [ -x "$ZOOKEEPER_DIR" ];
+then
+ echo "Version 3.5.5 of Apache ZooKeeper already downloaded";
+else
+ echo "Downloading version 3.5.5 of Apache ZooKeeper...";
+ curl -sc - $ZOOKEEPER_DOWNLOAD | tar -xzv
+ cp -av $ZOOKEEPER_DIR/conf/log4j.properties ./
+fi
+
+if [ -x "$KAFKA_DIR" ];
+then
+ echo "Version 2.3.0 of Apache Kafka already downloaded";
+else
+ echo "Downloading version 2.3.0 of Apache Kafka...";
+ curl -sc - $KAFKA_DOWNLOAD | tar -xzv
+ echo "Replacing ZooKeeper-libs in Kafka with versions from 3.5.5..."
+ rm -v $KAFKA_DIR/libs/zookeeper-3.4.14.jar
+ cp -av $ZOOKEEPER_DIR/lib/zookeeper-3.5.5.jar $KAFKA_DIR/libs/
+ cp -av $ZOOKEEPER_DIR/lib/zookeeper-jute-3.5.5.jar $KAFKA_DIR/libs/
+ cp -av $ZOOKEEPER_DIR/lib/netty-all-4.1.29.Final.jar $KAFKA_DIR/libs/
+ echo "Only needed for ZooKeeper-CLI-clients (for example zookeeper-shell.sh):"
+ cp -av $ZOOKEEPER_DIR/lib/commons-cli-1.2.jar $KAFKA_DIR/libs/
+fi
+
+
+./create-certs.sh
+
+
+if [ -a ZOOKEEPER ]
+then
+ echo "zookeeper is already running!"
+else
+ echo "Starting zookeeper on port 2128..."
+ (
+ ZOOPIDFILE=ZOOKEEPER $ZOOKEEPER_DIR/bin/zkServer.sh --config . start
+ )
+fi
+
+if [ -a KAFKA-1 ]
+then
+ echo "kafka-1 is already running!"
+else
+ echo "Starting kafka-1 on port 9193/9194..."
+ (
+ export KAFKA_OPTS="
+ -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
+ -Dzookeeper.client.secure=true
+ -Dzookeeper.ssl.keyStore.location=kafka-1.jks
+ -Dzookeeper.ssl.keyStore.password=$PASSWORD
+ -Dzookeeper.ssl.trustStore.location=truststore.jks
+ -Dzookeeper.ssl.trustStore.password=$PASSWORD
+ "
+ $KAFKA_DIR/bin/kafka-server-start.sh kafka-1.properties & echo $! > KAFKA-1
+ ) > kafka-1.log &
+fi
+if [ -a KAFKA-2 ]
+then
+ echo "kafka-2 is already running!"
+else
+ echo "Starting kafka-2 on port 9293/9294..."
+ (
+ export KAFKA_OPTS="
+ -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
+ -Dzookeeper.client.secure=true
+ -Dzookeeper.ssl.keyStore.location=kafka-2.jks
+ -Dzookeeper.ssl.keyStore.password=$PASSWORD
+ -Dzookeeper.ssl.trustStore.location=truststore.jks
+ -Dzookeeper.ssl.trustStore.password=$PASSWORD
+ "
+ $KAFKA_DIR/bin/kafka-server-start.sh kafka-2.properties & echo $! > KAFKA-2
+ ) > kafka-2.log &
+fi
+
+
+while ! nc -w1 kafka-1 9193; do echo "Waiting for kafka-1..."; sleep 1; done
+while ! nc -w1 kafka-1 9293; do echo "Waiting for kafka-2..."; sleep 1; done
+
+# Creates topic "test", if it does not exist already
+# Note the usage of KAFKA_OPTS, to configure the SSL-encryption
+(
+ export KAFKA_OPTS="
+ -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
+ -Dzookeeper.client.secure=true
+ -Dzookeeper.ssl.keyStore.location=client.jks
+ -Dzookeeper.ssl.keyStore.password=$PASSWORD
+ -Dzookeeper.ssl.trustStore.location=truststore.jks
+ -Dzookeeper.ssl.trustStore.password=$PASSWORD
+ "
+ $KAFKA_DIR/bin/kafka-topics.sh --zookeeper zookeeper:2182 --if-not-exists --create --topic test --partitions 1 --replication-factor 2
+)
+# Prints information about topic "test"
+# Note the usage of KAFKA_OPTS, to configure the SSL-encryption
+(
+ export KAFKA_OPTS="
+ -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
+ -Dzookeeper.client.secure=true
+ -Dzookeeper.ssl.keyStore.location=client.jks
+ -Dzookeeper.ssl.keyStore.password=$PASSWORD
+ -Dzookeeper.ssl.trustStore.location=truststore.jks
+ -Dzookeeper.ssl.trustStore.password=$PASSWORD
+ "
+ $KAFKA_DIR/bin/kafka-topics.sh --zookeeper zookeeper:2182 --describe --topic test
+)
+
+# Starts a console-consumer, that reads 3 messages from the topic "test"
+# See consumer.config for the configuration of the SSL-encryption
+{ $KAFKA_DIR/bin/kafka-console-consumer.sh --bootstrap-server kafka-1:9194 --consumer.config consumer.config --topic test --from-beginning --max-messages 3 & echo $! > CONSUMER ; } |& tee consumer.log &
+echo "Started consumer with PID $(cat CONSUMER)"
+
+# Starts a console-consumer, that writes some messages to the topic "test"
+# See producer.config for the configuration of the SSL-encryption
+{ echo -e "Foo\nBar\nFooBar\n" | $KAFKA_DIR/bin/kafka-console-producer.sh --broker-list kafka-1:9194 --producer.config producer.config --topic test & echo $! > PRODUCER ; } |& tee producer.log &
+echo "Started producer with PID $(cat PRODUCER)"
+
+echo "Waiting for consumer/producer..."
+wait
+rm -f PRODUCER CONSUMER
+
+# Connect to ZooKeeper and get some informations about the broker 1
+# Note the usage of KAFKA_OPTS, to configure the SSL-encryption
+(
+ export KAFKA_OPTS="
+ -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
+ -Dzookeeper.client.secure=true
+ -Dzookeeper.ssl.keyStore.location=client.jks
+ -Dzookeeper.ssl.keyStore.password=$PASSWORD
+ -Dzookeeper.ssl.trustStore.location=truststore.jks
+ -Dzookeeper.ssl.trustStore.password=$PASSWORD
+ "
+ $KAFKA_DIR/bin/zookeeper-shell.sh zookeeper:2182 get /brokers/ids/1
+)
diff --git a/hugo/static/wp-uploads/zookeeper+tls/consumer.config b/hugo/static/wp-uploads/zookeeper+tls/consumer.config
new file mode 100644
index 00000000..960ae669
--- /dev/null
+++ b/hugo/static/wp-uploads/zookeeper+tls/consumer.config
@@ -0,0 +1,5 @@
+security.protocol=SASL_SSL
+sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="consumer" password="pw4consumer";
+sasl.mechanism=PLAIN
+ssl.truststore.location=truststore.jks
+ssl.truststore.password=confidential
diff --git a/hugo/static/wp-uploads/zookeeper+tls/create-certs.sh b/hugo/static/wp-uploads/zookeeper+tls/create-certs.sh
new file mode 100755
index 00000000..a989bf70
--- /dev/null
+++ b/hugo/static/wp-uploads/zookeeper+tls/create-certs.sh
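Review bot: The second readiness loop polls `nc -w1 kafka-1 9293`, but kafka-2.properties binds its listeners to `kafka-2:9293`, so the wait only terminates when both names happen to resolve to the same interface; it should read `while ! nc -w1 kafka-2 9293; do echo "Waiting for kafka-2..."; sleep 1; done`. The two archives are fetched from plain `http://` URLs and piped straight into `tar -xzv` with neither `-f` nor any checksum or signature check, so an HTTP error page or a modified archive on the mirror is unpacked silently and its scripts are executed a few lines later; comparing each download against the SHA512 published with the Apache release before extracting would make the example reproducible and tamper-evident. `curl -sc -` additionally writes curl's cookie jar to stdout if the server sets a cookie, which would corrupt the tar stream — presumably `curl -fsS` was intended. The keystore passwords are passed to the JVM as `-Dzookeeper.ssl.*.password=$PASSWORD` system properties in KAFKA_OPTS, where every local user can read them via `ps`; that is fine for a lab but deserves a comment, because the same pattern copied to a shared host exposes the credentials.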
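Review bot: consumer.config (and producer.config further down) relies on Kafka's default `ssl.endpoint.identification.algorithm=https`, so the broker name used as `kafka-1:9194` in README.sh must appear in the broker certificate's SAN, which gencert.sh limits to `DNS:<name>` and `DNS:localhost`; a comment such as `# host name verification is on by default: bootstrap hosts must match the SAN written by gencert.sh` would spare readers the handshake failure they hit when they substitute an IP address. The JAAS line stores the SASL/PLAIN password in clear text beside the truststore password, which is only defensible because `security.protocol=SASL_SSL` keeps it off the wire; a second comment stating that PLAIN must stay on an SSL-protected listener would keep copies of this file from being paired with `SASL_PLAINTEXT`.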
@@ -0,0 +1,33 @@
+#!/bin/bash
+#
+# Example-script to show, how to set up a self-signed CA
+#
+# Usage:
+# ./create-certs.sh
+
+VALIDITY=365
+PASSWORD=confidential
+if [ -a ca-cert ];
+then
+ echo "The root-certificate for the CA already exists...";
+else
+ echo "Creating a x509-certificate for the CA...";
+ openssl req -new -x509 -subj "/C=DE/ST=NRW/L=MS/O=trion/OU=kafka/CN=Root-CA" -keyout ca-key -out ca-cert -days $VALIDITY -passout pass:$PASSWORD
+fi
+#
+
+if [ -a truststore.jks ];
+then
+ echo "The keystore truststore.jks already exists!";
+else
+ echo "Importing the root-certificate of the CA into truststore.jks..."
+ keytool -keystore truststore.jks -storepass $PASSWORD -alias CARoot -import -file ca-cert -noprompt
+fi
+
+
+# Generating certificates for the standalone ZooKeeper, an example CLI-client
+# and the two Kafka-Brokers
+./gencert.sh zookeeper
+./gencert.sh client
+./gencert.sh kafka-1
+./gencert.sh kafka-2
diff --git a/hugo/static/wp-uploads/zookeeper+tls/gencert.sh b/hugo/static/wp-uploads/zookeeper+tls/gencert.sh
new file mode 100755
index 00000000..dbdd0320
--- /dev/null
+++ b/hugo/static/wp-uploads/zookeeper+tls/gencert.sh
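Review bot: Nothing in this script checks an exit status, so when `openssl req` fails the keytool import and the four `./gencert.sh` calls still run and leave behind a truststore and keystores that do not chain to any CA; `set -e` after the shebang, or `|| exit 1` on the openssl and keytool lines, stops at the first failure. Like create-ca.sh in the selfsigned+san directory, it passes the CA passphrase as `-passout pass:$PASSWORD` and `-storepass $PASSWORD` on the command line; `-passout env:PASSWORD` and `-storepass:env PASSWORD` keep it out of `ps` output. The `ca-key` written here is the signing key for all four keystores and stays in the working directory; a comment noting that `./README.sh cleanup` removes it together with the keystores would help readers avoid shipping the key alongside the example.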
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Example-script to show, how to create and sign a selfsigned certificate, that
+# contains multiple DNS-entries (SAN-extension)
+#
+# Usage:
+# ./gencert.sh NAME
+
+VALIDITY=365
+PASSWORD=confidential
+
+if [ -a $1.jks ];
+then
+ echo "The keystore $1.jks already exists";
+ exit;
+fi
+
+echo "Creating keystore $1.jks with a certificate and a key-pair for CN $1"
+keytool -keystore $1.jks -alias $1 -validity $VALIDITY -genkey -storepass $PASSWORD -keypass $PASSWORD -dname "CN=$1,OU=kafka,O=trion,L=MS,ST=NRW,C=DE"
+echo "Creating a Certificate-Signing-Request for the generated certificate"
+keytool -keystore $1.jks -alias $1 -certreq -file cert-file -storepass $PASSWORD
+echo "Signing the Certificate-Signing-Request and adding an additional DNS-entry for localhost"
+openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days $VALIDITY -CAcreateserial -passin pass:$PASSWORD -extensions SAN -extfile <(printf "\n[SAN]\nsubjectAltName=DNS:$1,DNS:localhost")
+echo "Importing the root-certificate for the CA into the keystore $1.jks"
+keytool -keystore $1.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -noprompt
+echo "Importing the signed certificate for CN $1 into the keystore $1.jks"
+keytool -keystore $1.jks -alias $1 -import -file cert-signed -storepass $PASSWORD
+echo "Removing obsolet files..."
+rm -v cert-file cert-signed
+
+
diff --git a/hugo/static/wp-uploads/zookeeper+tls/java.env b/hugo/static/wp-uploads/zookeeper+tls/java.env
new file mode 100644
index 00000000..e3ebca62
--- /dev/null
+++ b/hugo/static/wp-uploads/zookeeper+tls/java.env
@@ -0,0 +1,2 @@
+SERVER_JVMFLAGS="-Xms512m -Xmx512m -Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory"
+ZOO_LOG_DIR=.
diff --git a/hugo/static/wp-uploads/zookeeper+tls/kafka-1.properties b/hugo/static/wp-uploads/zookeeper+tls/kafka-1.properties
new file mode 100644
index 00000000..1e7c305c
--- /dev/null
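Review bot: Unlike the selfsigned+san variant, this script never checks that `$1` is set, so `./gencert.sh` with no argument tests `[ -a .jks ]` and then runs keytool against `-keystore .jks` with an empty alias and CN; add `if [ -z "$1" ]; then echo "NAME must not be empty!" >&2; exit 1; fi` before the existence check. `$1` is also unquoted in every keytool and openssl invocation, so a name containing spaces splits into several arguments; `"$1.jks"` and `"$1"` make the script robust at no cost. As in the other gencert.sh, `-genkey` without `-keyalg` produces a DSA key pair that TLS 1.3 cannot use; `-keyalg RSA -keysize 2048` is the usual fix. The `exit;` after "already exists" returns 0, which is what lets create-certs.sh re-run idempotently, but a comment saying that this is intentional would stop the next reader from "fixing" it to `exit 1`.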
+++ b/hugo/static/wp-uploads/zookeeper+tls/kafka-1.properties
@@ -0,0 +1,17 @@
+broker.id=1
+zookeeper.connect=zookeeper:2182
+listeners=SSL://kafka-1:9193,SASL_SSL://kafka-1:9194
+security.inter.broker.protocol=SSL
+ssl.client.auth=required
+ssl.keystore.location=kafka-1.jks
+ssl.keystore.password=confidential
+ssl.key.password=confidential
+ssl.truststore.location=truststore.jks
+ssl.truststore.password=confidential
+listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required user_consumer="pw4consumer" user_producer="pw4producer";
+sasl.enabled.mechanisms=PLAIN
+
+log.dirs=/tmp/kafka-1-logs
+offsets.topic.replication.factor=2
+transaction.state.log.replication.factor=2
+transaction.state.log.min.isr=2
diff --git a/hugo/static/wp-uploads/zookeeper+tls/kafka-2.properties b/hugo/static/wp-uploads/zookeeper+tls/kafka-2.properties
new file mode 100644
index 00000000..ec53f9be
--- /dev/null
+++ b/hugo/static/wp-uploads/zookeeper+tls/kafka-2.properties
@@ -0,0 +1,17 @@
+broker.id=2
+zookeeper.connect=zookeeper:2182
+listeners=SSL://kafka-2:9293,SASL_SSL://kafka-2:9294
+security.inter.broker.protocol=SSL
+ssl.client.auth=required
+ssl.keystore.location=kafka-2.jks
+ssl.keystore.password=confidential
+ssl.key.password=confidential
+ssl.truststore.location=truststore.jks
+ssl.truststore.password=confidential
+listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required user_consumer="pw4consumer" user_producer="pw4producer";
+sasl.enabled.mechanisms=PLAIN
+
+log.dirs=/tmp/kafka-2-logs
+offsets.topic.replication.factor=2
+transaction.state.log.replication.factor=2
+transaction.state.log.min.isr=2
diff --git a/hugo/static/wp-uploads/zookeeper+tls/producer.config b/hugo/static/wp-uploads/zookeeper+tls/producer.config
new file mode 100644
index 00000000..5809edf6
--- /dev/null
+++ b/hugo/static/wp-uploads/zookeeper+tls/producer.config
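Review bot: `ssl.client.auth=required` is a broker-wide setting that, as far as I can tell, also governs the `SASL_SSL` listener on 9194 unless it is overridden per listener, while consumer.config and producer.config carry only a truststore and no client keystore; if that reading is right, the CLI clients' handshakes on 9194 are rejected for lack of a client certificate, and the split the example aims for (mutual TLS between brokers, SASL/PLAIN for clients) needs `listener.name.sasl_ssl.ssl.client.auth=none` next to the JAAS line. The same applies to kafka-2.properties in this commit. The PLAIN users and their passwords are defined inline in `listener.name.sasl_ssl.plain.sasl.jaas.config`; a one-line comment that this is acceptable only because the listener is SASL_SSL, so the credentials travel encrypted, would help readers who copy this file into a setup with a plaintext listener.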
@@ -0,0 +1,5 @@
+security.protocol=SASL_SSL
+sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="producer" password="pw4producer";
+sasl.mechanism=PLAIN
+ssl.truststore.location=truststore.jks
+ssl.truststore.password=confidential
diff --git a/hugo/static/wp-uploads/zookeeper+tls/zoo.cfg b/hugo/static/wp-uploads/zookeeper+tls/zoo.cfg
new file mode 100644
index 00000000..ad80add7
--- /dev/null
+++ b/hugo/static/wp-uploads/zookeeper+tls/zoo.cfg
@@ -0,0 +1,8 @@
+dataDir=/tmp/zookeeper
+secureClientPort=2182
+maxClientCnxns=0
+authProvider.1=org.apache.zookeeper.server.auth.X509AuthenticationProvider
+ssl.keyStore.location=zookeeper.jks
+ssl.keyStore.password=confidential
+ssl.trustStore.location=truststore.jks
+ssl.trustStore.password=confidential
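Review bot: `maxClientCnxns=0` removes ZooKeeper's per-IP connection limit (the default is 60), which this lab with four TLS clients does not need; either drop the line or add `# 0 = no per-IP connection limit; loosened for the demo only, keep the default elsewhere`. The `ssl.*` keys and `secureClientPort=2182` only work with the Netty connection factory, which is selected out of sight in java.env via `-Dzookeeper.serverCnxnFactory=...NettyServerCnxnFactory`, and as far as I know the default NIO factory refuses a secure port outright; a comment pointing at java.env would save readers who copy zoo.cfg on its own a confusing start-up failure. `authProvider.1=...X509AuthenticationProvider` together with the absence of a plaintext `clientPort` is what makes the example TLS-only with certificate-identified clients, which is worth stating in a header comment so the intent survives when the file is adapted.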