Node-to-node encryption secures the internal connections between ZooKeeper servers in the
cluster with SSL. Node-to-node encryption is done strictly between ZooKeeper nodes. Global Mailbox nodes are not
affected.
Before you begin
Each ZooKeeper server must have a keystore containing a key-certificate (private key + public certificate). The key-certificate can be self-signed or signed by a certificate authority (CA).
- Generating a self-signed personal certificate.
- Creating a truststore.
Important: Before you set up the node-to-node encryption, make sure you stop the Watchdog service. To do this, run the command:
./stopGMCoordinateWatchdog.sh
About this task
To set up node-to-node encryption:
Procedure
- Log in to the ZooKeeper server as the user who installed Sterling B2B Integrator and Global Mailbox.
- Import the certificate of every server into the truststore of each server with the Java keytool command:
keytool -importcert -alias <name> -file <path to cert file> -keystore <path to truststore> -storepass <password> -storetype JKS
Where,
- -alias <name>: Any name that does not already exist in the truststore. It can be a descriptive label, such as server 1.
- -file <path to cert file>: Specifies the fully qualified path to the file to which the server's public certificate was exported when its personal certificate was created in Generating a self-signed personal certificate.
- -keystore <path to truststore>: Specifies the fully qualified path of the server truststore file. For example, /etc/zookeeper/ssl/keystore.jks.
- -storepass <password>: Specifies the password of the server truststore file.
- -storetype JKS: The keystore type must be JKS.
Note: For the ZooKeeper servers to trust each other, the truststore of each server must contain the certificate of every server. When the personal certificate for each server is created in Generating a self-signed personal certificate, its public certificate is exported to a file. Copy the public certificate file of each server to the file system of every server, or to a shared file system that all servers can access (for example, <config_root>).
- Quorum TLS is disabled by default and must be explicitly enabled. Edit the zoo.cfg file located at <installed-directory>/zookeeper/conf on every server as follows:
sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=<path to keystore>
ssl.quorum.keyStore.password=<password>
ssl.quorum.trustStore.location=<path to truststore>
ssl.quorum.trustStore.password=<password>
Where,
- ssl.quorum.keyStore.location=<path to keystore>: Specifies the fully qualified path to the server keystore file. For example, /etc/zookeeper/ssl/keystore.jks.
- ssl.quorum.keyStore.password=<password>: Specifies the password that was used when the keystore was created.
- ssl.quorum.trustStore.location=<path to truststore>: Specifies the fully qualified path to the server truststore file. For example, /etc/zookeeper/ssl/truststore.jks.
- ssl.quorum.trustStore.password=<password>: Specifies the password that was used when the truststore was created.
- Optional: Configure a specific SSL version and its cipher suites. Add the following properties to zoo.cfg:
ssl.quorum.protocol=<SSL protocol version>
ssl.quorum.ciphersuites=<list of SSL ciphers>
Where,
- ssl.quorum.protocol: Specifies the SSL protocol version. If not specified, the default value TLSv1.2 is used. For the list of supported values, see SSL Protocols.
- ssl.quorum.ciphersuites: Specifies the comma-separated list of cipher suites. If not specified, all supported cipher suites are used. For the list of supported values, see Cipher suites.
Note: You can establish a more secure connection by configuring TLS 1.3 as the default mode of communication. To do this, override both properties as follows:
ssl.quorum.protocol=TLSv1.3
ssl.quorum.ciphersuites=<list of supported ciphers for TLS 1.3>
Where ssl.quorum.ciphersuites is the comma-separated list of cipher suites. It can contain any one or more of the supported ciphers.
For example,
ssl.quorum.protocol=TLSv1.3
ssl.quorum.ciphersuites=TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256
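A pre-restart check for the zoo.cfg settings from the two preceding steps, added here as an example; it is not part of the product documentation or of ZooKeeper itself. It assumes a POSIX shell with grep, tail, cut and tr; the two configuration files it writes are constructed samples and the password values are placeholders.

```shell
#!/bin/sh
# Constructed sample zoo.cfg files (not real cluster configuration): one that
# matches the procedure, one with the mistakes the check is meant to catch.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=/etc/zookeeper/ssl/keystore.jks
ssl.quorum.keyStore.password=changeit
ssl.quorum.trustStore.location=/etc/zookeeper/ssl/truststore.jks
ssl.quorum.trustStore.password=changeit
ssl.quorum.protocol=TLSv1.3
ssl.quorum.ciphersuites=TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
EOF
cat > "$BAD_CFG" <<'EOF'
serverCnxnFactory=org.apache.zookeeper.server.NIOServerCnxnFactory
ssl.quorum.trustStore.location=/etc/zookeeper/ssl/truststore.jks
ssl.quorum.protocol=TLSv1.3
ssl.quorum.ciphersuites=TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EOF

# Value of a key in a zoo.cfg file (last occurrence wins); empty if absent.
cfg_get() { grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-; }

# Returns 0 when the file enables quorum TLS as the procedure requires; otherwise
# prints each problem and returns 1. Run it on every server before restarting.
check_quorum_tls_cfg() {
  cfg=$1; rc=0
  [ "$(cfg_get "$cfg" sslQuorum)" = true ] || { echo "sslQuorum is not true"; rc=1; }
  [ "$(cfg_get "$cfg" serverCnxnFactory)" = org.apache.zookeeper.server.NettyServerCnxnFactory ] \
    || { echo "serverCnxnFactory is not the Netty factory"; rc=1; }
  for k in ssl.quorum.keyStore.location ssl.quorum.keyStore.password \
           ssl.quorum.trustStore.location ssl.quorum.trustStore.password; do
    [ -n "$(cfg_get "$cfg" "$k")" ] || { echo "$k is missing or empty"; rc=1; }
  done
  if [ "$(cfg_get "$cfg" ssl.quorum.protocol)" = TLSv1.3 ]; then
    # With TLSv1.3 forced, every listed suite must be a TLS 1.3 suite; a TLS 1.2
    # suite name here adds nothing and can leave no usable suite for the handshake.
    for s in $(cfg_get "$cfg" ssl.quorum.ciphersuites | tr ',' ' '); do
      case $s in
        TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256) ;;
        *) echo "$s is not a TLS 1.3 cipher suite"; rc=1 ;;
      esac
    done
  fi
  return $rc
}
```

Running `check_quorum_tls_cfg /path/to/zoo.cfg` on each server before the restart step reports every missing or mismatched setting at once instead of leaving you to find them in zookeeper.log after a failed handshake.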
- Restart ZooKeeper by running the following commands from the /bin directory within the Global Mailbox install:
  - Stop ZooKeeper by running the command:
  - Restart ZooKeeper by running the command:
- Start the ZooKeeper service on all servers. Once all the ZooKeeper server instances are up, check <zookeeper install directory>/logs/zookeeper.log to verify the SSL handshake between servers.