1:在kafka的每个 broker机器上 生产证书文件
keytool -genkeypair -keyalg RSA -validity 3650 -keystore ~/.keystore -alias ${keyname}
2:导出证书文件
keytool -exportcert -keystore ~/.keystore -alias ${keyname} -file ${filename}.cert
3:在部署jmxtrans的机器上导入全部 broker上的证书文件
keytool -importcert -keystore ~/.truststore -alias ${keyname} -file ${filename}.cert
4:在kafka的每个broker上修改bin/kafka-server-start.sh文件,在exec 之前加入
export KAFKA_JMX_OPTS="-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.port=9999
-Dcom.sun.management.jmxremote.rmi.port=9999
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=/root/.keystore
-Djavax.net.ssl.keyStorePassword=${keystorepassword}
-Djavax.net.ssl.trustStore=/root/.truststore
-Djavax.net.ssl.trustStorePassword=${truststroepassword}
"
5:重启kafka集群
bin/kafka-server-start.sh -daemon config/server.properties
6:在jmxtrans机器上,配置文件中添加ssl=true
{
"servers":[
{
"port":"12345",
"host":"monitoredhost",
"ssl":true,
"queries": [ ... ]
}
]
}
7:启动jmxtrans.sh 脚本时,加入jvm参数
-Djavax.net.ssl.trustStore=/root/.truststroe
-Djavax.net.ssl.trustStorePassword=${truststorepassword}
