Authentication using TLS

    Client certificates are generated using the same certificate authority as was used to generate the server certificates.

    The biggest difference between client certs and server certs is that the common name (CN) of the client certificate is the role token that the client will be authenticated as.

    First generate the key.

    Similar to the broker, the client expects the key to be in PKCS 8 format, so convert it.

    $ openssl pkcs8 -topk8 -in admin.key.pem -out admin.key-pk8.pem -nocrypt

    Generate the certificate request.

    $ openssl req -config openssl.cnf \
        -key admin.key.pem -new -sha256 -out admin.csr.pem

    Sign the request with the certificate authority. Note that client certs use the usr_cert extension, which allows the cert to be used for client authentication.

    This will give you a cert, admin.cert.pem, and a key, admin.key-pk8.pem, which, together with ca.cert.pem, clients can use to authenticate themselves to brokers and proxies as the role token admin.
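The check a broker relies on when such a client connects, modelled in Go as an added example (this is not Pulsar's code): the presented cert must chain to ca.cert.pem and be valid for TLS client authentication, which is what the usr_cert profile grants, and its CN then becomes the role token. To stay self-contained it builds a throwaway CA and certificates in memory with ECDSA keys instead of the RSA/PKCS 8 files produced above; that choice and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for cn (constructed test PKI, not real files).
// parent == nil self-signs a CA; otherwise parentKey signs it, like the CA signing step above.
func issue(cn string, ekus []x509.ExtKeyUsage, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// roleFromClientCert mirrors what TLS authentication on the broker relies on: the presented
// cert must chain to the trusted CA (ca.cert.pem) and be valid for TLS client authentication;
// its CN is then the role token. Anything else is rejected before authorization is consulted.
func roleFromClientCert(cert, ca *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // untrusted issuer, expired, or a cert not meant for client auth
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("client cert has no CN, so no role token")
	}
	return cert.Subject.CommonName, nil
}
```

A server cert signed by the same CA (serverAuth only) fails the usage check, which is why client certs need the usr_cert profile rather than the one used for brokers.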

    Note: If you get an "unable to load CA private key" error in this step and the reason given is "No such file or directory: /etc/pki/CA/private/cakey.pem", please try:

      … on Brokers

      To configure brokers to authenticate clients, put the following in broker.conf, alongside the configuration to enable TLS transport:

      # Configuration to enable authentication
      authenticationEnabled=true
      authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls

      To configure proxies to authenticate clients, put the following in proxy.conf, alongside the configuration to enable TLS transport:

      The proxy should have its own client key pair for connecting to brokers. The role token for this key pair should be configured in the proxyRoles of the brokers. See the authorization guide for more details.

      When using TLS authentication, the client needs to connect via TLS transport, so you need to configure the client to use https:// and port 8443 for the web service URL, and pulsar+ssl:// and port 6651 for the broker service URL.

      CLI tools

      You'll need to add the following parameters to the client configuration file to use TLS authentication with Pulsar's CLI tools:

      webServiceUrl=https://broker.example.com:8443/
      brokerServiceUrl=pulsar+ssl://broker.example.com:6651/
      useTls=true
      tlsAllowInsecureConnection=false
      tlsTrustCertsFilePath=/path/to/ca.cert.pem
      authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
      authParams=tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem

      Java client

      import org.apache.pulsar.client.api.PulsarClient;

      // The pulsar+ssl:// scheme selects TLS transport; the trust file lets the client verify the broker,
      // and AuthenticationTls presents the role's cert and PKCS 8 key to the broker.
      PulsarClient client = PulsarClient.builder()
          .serviceUrl("pulsar+ssl://broker.example.com:6651/")
          .tlsTrustCertsFilePath("/path/to/ca.cert.pem")
          .authentication("org.apache.pulsar.client.impl.auth.AuthenticationTls",
                  "tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem")
          .build();

      C++ client

      #include <pulsar/Client.h>

      pulsar::ClientConfiguration config;
      config.setUseTls(true);
      config.setTlsTrustCertsFilePath("/path/to/ca.cert.pem");
      config.setTlsAllowInsecureConnection(false);
      // Present this role's cert and PKCS 8 key as the client identity.
      pulsar::AuthenticationPtr auth = pulsar::AuthTls::create("/path/to/my-role.cert.pem",
                                                               "/path/to/my-role.key-pk8.pem");
      config.setAuth(auth);
      pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);