
Enable https communication for Kafka Manager interface

Open shades198 opened this issue 7 years ago • 6 comments

Kafka Manager is running on plain http. Is there any setting/provision to make it run on https? I couldn't find it in documentation. If not, it would be really great feature addition

shades198 avatar Nov 03 '17 06:11 shades198

The current kafka manager uses play framework 2.4.x as an http server. It uses a self-signed cert by default and can be configured for https as via system properties follows: ./kafka-manager -Dhttp.port=disabled -Dhttps.port=443

dan-frohlich avatar Jul 02 '18 15:07 dan-frohlich

how can we use CA cert instead of its default self-signed cert?

thammuio avatar Oct 10 '18 20:10 thammuio

-Dplay.server.https.keyStore.path=/home//keystore.jks -Dplay.server.https.keyStore.password=pass -Dplay.server.https.keyStore.type=JKS

I have used this but am getting the below error:

[error] p.c.s.NettyServer$PlayPipelineFactory - cannot load SSL context
java.lang.reflect.InvocationTargetException: null
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_162]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_162]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_162]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_162]
    at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96) ~[com.typesafe.play.play-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32) ~[com.typesafe.play.play-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.NettyServer$PlayPipelineFactory.liftedTree1$1(NettyServer.scala:113) [com.typesafe.play.play-netty-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.NettyServer$PlayPipelineFactory.sslEngineProvider$lzycompute(NettyServer.scala:112) [com.typesafe.play.play-netty-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.NettyServer$PlayPipelineFactory.sslEngineProvider(NettyServer.scala:111) [com.typesafe.play.play-netty-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.NettyServer$PlayPipelineFactory.getPipeline(NettyServer.scala:90) [com.typesafe.play.play-netty-server_2.11-2.4.6.jar:2.4.6]
Caused by: java.lang.Exception: Error loading HTTPS keystore from /home/keystore.jks
    at play.core.server.ssl.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:47) ~[com.typesafe.play.play-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.ssl.DefaultSSLEngineProvider.<init>(DefaultSSLEngineProvider.scala:21) ~[com.typesafe.play.play-server_2.11-2.4.6.jar:2.4.6]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_162]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_162]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_162]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_162]
    at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96) ~[com.typesafe.play.play-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32) ~[com.typesafe.play.play-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.NettyServer$PlayPipelineFactory.liftedTree1$1(NettyServer.scala:113) [com.typesafe.play.play-netty-server_2.11-2.4.6.jar:2.4.6]
    at play.core.server.NettyServer$PlayPipelineFactory.sslEngineProvider$lzycompute(NettyServer.scala:112) [com.typesafe.play.play-netty-server_2.11-2.4.6.jar:2.4.6]
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328) ~[na:1.8.0_162]
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146) ~[na:1.8.0_162]
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56) ~[na:1.8.0_162]
    at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96) ~[na:1.8.0_162]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70) ~[na:1.8.0_162]
    at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_162]
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133) ~[na:1.8.0_162]
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_162]
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_162]
    at play.core.server.ssl.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:43) ~[com.typesafe.play.play-server_2.11-2.4.6.jar:2.4.6]

thammuio avatar Oct 10 '18 21:10 thammuio

I was able to successfully configure SSL (using version 1.3.3.17) by generating a jks file and adding the following lines to my application.conf:

play.server.https.keyStore.path=/path/to/keystore.jks
play.server.https.keyStore.password=XXXX

Permissions on the jks file are 400 and owned by the same user under which kafka-manager is running.

pmbuko avatar Feb 18 '19 19:02 pmbuko

play.server.https.keyStore.path=/path/to/server.keystoreXXX http.port=disabled https.port=9443

and then open the page with https://xxx:9443

YiGene avatar Mar 27 '19 05:03 YiGene

I found you have to do the following:

Use Java properties to set the HTTP/HTTPS ports:

-Dhttp.port=disabled -Dhttps.port=9443

Then modify application.conf and set

play.server.https.keyStore.path=/path/to/keystore.jks
play.server.https.keyStore.password="<keystore_pass>"
play.server.https.keyStore.type=JKS
play.http.port=disabled
play.https.port=9443

If you are using a private cert, then you need to update cacerts for your Java installation. If there is a way to specify it in application.conf, I have not found it.

It may be OK to omit play.http.port and play.https.port if you are passing them as Java properties, or maybe they need to be specified as https.port and https.port in application.conf, but you'll have to experiment. With almost no documentation, I just found what worked for me.

HayDegha0917 avatar Apr 30 '21 19:04 HayDegha0917
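The recipe that emerges from the comments above (keystore in application.conf, ports as system properties) is easy to get subtly wrong, so here is an added end-to-end script that is not part of CMAK or of any comment in this thread. It builds the JKS keystore with `keytool`, checks the file permissions pmbuko recommends, and prints the launch line from the thread. The keystore path, alias, start-script name and port are assumptions; change them to match your deployment. The one detail worth knowing for the "Cannot recover key" trace posted earlier: Play's default SSL engine provider opens the private-key entry with the keystore password, so the key password and the keystore password must be the same.

```shell
#!/bin/sh
# Added example, not CMAK project code. Assumed values below.
KEYSTORE="${KEYSTORE:-/etc/kafka-manager/keystore.jks}"   # assumed path
ALIAS="${ALIAS:-kafka-manager}"                             # assumed key alias
HTTPS_PORT="${HTTPS_PORT:-9443}"                            # port used in the thread

# Create a JKS keystore whose key password equals the keystore password.
# Play 2.4's DefaultSSLEngineProvider uses the keystore password for the
# key entry too; a different -keypass yields UnrecoverableKeyException.
make_keystore() {
  ks="$1"; pass="$2"; cn="$3"
  keytool -genkeypair -keystore "$ks" -storetype JKS -alias "$ALIAS" \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$cn" -ext "SAN=dns:$cn" \
    -storepass "$pass" -keypass "$pass"
  chmod 400 "$ks"
  # To replace the self-signed cert with a CA-issued one, keep the same alias:
  #   keytool -certreq    -keystore "$ks" -alias "$ALIAS" -storepass "$pass" -file "$cn.csr"
  #   keytool -importcert -keystore "$ks" -alias ca -file ca.pem -storepass "$pass" -noprompt
  #   keytool -importcert -keystore "$ks" -alias "$ALIAS" -file "$cn.pem" -storepass "$pass"
}

# Returns 0 only when the keystore exists, is owned by the current user and
# is readable by nobody else (mode 400 or 600), as recommended in the thread.
check_keystore_perms() {
  ks="$1"
  [ -f "$ks" ] || return 1
  mode=$(stat -c '%a' "$ks" 2>/dev/null || stat -f '%Lp' "$ks")
  owner=$(stat -c '%u' "$ks" 2>/dev/null || stat -f '%u' "$ks")
  [ "$owner" = "$(id -u)" ] || return 1
  case "$mode" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# System properties from the working combination in the thread. The keystore
# password is deliberately NOT passed here: a -D value is visible to every
# local user via ps, so keep play.server.https.keyStore.password in
# application.conf, protected by the same file permissions as the keystore.
launch_args() {
  ks="$1"; port="$2"
  printf '%s' "-Dhttp.port=disabled -Dhttps.port=$port -Dplay.server.https.keyStore.path=$ks -Dplay.server.https.keyStore.type=JKS"
}

# After start-up, confirm the listener serves the intended certificate chain.
show_served_cert() {
  host="$1"; port="$2"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Stand-alone run: generate only when asked, then check permissions and print
# the launch line ("./kafka-manager" is the script name used in the thread).
if [ "${KM_GENERATE:-0}" = "1" ]; then
  make_keystore "$KEYSTORE" "${KEYSTORE_PASS:?set KEYSTORE_PASS}" "$(hostname -f)"
fi
if check_keystore_perms "$KEYSTORE"; then
  echo "keystore permissions OK: $KEYSTORE"
else
  echo "warning: $KEYSTORE is missing, not yours, or readable by others" >&2
fi
echo "./kafka-manager $(launch_args "$KEYSTORE" "$HTTPS_PORT")"
```

Run with `KM_GENERATE=1 KEYSTORE_PASS=... sh kafka-manager-tls.sh` once to build the keystore, then `show_served_cert kafka-manager.example.internal 9443` after start-up to confirm the served issuer is your CA and not the default self-signed certificate. Note that the JVM's `cacerts` file is a trust store consulted when the JVM acts as a TLS client; the HTTPS listener only needs the private key and its certificate chain in the keystore named by `play.server.https.keyStore.path`.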