Kafka fips: BCFIPS not working with upgrade to JAVA11
I have a Kafka cluster running in FIPS mode with the following configuration.
Brokers: 3, Zookeeper Nodes: 3
Kafka: 2.0.0, Scala: 2.12
Zookeeper: 3.4.14
Java - 8
bc-fips - 1.0.1
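This cluster is running fine and is in a healthy state.
We have now upgraded Kafka (2.4.0) and Java (11), and since then the FIPS cluster fails to load the bc-fips library and start Kafka. New cluster configuration: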
Brokers: 3, Zookeeper Nodes: 3
Kafka: 2.4.0, Scala: 2.12
Zookeeper: 3.4.14
Java - 11
bc-fips - 1.0.2
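Based on the analysis so far, the problem appears to be with loading the bc-fips jar under the new Java version (11), as the Java documentation says:
- From JDK 9 onwards, adding external jars via jre/lib/ext is no longer supported.
- The ability to pass extra parameters to a security provider at load time has been removed.
So when I start the Kafka service, it fails with the following error: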
org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: java.security.NoSuchAlgorithmException: DEFAULT SecureRandom not available
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:158)
at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:146)
at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:85)
at kafka.network.Processor.<init>(SocketServer.scala:753)
at kafka.network.SocketServer.newProcessor(SocketServer.scala:394)
at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors(SocketServer.scala:279)
at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:158)
at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:278)
at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors(SocketServer.scala:241)
at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$adapted(SocketServer.scala:238)
at scala.collection.mutable.ResizableArray.foreach(ResizableArray.scala:62)
at scala.collection.mutable.ResizableArray.foreach$(ResizableArray.scala:55)
at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:49)
at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:238)
at kafka.network.SocketServer.startup(SocketServer.scala:121)
at kafka.server.KafkaServer.startup(KafkaServer.scala:263)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
at kafka.Kafka$.main(Kafka.scala:84)
at kafka.Kafka.main(Kafka.scala)
Caused by: org.apache.kafka.common.KafkaException: java.security.NoSuchAlgorithmException: DEFAULT SecureRandom not available
at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSecureRandom(SslEngineBuilder.java:126)
at org.apache.kafka.common.security.ssl.SslEngineBuilder.<init>(SslEngineBuilder.java:86)
at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:95)
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:154)
... 18 more
Caused by: java.security.NoSuchAlgorithmException: DEFAULT SecureRandom not available
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.base/java.security.SecureRandom.getInstance(SecureRandom.java:364)
at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSecureRandom(SslEngineBuilder.java:124)
... 21 more
[2020-05-18 11:59:39,646] INFO [KafkaServer id=48] shutting down (kafka.server.KafkaServer)
Note: as mentioned above, the same configuration works with java-8.
Any help would be appreciated.
OK, I got this working with the setup below:
Java: 11.0.7
BCFIPS: bc-fips-1.0.2.jar
Add the bcfips jar to the Kafka lib directory: <-kafka-root-directory->/libs/bc-fips-1.0.2.jar
Then start the Kafka server, and it will load the bcfips jar.
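
A check that can be run before restarting the broker, as an added example that is not part of the original question or answer: it lists the JCA providers the JVM has registered and repeats the `SecureRandom.getInstance("DEFAULT")` lookup that fails in the stack trace. The class name `FipsProviderCheck` is hypothetical; `BCFIPS` is the name the Bouncy Castle FIPS provider registers under, and the check assumes it is started with the same classpath and `java.security` settings as the broker.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

// Hypothetical diagnostic class (not Kafka or Bouncy Castle code).
public class FipsProviderCheck {

    // Name of the first registered provider that offers SecureRandom.<algorithm>, or null.
    static String providerOffering(String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService("SecureRandom", algorithm) != null) {
                return p.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Providers in preference order; position 1 is consulted first.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d. %s%n", i + 1, providers[i].getName());
        }

        // If the jar is not on the classpath, or the provider is not
        // registered, this is false and the lookup below fails.
        boolean registered = Security.getProvider("BCFIPS") != null;
        System.out.println("BCFIPS registered: " + registered);
        System.out.println("SecureRandom.DEFAULT offered by: " + providerOffering("DEFAULT"));

        try {
            // Same lookup as SslEngineBuilder.createSecureRandom in the trace.
            SecureRandom rng = SecureRandom.getInstance("DEFAULT");
            byte[] sample = new byte[16];
            rng.nextBytes(sample); // forces the DRBG to initialise
            System.out.println("OK: DEFAULT SecureRandom from " + rng.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            // Reproduces "DEFAULT SecureRandom not available" without starting Kafka.
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```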