Skip to content

ZOOKEEPER-5023: Allow to set TLS version and ciphers for AdminServer#2359

Merged
anmolnar merged 3 commits intoapache:masterfrom
PDavid:ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers
Mar 23, 2026
Merged

ZOOKEEPER-5023: Allow to set TLS version and ciphers for AdminServer#2359
anmolnar merged 3 commits intoapache:masterfrom
PDavid:ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers

Conversation

@PDavid
Copy link
Contributor

@PDavid PDavid commented Mar 10, 2026
edited
Loading

Use the already existing properties for this in AdminServer:

  • zookeeper.ssl.quorum.enabledProtocols
  • zookeeper.ssl.quorum.ciphersuites

@PDavid
Copy link
Contributor Author

PDavid commented Mar 10, 2026
edited
Loading

Testing

Tested this locally as follows:

Created keystore:

keytool -genkeypair -alias zkAdmin -keyalg RSA -keysize 2048 \
  -dname "CN=your.server.com" -validity 365 \
  -keystore keystore.jks -storepass password -keypass password

Created truststore:

# Export the cert
keytool -export -alias zkAdmin -file zkAdmin.crt \
  -keystore keystore.jks -storepass password

# Import into truststore
keytool -import -alias zkAdmin -file zkAdmin.crt \
  -keystore truststore.jks -storepass password -noprompt

Added these to zoo.cfg:

...
admin.enableServer=true
admin.serverPort=8080
admin.forceHttps=true
ssl.enabledProtocols=TLSv1.2,TLSv1.3
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ssl.keyStore.type=jks
ssl.trustStore.type=jks
ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3
ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ssl.quorum.keyStore.type=jks
ssl.quorum.keyStore.location=keystore.jks
ssl.quorum.keyStore.password=password
ssl.quorum.trustStore.type=jks
ssl.quorum.trustStore.location=truststore.jks
ssl.quorum.trustStore.password=password
ssl.clientAuth=none

Started ZooKeeper:

mvn clean install -DskipTests && bin/zkServer.sh start

ZooKeeper log:

...
2026-03-11 11:38:00,985 [myid:] - INFO  [main:o.a.z.s.ZooKeeperServer@387] - Created server with tickTime 2000 ms minSessionTimeout 4000 ms maxSessionTimeout 40000 ms clientPortListenBacklog -1 dataLogdir /tmp/zookeeper/version-2 snapdir /tmp/zookeeper/version-2
2026-03-11 11:38:00,987 [myid:] - INFO  [main:o.a.z.c.X509Util@85] - Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation
2026-03-11 11:38:01,053 [myid:] - INFO  [main:o.a.z.c.X509Util@109] - Default TLS protocol is TLSv1.3, supported TLS protocols are [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
2026-03-11 11:38:01,100 [myid:] - INFO  [main:o.a.z.s.a.JettyAdminServer@143] - Successfully loaded private key from keystore.jks
2026-03-11 11:38:01,100 [myid:] - INFO  [main:o.a.z.s.a.JettyAdminServer@144] - Successfully loaded certificate authority from truststore.jks
2026-03-11 11:38:01,102 [myid:] - INFO  [main:o.a.z.s.a.JettyAdminServer@159] - Setting enabled protocols: 'TLSv1.2,TLSv1.3'
2026-03-11 11:38:01,102 [myid:] - INFO  [main:o.a.z.s.a.JettyAdminServer@166] - Setting enabled cipherSuites: 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
2026-03-11 11:38:01,105 [myid:] - WARN  [main:o.e.j.s.h.ContextHandler@1662] - o.e.j.s.ServletContextHandler@56303b57{/,null,STOPPED} contextPath ends with /*
2026-03-11 11:38:01,105 [myid:] - WARN  [main:o.e.j.s.h.ContextHandler@1673] - Empty contextPath
2026-03-11 11:38:01,108 [myid:] - INFO  [main:o.e.j.s.Server@375] - jetty-9.4.58.v20250814; built: 2025-08-14T02:28:49.637Z; git: 8f1440587e9e4ae7db3d74cf205643f3d707148d; jvm 17.0.12+7
2026-03-11 11:38:01,112 [myid:] - INFO  [main:o.e.j.s.s.DefaultSessionIdManager@334] - DefaultSessionIdManager workerName=node0
2026-03-11 11:38:01,112 [myid:] - INFO  [main:o.e.j.s.s.DefaultSessionIdManager@339] - No SessionScavenger set, using defaults
2026-03-11 11:38:01,112 [myid:] - INFO  [main:o.e.j.s.s.HouseKeeper@132] - node0 Scavenging every 660000ms
2026-03-11 11:38:01,114 [myid:] - WARN  [main:o.e.j.s.ConstraintSecurityHandler@759] - ServletContext@o.e.j.s.ServletContextHandler@56303b57{/,null,STARTING} has uncovered http methods for path: /*
2026-03-11 11:38:01,115 [myid:] - INFO  [main:o.e.j.s.h.ContextHandler@921] - Started o.e.j.s.ServletContextHandler@56303b57{/,null,AVAILABLE}
2026-03-11 11:38:01,117 [myid:] - INFO  [main:o.e.j.u.s.SslContextFactory@358] - x509=X509@aafcffa(zkadmin,h=[your.server.com],a=[],w=[]) for Server@6955cb39[provider=null,keyStore=null,trustStore=null]
2026-03-11 11:38:01,126 [myid:] - INFO  [main:o.e.j.s.AbstractConnector@333] - Started ServerConnector@7216fb24{SSL, (ssl, http/1.1)}{0.0.0.0:8080}
2026-03-11 11:38:01,126 [myid:] - INFO  [main:o.e.j.s.Server@415] - Started @521ms
2026-03-11 11:38:01,126 [myid:] - INFO  [main:o.a.z.s.a.JettyAdminServer@215] - Started AdminServer on address 0.0.0.0, port 8080 and command URL /commands
2026-03-11 11:38:01,129 [myid:] - INFO  [main:o.a.z.s.ServerCnxnFactory@172] - Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory
2026-03-11 11:38:01,129 [myid:] - WARN  [main:o.a.z.s.ServerCnxnFactory@337] - maxCnxns is not configured, using default value 0.
2026-03-11 11:38:01,130 [myid:] - INFO  [main:o.a.z.s.NIOServerCnxnFactory@652] - Configuring NIO connection handler with 10s sessionless connection timeout, 3 selector thread(s), 40 worker threads, and 64 kB direct buffers.
2026-03-11 11:38:01,131 [myid:] - INFO  [main:o.a.z.s.NIOServerCnxnFactory@660] - binding to port 0.0.0.0/0.0.0.0:2181
2026-03-11 11:38:01,137 [myid:] - INFO  [main:o.a.z.s.w.WatchManagerFactory@42] - Using org.apache.zookeeper.server.watch.WatchManager as watch manager
2026-03-11 11:38:01,137 [myid:] - INFO  [main:o.a.z.s.w.WatchManagerFactory@42] - Using org.apache.zookeeper.server.watch.WatchManager as watch manager
2026-03-11 11:38:01,137 [myid:] - INFO  [main:o.a.z.s.ZKDatabase@137] - zookeeper.snapshotSizeFactor = 0.33
2026-03-11 11:38:01,137 [myid:] - INFO  [main:o.a.z.s.ZKDatabase@157] - zookeeper.commitLogCount=500
2026-03-11 11:38:01,139 [myid:] - INFO  [main:o.a.z.s.p.SnapStream@61] - zookeeper.snapshot.compression.method = CHECKED
2026-03-11 11:38:01,139 [myid:] - INFO  [main:o.a.z.s.p.FileSnap@86] - Reading snapshot /tmp/zookeeper/version-2/snapshot.70
2026-03-11 11:38:01,141 [myid:] - INFO  [main:o.a.z.s.DataTree@1699] - The digest in the snapshot has digest version of 2, with zxid as 0x70, and digest value as 1371985504
2026-03-11 11:38:01,146 [myid:] - INFO  [main:o.a.z.s.ZKDatabase@294] - Snapshot loaded in 8 ms, highest zxid is 0x70, digest is 1371985504
2026-03-11 11:38:01,146 [myid:] - INFO  [main:o.a.z.s.p.FileTxnSnapLog@480] - Snapshotting: 0x70 to /tmp/zookeeper/version-2/snapshot.70
2026-03-11 11:38:01,147 [myid:] - INFO  [main:o.a.z.s.ZooKeeperServer@588] - Snapshot taken in 1 ms
2026-03-11 11:38:01,151 [myid:] - INFO  [ProcessThread(sid:0 cport:2181)::o.a.z.s.PrepRequestProcessor@135] - PrepRequestProcessor (sid:0) started, reconfigEnabled=false
2026-03-11 11:38:01,151 [myid:] - INFO  [main:o.a.z.s.RequestThrottler@75] - zookeeper.request_throttler.shutdownTimeout = 10000 ms
2026-03-11 11:38:01,158 [myid:] - INFO  [main:o.a.z.s.ContainerManager@97] - Using checkIntervalMs=60000 maxPerMinute=10000 maxNeverUsedIntervalMs=300000
2026-03-11 11:38:01,158 [myid:] - INFO  [main:o.a.z.a.ZKAuditProvider@42] - ZooKeeper audit is disabled.

Call AdminServer:

curl -v -k https://localhost:8080/commands/stat
* Host localhost:8080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8080...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=your.server.com
*  start date: Mar 10 12:58:28 2026 GMT
*  expire date: Mar 10 12:58:28 2027 GMT
*  issuer: CN=your.server.com
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to localhost (::1) port 8080
* using HTTP/1.x
> GET /commands/stat HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.15.0
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Date: Wed, 11 Mar 2026 10:40:14 GMT
< Strict-Transport-Security: max-age=86400; includeSubDomains
< Content-Type: application/json
< Content-Length: 1039
< Server: Jetty(9.4.58.v20250814)
< 
{
  "version" : "3.10.0-SNAPSHOT-fe714fc6238d4510cfb1f1763f5dd0f90ed526ab-dirty, built on 2026-03-11 10:35 UTC",
  "read_only" : false,
  "server_stats" : {
    "packets_sent" : 0,
    "packets_received" : 0,
    "fsync_threshold_exceed_count" : 0,
    "client_response_stats" : {
      "last_buffer_size" : -1,
      "min_buffer_size" : -1,
      "max_buffer_size" : -1
    },
    "data_dir_size" : 335547292,
    "log_dir_size" : 335547292,
    "last_processed_zxid" : 112,
    "provider_null" : false,
    "server_state" : "standalone",
    "outstanding_requests" : 0,
    "avg_latency" : 0.0,
    "max_latency" : 0,
    "min_latency" : 0,
    "num_alive_client_connections" : 0,
    "auth_failed_count" : 0,
    "non_mtlsremote_conn_count" : 0,
    "non_mtlslocal_conn_count" : 0,
    "uptime" : 133271
  },
  "client_response" : {
    "last_buffer_size" : -1,
    "min_buffer_size" : -1,
    "max_buffer_size" : -1
  },
  "node_count" : 5,
  "connections" : [ ],
  "secure_connections" : [ ],
  "command" : "stats",
  "error" : null
* Connection #0 to host localhost left intact
}%

@PDavid PDavid marked this pull request as ready for review March 11, 2026 08:13
@PDavid PDavid marked this pull request as draft March 11, 2026 09:44
@PDavid PDavid force-pushed the ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers branch from 92a6b05 to fe714fc Compare March 11, 2026 10:33
@PDavid PDavid force-pushed the ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers branch from fe714fc to af277a6 Compare March 11, 2026 11:44
@PDavid PDavid marked this pull request as ready for review March 11, 2026 13:02
anmolnar
anmolnar requested changes Mar 11, 2026
View reviewed changes
Copy link
Contributor

@anmolnar anmolnar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't reuse existing properties for this purpose. Historically we use separate TLS settings for the different protocols is ZooKeeper, so I recommend introducing the following settings:

  • admin.ssl.ciphersuites
  • admin.ssl.enabledProtocols

Check the following documentation as a reference:
https://zookeeper.apache.org/doc/r3.9.5/zookeeperAdmin.html#sc_adminserver_config

Thanks!

anmolnar
anmolnar approved these changes Mar 11, 2026
View reviewed changes
Copy link
Contributor

@anmolnar anmolnar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed my mind. Since we're already reusing quorum SSL properties in Admin server, it's okay to keep following that road.
Patch lgtm, just a nitpick. Thanks!

@PDavid
ZOOKEEPER-5023: Changed logging to DEBUG
f880376 
The logging of setting the enabled protocols and ciphers in JettyAdminServer is now changed to DEBUG.
@anmolnar anmolnar merged commit eab1659 into apache:master Mar 23, 2026
16 checks passed
@PDavid PDavid deleted the ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers branch March 24, 2026 07:52
PDavid added a commit to PDavid/zookeeper that referenced this pull request Mar 24, 2026
@PDavid
ZOOKEEPER-5023: Allow to set TLS version and ciphers for AdminServer
34fbde6 
Reviewers: meszibalu, anmolnar
Author: PDavid
Closes apache#2359 from PDavid/ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers

(cherry picked from commit eab1659)
@PDavid PDavid mentioned this pull request Mar 24, 2026
Closed
PDavid added a commit to PDavid/zookeeper that referenced this pull request Mar 24, 2026
@PDavid
ZOOKEEPER-5023: Allow to set TLS version and ciphers for AdminServer
d7e168f 
Reviewers: meszibalu, anmolnar
Author: PDavid
Closes apache#2359 from PDavid/ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers

(cherry picked from commit eab1659)
@PDavid PDavid mentioned this pull request Mar 24, 2026
Closed
PDavid added a commit to PDavid/zookeeper that referenced this pull request Mar 24, 2026
@PDavid
ZOOKEEPER-5023: Allow to set TLS version and ciphers for AdminServer
2847c8f 
Reviewers: meszibalu, anmolnar
Author: PDavid
Closes apache#2359 from PDavid/ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers

(cherry picked from commit eab1659)
asf-gitbox-commits pushed a commit that referenced this pull request Mar 24, 2026
@PDavid @anmolnar
ZOOKEEPER-5023: Allow to set TLS version and ciphers for AdminServer
49df972 
Reviewers: meszibalu, anmolnar
Author: PDavid
Closes #2359 from PDavid/ZOOKEEPER-5023-AdminServer-TLS-proto-ciphers

(cherry picked from commit eab1659)
Signed-off-by: Andor Molnar <andor@cloudera.com>
@anmolnar
Copy link
Contributor

anmolnar commented Mar 24, 2026

Merged to master and branch-3.9 branches. Thanks @PDavid !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anmolnar anmolnar anmolnar approved these changes

+1 more reviewer

@meszibalu meszibalu meszibalu approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@PDavid @anmolnar @meszibalu