Debugging SSL issues

Introduction

The Kafka operators can be configured to use SSL for encryption and authentication. Issues in this area can be trouble-shooted by enabling SSL debugging.

Toolkit version 2.0 and older

Set the javax.net.debug system property using the vmArg parameter.

Example:

stream <MessageType.StringMessage, MessageType.ConsumerMessageMetadata> ReceivedMessages as O = KafkaConsumer() {
    param
        propertiesFile: "etc/consumer.properties";    // here we set up the SSL related configs
        topic: "topic1", "topic2";
        clientId: "consumerClient-0";
        groupId: "group-0";

        vmArg: "-Djavax.net.debug=ssl:trustmanager";
}

Hint: If you need to specify multiple arguments for Java, specify multiple values for the vmArg parameter:

vmArg: "-Djavax.net.debug=ssl:trustmanager", "-Xmx1G";

Toolkit version 2.1 and newer

Use the optional sslDebug operators parameter to turn on SSL debugging. When both, -Djavax.net.debug via vmArg, and sslDebug operator parameter is used, the sslDebug parameter is ignored regardless of its value.

Example:

stream <MessageType.StringMessage, MessageType.ConsumerMessageMetadata> ReceivedMessages as O = KafkaConsumer() {
    param
        propertiesFile: "etc/consumer.properties";    // here we set up the SSL related configs
        topic: "topic1", "topic2";
        clientId: "consumerClient-0";
        groupId: "group-0";
        sslDebug: true;   // equivalent to javax.net.debug=all
}

For finer debugging specifications, you can of course also use the way described for the older toolkit versions.

Fine-grained debugging options

The options that can be used for the javax.net.debug=<x> system property are described in the IBM Knowledge Center.

Where <x> is one of :

x	description
`help`	prints out this help
`all`	turn on all debugging
`true`	turn on all debugging, for compatibility
`ssl`	turn on ssl debugging

The following can be used with ssl:

ssl:x	description
`record`	enable per-record tracing
`handshake`	print each handshake message
`keygen`	print key generation data
`session`	print session activity
`defaultctx`	print default SSL initialization
`sslctx`	print SSLContext tracing
`sessioncache`	print session cache tracing
`keymanager`	print key manager tracing
`trustmanager`	print trust manager tracing
`nio`	print nio tracing
`pluggability`	print pluggability tracing

handshake debugging can be widened with:

ssl`:handshake:`x	description
`data`	hex dump of each handshake message
`verbose`	verbose handshake message printing

record debugging can be widened with:

ssl:record:x	description
`plaintext`	hex dump of record plaintext
`packet`	print raw SSL/TLS packets

Examples:

vmArg: "-Djavax.net.debug=ssl:trustmanager,session,handshake:verbose";
vmArg: "-Djavax.net.debug=ssl:nio,session";

Unfortunately the SSL trace appears in stdout without timestamps, so that they cannot be correlated with PE operator trace. Turning on debugging for SSL has no effect (also no negative effect) as long as no SSL provider is active within the Java virtual machine.