*Overview:*

We’re running a Kafka cluster in *KRaft mode* with each node configured as
broker,controller, using *Red Hat JDK 17*.
We recently migrated the *inter.broker.protocol* and
*controller.protocol* authentication
mechanisms to *SCRAM-SHA-512*, and updated the necessary files:
server.properties, kafkaJaas.conf, and kafka-storage.sh.

The new authentication works fine in non-FIPS environments, and Kafka runs
without issues.
However, in the *FIPS-enabled setup*, the Kafka pods fail with the
following error:

"[2025-08-13 19:26:36,693] ERROR [RaftManager id=0] Connection to node 1
(address:19092) failed authentication due to: Authentication failed during
authentication due to invalid credentials with SASL mechanism SCRAM-SHA-512
(org.apache.kafka.clients.NetworkClient)"

Below are the configs we are using:

bash-5.1$ cd opt/kafka/milvus/
bash-5.1$ cat kafkaJaas.conf
KafkaServer {
  org.apache.kafka.common.security.scram.ScramLoginModule required
  username="lakehouse"
  password="twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy"
  user_admin="twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy"
  user_lakehouse="twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy"
  user_user="twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy";
};

bash-5.1$ cat server.properties | tail -n 15
# ------ watsonx.data kafka broker SSL configuration ------
ssl.endpoint.identification.algorithm=
ssl.keystore.type=PKCS12
ssl.keystore.password=btqxlns0eEbAw2sew0dAtfm3
ssl.keystore.location=/opt/kafka/milvus/keystore.pkcs12
ssl.truststore.type=PKCS12
ssl.truststore.password=btqxlns0eEbAw2sew0dAtfm3
ssl.truststore.location=/opt/kafka/milvus/truststore.pkcs12
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.mechanism.controller.protocol=SCRAM-SHA-512
listener.name.controller.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="lakehouse" password="twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy" user_admin="twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy" user_user="twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy" user_lakehouse="twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy";
ssl.enabled.protocols=TLSv1.3
ssl.protocol=TLSv1.3

opt/kafka/bin/kafka-storage.sh format \
            -t "$KAFKA_CLUSTER_ID" \
            -c "$KAFKA_HOME/milvus/server.properties" \
            --add-scram "SCRAM-SHA-512=[name=lakehouse,password=twbSDhryzmIWkQPmREfMZZ0rfKyoI5yy]" \
            --ignore-formatted || true


Can you revert on this issue on priority? Thanks.
