Hi All,

Error: SSL peer is not authenticated, returning ANONYMOUS instead while connecting as a producer on port 9094 (which is SASL_SSL with the SCRAM mechanism)

I have Kafka 2.2.0 on Windows systems with SSL enabled, where the Kafka broker with plaintext is running on 9092 and SSL on 9093. On top of that, I configured SASL with the SCRAM mechanism, with the listener port as 9094. Kafka is running properly with the above configuration, and producers/consumers are able to connect on ports 9092 & 9093. But when a producer/consumer tries to connect on 9094, it gives the error mentioned above. Below are the SASL configurations (SASL configuration details only).

zookeeper.properties

    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    requireClientAuthScheme=sasl
    jaasLoginRenew=3600000

server.properties

    listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093,SASL_SSL://0.0.0.0:9094
    advertised.listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093,SASL_SSL://localhost:9094
    sasl.enabled.mechanisms=SCRAM-SHA-256
    sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256

producer.properties

    security.protocol=SSL

zookeeper_server_jaas.conf

    Server {
        org.apache.kafka.common.security.scram.ScramLoginModule required
        username="admin"
        password="admin-pwd"
        user_admin="admin-pwd"
        user_other1="other1-pwd"
        user_other2="other2-pwd";
    };

Kafka_server_jaas.conf

    KafkaServer {
        org.apache.kafka.common.security.scram.ScramLoginModule required
        username="admin"
        password="admin-pwd";
    };
    Client {
        org.apache.kafka.common.security.plain.PlainLoginModule required
        username="admin"
        password="admin-pwd";
    };

kafka_client_jaas.conf

    KafkaClient {
        org.apache.kafka.common.security.scram.ScramLoginModule required
        username="admin"
        password="admin-pwd";
    };

Start Zookeeper as

    set KAFKA_OPTS=-Djava.security.auth.login.config=%KAFKA_HOME%/config/zookeeper_server_jaas.conf
    zookeeper-server-start.bat %KAFKA_HOME%/config/zookeeper.properties

Start Kafka

    set KAFKA_OPTS=-Djava.security.auth.login.config=%KAFKA_HOME%/config/kafka_server_jaas.conf
    kafka-server-start.bat %KAFKA_HOME%/config/server.properties

Start Producer

    set KAFKA_OPTS=-Djava.security.auth.login.config=%KAFKA_HOME%/config/kafka_client_jaas.conf
    kafka-console-producer.bat --broker-list localhost:9094 --topic xxx

Error:

    [2019-10-14 15:39:42,108] DEBUG [SslTransportLayer channelId=127.0.0.1:9094-127.0.0.1:63848-0 key=sun.nio.ch.SelectionKeyImpl@222a223c] SSL peer is not authenticated, returning ANONYMOUS instead (org.apache.kafka.common.network.SslTransportLayer)
    [2019-10-14 15:39:42,108] DEBUG [SslTransportLayer channelId=127.0.0.1:9094-127.0.0.1:63848-0 key=sun.nio.ch.SelectionKeyImpl@222a223c] SSL handshake completed successfully with peerHost '127.0.0.1' peerPort 63848 peerPrincipal 'User:ANONYMOUS' cipherSuite 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256' (org.apache.kafka.common.network.SslTransportLayer)
    [2019-10-14 15:39:42,108] DEBUG Set SASL server state to HANDSHAKE_OR_VERSIONS_REQUEST during authentication (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
    [2019-10-14 15:39:42,108] DEBUG Handling Kafka request API_VERSIONS during authentication (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
    [2019-10-14 15:39:42,108] DEBUG Set SASL server state to HANDSHAKE_REQUEST during authentication (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
    [2019-10-14 15:39:42,108] DEBUG Set SASL server state to FAILED during authentication (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
    [2019-10-14 15:39:42,108] INFO [SocketServer brokerId=0] Failed authentication with 127.0.0.1/127.0.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)

Did I miss some configuration?

Thanks & Regards
Venkata MR
+91 98455 77125
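Added example (not part of the original message): a Python check that compares a client's security.protocol and sasl.mechanism with the broker listener it targets, run here on the server.properties and producer.properties values quoted in the message. A client that speaks plain SSL to a SASL_SSL listener completes TLS and then skips the SASL handshake, which the broker reports as "Unexpected Kafka request of type METADATA during SASL handshake". The function names are hypothetical, and the check assumes listener names equal security protocols (no listener.security.protocol.map override).

```python
import re

# Constructed inputs: the relevant lines quoted in the message above.
SERVER_PROPERTIES = """\
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093,SASL_SSL://0.0.0.0:9094
sasl.enabled.mechanisms=SCRAM-SHA-256
"""
PRODUCER_PROPERTIES = "security.protocol=SSL\n"

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def listener_protocols(server):
    """Map port -> listener name (assumed to equal the security protocol)."""
    ports = {}
    for entry in server.get("listeners", "").split(","):
        m = re.fullmatch(r"\s*(\w+)://.*:(\d+)\s*", entry)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports

def check_client(server_text, client_text, port):
    """Return a list of mismatches between the client config and the listener on port."""
    server, client = parse_properties(server_text), parse_properties(client_text)
    expected = listener_protocols(server).get(port)
    if expected is None:
        return [f"no listener on port {port}"]
    findings = []
    actual = client.get("security.protocol", "PLAINTEXT")  # Kafka client default
    if actual != expected:
        findings.append(f"security.protocol={actual} but port {port} is a {expected} listener")
    if expected.startswith("SASL_"):
        enabled = [m.strip() for m in server.get("sasl.enabled.mechanisms", "GSSAPI").split(",")]
        mech = client.get("sasl.mechanism", "GSSAPI")  # Kafka client default
        if mech not in enabled:
            findings.append(f"sasl.mechanism={mech} not in broker sasl.enabled.mechanisms {enabled}")
    return findings

if __name__ == "__main__":
    for finding in check_client(SERVER_PROPERTIES, PRODUCER_PROPERTIES, 9094):
        print(finding)
```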