Configuring Kerberos Authentication for a Kafka Client
You can configure Kerberos authentication for a Kafka client by placing the required Kerberos configuration files on the Secure Agent machine and specifying the required JAAS configuration in the Kafka connection. The JAAS configuration defines the keytab and principal details that the Kafka broker must use to authenticate the Kafka client.
1. Get the following files from your Kafka Kerberos administrator:
   - kafka_server.keytab
   - krb5.ini or krb5.conf
   - kafka_jaas.conf
2. Copy the kafka_server.keytab file to the Secure Agent machine.
3. On the Secure Agent machine, copy the krb5.ini file or the krb5.conf file to the location for your operating system:

   Operating System    File Location
   Windows             C:\Windows\krb5.ini
   Linux               /etc/krb5.conf

4. Copy all the broker and KDC server entries from the Kafka Kerberos environment to the hosts file of the Secure Agent machine.
5. Perform the following steps in the Kafka connection:
   a. Enter the host name and port number of the Kafka broker that is in a Kerberized domain.
   b. In the Use SASL field, select Yes.
   c. In the SASL Mechanism field, enter GSSAPI.
   d. In the Jaas Config field, provide details about the Kerberos keytab file and the principal from the kafka_jaas.conf file, as shown in the following example:
com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="<path and file name of the keytab file on the Secure Agent machine>" serviceName="kafka" principal="<principal value from the kafka_jaas.conf file>";
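
The following pre-flight check is an added example, not part of the product or its documentation: it parses a Jaas Config value in the format shown above and reports missing options, leftover placeholders, and a keytab that is absent from the Secure Agent machine. The function names, the sample path and principal, and the POSIX permission check on the keytab are assumptions introduced for this example.

```python
import os
import re
import stat

MODULE = "com.sun.security.auth.module.Krb5LoginModule"

def parse_jaas_entry(entry):
    """Split a one-line JAAS entry into (module, control flag, options dict)."""
    entry = entry.strip()
    if not entry.endswith(";"):
        raise ValueError("JAAS entry must end with ';'")
    parts = entry[:-1].split(None, 2)
    if len(parts) < 3:
        raise ValueError("expected '<module> <flag> <options>;'")
    module, flag, raw = parts
    # Option values are either double-quoted or bare tokens.
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', raw)
    return module, flag, {k: quoted or bare for k, quoted, bare in pairs}

def check_jaas_entry(entry):
    """Return a list of problems; an empty list means the entry looks usable."""
    module, flag, opts = parse_jaas_entry(entry)
    problems = []
    if module != MODULE:
        problems.append(f"unexpected login module: {module}")
    if flag != "required":
        problems.append(f"control flag is '{flag}', expected 'required'")
    for key in ("useKeyTab", "storeKey"):
        if opts.get(key) != "true":
            problems.append(f"{key} must be true")
    for key in ("keyTab", "principal", "serviceName"):
        value = opts.get(key, "")
        if not value or value.startswith("<"):
            problems.append(f"{key} is missing or still a placeholder")
    keytab = opts.get("keyTab", "")
    if keytab and not keytab.startswith("<"):
        if not os.path.isfile(keytab):
            problems.append(f"keytab not found: {keytab}")
        elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
            # Added hardening check (POSIX only): the keytab holds long-term keys.
            problems.append("keytab is accessible to group or others")
    return problems

if __name__ == "__main__":
    # Constructed sample values; replace with the real path and principal.
    sample = (MODULE + ' required useKeyTab=true storeKey=true '
              'keyTab="/tmp/example.keytab" serviceName="kafka" '
              'principal="client@EXAMPLE.COM";')
    for problem in check_jaas_entry(sample):
        print("PROBLEM:", problem)
```

Run it on the Secure Agent machine under the account that runs the agent, so that the file checks reflect what the agent process will see.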