Connecting to a kerberised Kafka cluster on Windows

To read from or write to a Kerberised Kafka cluster that runs on the Windows operating system, configure the default realm, KDC, and Kafka advanced source or target properties.
You can configure Kerberos authentication for a Kafka client by placing the required Kerberos configuration files on the Secure Agent machine and specifying the required JAAS configuration in the Kafka connection. The JAAS configuration defines the keytab and principal details that the Kafka broker must use to authenticate the Kafka client.
Before you read from or write to a Kerberised Kafka cluster, perform the following tasks:
  1. Ensure that you have the krb5.ini file for the Kerberised Kafka cluster.
  2. Configure the default realm and KDC. If the default C:\Windows\krb5.ini file is not configured or you want to change the configuration, add the following lines to the C:\Windows\krb5.ini file:
    [libdefaults]
    default_realm = <REALM NAME>
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    <REALM NAME> = {
    kdc = <Location where KDC is installed>
    admin_server = <Location where KDC is installed>
    }

    [domain_realm]
    .<domain name or hostname> = <KERBEROS DOMAIN NAME>
    <domain name or hostname> = <KERBEROS DOMAIN NAME>
  3. In the System Configuration Details section of the Secure Agent, select the Type as Tomcat JRE for the Data Integration Server. Edit JRE_OPTS as '-Xrs -Djava.security.krb5.conf=C:\Windows\krb5.ini'.
  4. To pass a static JAAS configuration file into the JVM using the java.security.auth.login.config property at runtime, perform the following tasks:
    a. Ensure that you have a JAAS configuration file.
      For information about creating JAAS configuration and configuring Keytab for Kafka clients, see the Apache Kafka documentation at https://kafka.apache.org/0101/documentation/#security
      For example, the JAAS configuration file can contain the following lines of configuration:
      // Kafka Client Authentication. Used for client to Kafka broker connection
      KafkaClient {
      com.sun.security.auth.module.Krb5LoginModule required
      doNotPrompt=true
      useKeyTab=true
      storeKey=true
      keyTab="<Kafka keytab file directory>\\<Kafka keytab file name>"
      principal="<principal name>"
      client=true;
      };
    b. Place the JAAS config file and keytab file in the same location on all the nodes.
      Informatica recommends that you place the files in a location that is accessible to all the nodes in the cluster. Example: C:\\Windows or \temp
    c. Configure the following properties:
      Kafka connection
        Configure the Additional Connection Properties property in a Kafka connection and specify the value in the following format:
        security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI
      Sources
        Configure the Consumer Configuration Properties property in the advanced source properties to override the value specified in the Additional Connection Properties property in a Kafka connection. Specify the value in the following format:
        security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI
      Targets
        Configure the Producer Configuration Properties property in the advanced target properties to override the value specified in the Additional Connection Properties property in a Kafka connection. Specify the value in the following format:
        security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI
  5. To embed the JAAS configuration in the sasl.jaas.config configuration property, configure the following properties:
    Kafka connection
      Configure the Additional Connection Properties property in a Kafka connection and specify the value in the following format:
      security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI,
      sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
      storeKey=true doNotPrompt=true serviceName="<service_name>" keyTab="<Kafka keytab file directory>\\<Kafka keytab file name>"
      client=true principal="<principal_name>";
    Sources
      Configure the Consumer Configuration Properties property in the advanced source properties to override the value specified in the Kerberos Configuration Properties property in a Kafka connection. Specify the value in the following format:
      security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI,
      sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
      storeKey=true doNotPrompt=true serviceName="<service_name>" keyTab="<Kafka keytab file directory>\\<Kafka keytab file name>"
      client=true principal="<principal_name>";
    Targets
      Configure the Producer Configuration Properties property in the advanced target properties to override the value specified in the Kerberos Configuration Properties property in a Kafka connection. Specify the value in the following format:
      security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI,
      sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
      storeKey=true doNotPrompt=true serviceName="<service_name>" keyTab="<Kafka keytab file directory>\\<Kafka keytab file name>"
      client=true principal="<principal_name>";
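
The following Python check is an added example, not part of the Informatica documentation: it lints a connection-properties string in the embedded sasl.jaas.config format before the value is pasted into the Kafka connection. Splitting on commas outside double quotes is an assumption about how the value is parsed, and the keytab path and principal in the sample are constructed.

```python
import re

# Constructed sample in the embedded format; keytab path and principal are made up.
SAMPLE = (
    "security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,\n"
    "sasl.mechanism=GSSAPI,sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required "
    'useKeyTab=true storeKey=true doNotPrompt=true serviceName="kafka" '
    r'keyTab="C:\\kafka\\client.keytab" client=true principal="etl@EXAMPLE.COM";'
)

def split_properties(value):
    """Split key=value pairs on commas outside double quotes (assumed format)."""
    props = {}
    for part in re.findall(r'(?:[^,"]|"[^"]*")+', value):
        key, _, val = part.strip().partition("=")
        props[key] = val.strip()
    return props

def parse_jaas(entry):
    """Return (module, flag, options, terminated) for an inline JAAS entry."""
    body = entry.strip()
    tokens = re.findall(r'[^\s="]+="[^"]*"|\S+', body.rstrip(";"))
    module, flag = (tokens + ["", ""])[:2]
    pairs = (tok.partition("=") for tok in tokens[2:])
    return module, flag, {k: v.strip('"') for k, _, v in pairs}, body.endswith(";")

def lint(value):
    """Return a list of findings for a connection-properties string."""
    props, findings = split_properties(value), []
    if props.get("sasl.mechanism") != "GSSAPI":
        findings.append("sasl.mechanism is not GSSAPI")
    if not props.get("sasl.kerberos.service.name"):
        findings.append("sasl.kerberos.service.name is missing")
    protocol = props.get("security.protocol", "")
    if not protocol.startswith("SASL_"):
        findings.append("security.protocol does not select SASL")
    elif protocol == "SASL_PLAINTEXT":
        findings.append("SASL_PLAINTEXT: authenticated, but traffic is not TLS-encrypted")
    if "sasl.jaas.config" in props:
        module, flag, opts, terminated = parse_jaas(props["sasl.jaas.config"])
        if not terminated:
            findings.append("sasl.jaas.config does not end with ';'")
        if not module.endswith("Krb5LoginModule") or flag != "required":
            findings.append("expected Krb5LoginModule with the 'required' flag")
        if opts.get("useKeyTab") == "true" and not opts.get("keyTab"):
            findings.append("useKeyTab=true but keyTab is not set")
        if opts.get("doNotPrompt") == "true" and not opts.get("principal"):
            findings.append("doNotPrompt=true but principal is not set")
    return findings
```

Calling lint(SAMPLE) returns a single finding about SASL_PLAINTEXT; a value that passes with no findings would use SASL_SSL, which requires a TLS listener on the brokers.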