Hi all — quick question on the Generic KAFKA Producer connector. We’re configuring it with SASL (username/password) and the broker connection is failing with
Confluent.Kafka.KafkaException: Local: Broker transport failure
while a Kafka consumer using the same broker/creds works. In the Producer element UI we also see fields like Keystore Location, Keystore Password, and CA Certificate Location. Do these need to be filled in when using SASL, or only when the broker requires TLS (e.g., SASL_SSL)? If TLS is required, what’s the expected format/location for the cert/keystore on the DMA and which of those fields are mandatory?
Hi!
No, the Keystore and CA certificate fields are not required when using plain SASL (SASL_PLAINTEXT). They are only required when the Kafka broker uses TLS encryption, such as SASL_SSL or SSL.
Regarding the error Local: Broker transport failure, it usually indicates one of these issues:
- Wrong security.protocol
- TLS required but not configured
- Firewall blocking broker port (In my experience, Confluent was blocked by a firewall in the application layer)
- Broker expects SSL but client uses PLAINTEXT
- advertised.listeners mismatch
Since your consumer works, compare these settings carefully:
- security.protocol
- sasl.mechanism
- sasl.username
- sasl.password
- bootstrap.servers
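One way to do the comparison suggested above, as an added example that is not part of the original posts: it diffs the five listed settings between a working consumer config and a failing producer config, compares passwords by digest so the secret is never printed, and flags the case where only one side uses TLS. The two configs, hostnames and credentials are constructed sample values.

```python
import hashlib

KEYS = ("security.protocol", "sasl.mechanism", "sasl.username",
        "sasl.password", "bootstrap.servers")
TLS_PROTOCOLS = {"SSL", "SASL_SSL"}

# Constructed sample configs (hypothetical hosts and credentials).
CONSUMER = """
bootstrap.servers=broker1.example.internal:9093,broker2.example.internal:9093
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.username=svc-dataminer
sasl.password=correct-horse
"""
PRODUCER = """
bootstrap.servers=broker2.example.internal:9093, broker1.example.internal:9093
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-512
sasl.username=svc-dataminer
sasl.password=correct-horse
"""

def parse(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def normalise(key, value):
    if value is None:  # librdkafka defaults security.protocol to plaintext
        return "PLAINTEXT" if key == "security.protocol" else None
    if key == "bootstrap.servers":  # broker order does not matter
        return ",".join(sorted(s.strip() for s in value.split(",")))
    if key == "sasl.password":  # compare by digest, never print the secret
        return "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:12]
    return value

def compare(consumer_text, producer_text):
    """Return {key: (consumer, producer)} for each setting that differs."""
    c, p = parse(consumer_text), parse(producer_text)
    pairs = {k: (normalise(k, c.get(k)), normalise(k, p.get(k))) for k in KEYS}
    return {k: v for k, v in pairs.items() if v[0] != v[1]}

def tls_mismatch(diff):
    # True when only one side uses a TLS protocol (SSL or SASL_SSL).
    cv, pv = diff.get("security.protocol", (None, None))
    return (str(cv).upper() in TLS_PROTOCOLS) != (str(pv).upper() in TLS_PROTOCOLS)

if __name__ == "__main__":
    diff = compare(CONSUMER, PRODUCER)
    print(diff, "TLS mismatch:", tls_mismatch(diff))
```

A TLS mismatch in the output means the producer is the side where the Keystore and CA Certificate fields become relevant.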