Kafka Channel fatal error caused by "javax.security.auth.login.LoginException: Receive timed out"
Article ID: KB0072864
Updated On:
| Products | Versions |
|---|---|
| TIBCO BusinessEvents Enterprise Edition | 6.1 and later |
Description
When a BE application that uses the Kafka Channel is started, a fatal error occurs:
Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
[Krb5LoginModule] authentication failed
Receive timed out
...
2021 Oct 28 14:06:17.087 GMT -04:00 kafka.tibco.com FATAL [main] -
[container.standalone] Failed to construct kafka consumer
...
Caused by: org.apache.kafka.common.KafkaException:
javax.security.auth.login.LoginException: Receive timed out
...
Caused by: javax.security.auth.login.LoginException: Receive timed out
...
Caused by: java.net.SocketTimeoutException: Receive timed out
Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
Issue/Introduction
Provides some details and background on the fatal error caused by "javax.security.auth.login.LoginException: Receive timed out".
Environment
All Supported Platforms
Resolution
This error indicates that the Kerberos krb5 configuration sets an incorrect 'kdc' value in the krb5 configuration file, or the kdc server machine is unreachable from client machine (due to firewall or a network problem).
First, check the 'kdc' value set in the krb5 configuration file on the client machine. For example..
Check with your Kerberos administrator to confirm if the server name listed in the krb5 configuration is correct for your system.
In this case, the machine that runs the BE application needs to be able to communicate with the kdc and admin servers running on 'ec2-174-129-102-157.compute-1.amazonaws.com'. By default, Kerberos uses tcp/udp port 88. To check connectivity to the kdc, use telnet (linux/mac) or portqry (Windows) from a command prompt. For example:
To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. You may set this in your project's CDD file under Cluster > Properties:
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL_SSL authentication for the TIBCO BusinessEvents Kafka Channel".
First, check the 'kdc' value set in the krb5 configuration file on the client machine. For example..
[realms]
KAFKA.SECURE = {
kdc = ec2-174-129-102-157.compute-1.amazonaws.com
admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
}
...
[domain_realm]
.amazonaws.com = KAFKA.SECURE
amazonaws.com = KAFKA.SECURE
Check with your Kerberos administrator to confirm if the server name listed in the krb5 configuration is correct for your system.
In this case, the machine that runs the BE application needs to be able to communicate with the kdc and admin servers running on 'ec2-174-129-102-157.compute-1.amazonaws.com'. By default, Kerberos uses tcp/udp port 88. To check connectivity to the kdc, use telnet (linux/mac) or portqry (Windows) from a command prompt. For example:
$ telnet ec2-174-129-102-157.compute-1.amazonaws.com 88
> portqry -n ec2-174-129-102-157.compute-1.amazonaws.com -e 88 -p both
To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. You may set this in your project's CDD file under Cluster > Properties:
sun.security.krb5.debug = true
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL_SSL authentication for the TIBCO BusinessEvents Kafka Channel".
Feedback
Yes
No
Powered by
