Kafka Channel fatal error caused by "javax.security.auth.login.LoginException: Receive timed out"


Article ID: KB0072864

Product: TIBCO BusinessEvents Enterprise Edition
Versions: 6.1 and later

Description

When a BE application that uses the Kafka Channel is started, a fatal error occurs:
 
[Krb5LoginModule] authentication failed 
Receive timed out
...
2021 Oct 28 14:06:17.087 GMT -04:00 kafka.tibco.com FATAL [main] -
[container.standalone] Failed to construct kafka consumer
...
Caused by: org.apache.kafka.common.KafkaException:
javax.security.auth.login.LoginException: Receive timed out
...
Caused by: javax.security.auth.login.LoginException: Receive timed out
...
Caused by: java.net.SocketTimeoutException: Receive timed out

Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
 

Issue/Introduction

Provides some details and background on the fatal error caused by "javax.security.auth.login.LoginException: Receive timed out".

Environment

All Supported Platforms

Resolution

This error indicates that either the 'kdc' value set in the krb5 configuration file is incorrect, or the kdc server machine is unreachable from the client machine (due to a firewall or a network problem).

First, check the 'kdc' value set in the krb5 configuration file on the client machine. For example:

 
[realms]
KAFKA.SECURE = {
  kdc = ec2-174-129-102-157.compute-1.amazonaws.com
  admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
}
...
[domain_realm]
  .amazonaws.com = KAFKA.SECURE
  amazonaws.com = KAFKA.SECURE

Check with your Kerberos administrator to confirm that the server name listed in the krb5 configuration is correct for your system.

In this case, the machine that runs the BE application needs to be able to communicate with the kdc and admin servers running on 'ec2-174-129-102-157.compute-1.amazonaws.com'. By default, Kerberos uses TCP/UDP port 88. To check connectivity to the kdc, use telnet (Linux/Mac) or portqry (Windows) from a command prompt. For example:

 
$ telnet ec2-174-129-102-157.compute-1.amazonaws.com 88

> portqry -n ec2-174-129-102-157.compute-1.amazonaws.com -e 88 -p both
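
The two checks above (confirm the 'kdc' value, then test the port) can be combined in one script. This is an added example, not part of the original article or of any TIBCO tooling: it reads every kdc entry under [realms] and attempts a TCP connection to each, defaulting to port 88. The function names and the embedded sample text are constructed for illustration; the check covers TCP only, as telnet does, so UDP still needs portqry.

```python
import re
import socket

# Constructed sample in the layout of the article's krb5 configuration.
SAMPLE_KRB5 = """\
[realms]
KAFKA.SECURE = {
  kdc = ec2-174-129-102-157.compute-1.amazonaws.com
  admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
}
[domain_realm]
  .amazonaws.com = KAFKA.SECURE
"""

def kdc_endpoints(text, default_port=88):
    """Return [(realm, host, port)] for each 'kdc =' line inside [realms]."""
    section, realm, found = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                               # e.g. [realms], [domain_realm]
            section, realm = header.group(1), None
        elif section != "realms":
            continue
        elif line.endswith("{"):                 # "KAFKA.SECURE = {"
            realm = line.split("=", 1)[0].strip()
        elif line.startswith("}"):
            realm = None
        elif realm and re.match(r"kdc\s*=", line):
            # Assumption: host is a name or IPv4 address, optionally host:port.
            host, _, port = line.split("=", 1)[1].strip().partition(":")
            found.append((realm, host, int(port) if port else default_port))
    return found

def tcp_reachable(host, port, timeout=5.0):
    """Attempt a TCP connect; return (ok, detail) without raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:   # DNS failure, refused, timed out, filtered
        return False, f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    for realm, host, port in kdc_endpoints(SAMPLE_KRB5):
        ok, detail = tcp_reachable(host, port)
        print(f"{realm}: {host}:{port} -> {'OK' if ok else 'FAILED'} ({detail})")
```

To run it against a real client, pass the contents of that machine's krb5 configuration file to kdc_endpoints instead of the sample.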

To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. You may set this in your project's CDD file under Cluster > Properties:
 
sun.security.krb5.debug = true

For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL_SSL authentication for the TIBCO BusinessEvents Kafka Channel".