Kafka adapter fatal error caused by sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
Article ID: KB0072907
Updated On:
| Products | Versions |
|---|---|
| TIBCO Streaming | 10.6 and later |
Description
When a Streaming application using the Kafka adapter is started, a fatal error occurs:
(fragment deploy): 2021-10-28 13:22:11.520000-0400 [17748:OperatorThread(default.OutputAdapter.KafkaProducer)] ERROR com.streambase.sb.adapter.kafka.KafkaProducer.default.OutputAdapter: Fatal error ... (fragment deploy): Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: null (68) ... (fragment deploy): Caused by: javax.security.auth.login.LoginException: null (68) ... (fragment deploy): Caused by: sun.security.krb5.KrbException: null (68) ... (fragment deploy): Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
Resolution
This error indicates that the client krb5 configuration file (i.e. krb5.conf or krb5.ini) is not being referenced by the TIBCO Streaming application, or it does not define the Kerberos realm name in which the Kafka service runs.
First, make sure that the application is referencing the krb5 configuration file. This can be done by setting the Java system property 'java.security.krb5.conf'. For example, in a StreamBase Engine HOCON configuration:
In addition, confirm that your krb5 configuration file includes the definition for the Kerberos realm in which Kafka is run. For example:
Confirm that the client machine (i.e. the machine running your TIBCO Streaming application) can reach the kdc and admin servers noted in the krb5 configuration file. The default communication port for Kerberos is tcp/udp port 88. Check with your Kerberos administrator to confirm.
To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. Again, you may do this in your SB Engine configuration:
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters".
First, make sure that the application is referencing the krb5 configuration file. This can be done by setting the Java system property 'java.security.krb5.conf'. For example, in a StreamBase Engine HOCON configuration:
StreamBaseEngine = {
jvmArgs = [
"-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
"-Djava.security.krb5.conf=C:/configs/krb5.conf"
]
}
In addition, confirm that your krb5 configuration file includes the definition for the Kerberos realm in which Kafka is run. For example:
[realms]
KAFKA.SECURE = {
kdc = ec2-174-129-102-157.compute-1.amazonaws.com
admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
}
[domain_realm]
.amazonaws.com = KAFKA.SECURE
amazonaws.com = KAFKA.SECURE
Confirm that the client machine (i.e. the machine running your TIBCO Streaming application) can reach the kdc and admin servers noted in the krb5 configuration file. The default communication port for Kerberos is tcp/udp port 88. Check with your Kerberos administrator to confirm.
To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. Again, you may do this in your SB Engine configuration:
StreamBaseEngine = {
jvmArgs = [
"-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
"-Djava.security.krb5.conf=C:/configs/krb5.conf"
"-Dsun.security.krb5.debug=true"
]
}
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters".
Issue/Introduction
Provides some details and background on the fatal error caused by "Identifier doesn't match expected value (906).
Feedback
Yes
No
Powered by
