This error indicates that the Kerberos user's
keytab file is not being referenced in the client's jaas configuration. In this case, the client is the TIBCO Streaming application that uses the Kafka adapters.
Inspect the client's jaas configuration file, which is typically referenced by your TIBCO Streaming application using the Java system property '
java.security.auth.login.config'. For example, in a StreamBase Engine HOCON configuration:
StreamBaseEngine = {
jvmArgs = [
"-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
"-Djava.security.krb5.conf=C:/configs/krb5.conf"
"-Dsun.security.krb5.debug=true"
]
}
In '
kafka_client_jaas.conf', make sure the '
KafkaClient' definition references the client/user's keytab file:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
serviceName="kafka"
useKeyTab=true
debug=true
keyTab="C:/keytabs/user1.user.keytab"
principal="user1/@KAFKA.SECURE";
};
Here, the user's keytab file is expected to exist under
C:/keytabs/. If the keytab file exists and you still face this fatal error, consult with your Kerberos administrator to obtain an updated copy of the keytab file.
To assist in troubleshooting, set the '
sun.security.krb5.debug' system property to '
true'. Again, you may do this in your SB Engine configuration:
StreamBaseEngine = {
jvmArgs = [
"-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
"-Djava.security.krb5.conf=C:/configs/krb5.conf"
"-Dsun.security.krb5.debug=true"
]
}
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled
"How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters".