Kafka adapter fatal error caused by "javax.security.auth.login.LoginException: Receive timed out"

Kafka adapter fatal error caused by "javax.security.auth.login.LoginException: Receive timed out"

book

Article ID: KB0072909

calendar_today

Updated On:

Products Versions
TIBCO Streaming 10.6 and later

Description

When a Streaming application using the Kafka adapter is started, a fatal error occurs:
 

(fragment deploy): 2021-10-28 13:36:09.214000-0400 [19292:OperatorThread(default.OutputAdapter.KafkaProducer)] 
ERROR com.streambase.sb.adapter.kafka.KafkaProducer.default.OutputAdapter: Fatal error
...
(fragment deploy): Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Receive timed out
...
(fragment deploy): Caused by: javax.security.auth.login.LoginException: Receive timed out
...
(fragment deploy): Caused by: java.net.SocketTimeoutException: Receive timed out

Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
 

Resolution

This error indicates that the Kerberos krb5 configuration sets an incorrect 'kdc' value in the krb5 configuration file, or the kdc server machine is unreachable from client machine (due to firewall or a network problem).

First, check the 'kdc' value set in the krb5 configuration file on the client machine. For example..
 
[realms]

KAFKA.SECURE = {
                kdc = ec2-174-129-102-157.compute-1.amazonaws.com
                admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
 }

[domain_realm]
  
  .amazonaws.com = KAFKA.SECURE
  amazonaws.com = KAFKA.SECURE

Check with your Kerberos administrator to confirm if the server name listed in the krb5 configuration is correct for your system.

In this case, the machine that runs the TIBCO Streaming application needs to be able to communicate with the kdc and admin servers running on 'ec2-174-129-102-157.compute-1.amazonaws.com'. By default, Kerberos uses tcp/udp port 88. To check connectivity to the kdc, use telnet (linux/mac) or portqry (Windows) from a command prompt. For example:
 
$ telnet ec2-174-129-102-157.compute-1.amazonaws.com 88

> portqry -n ec2-174-129-102-157.compute-1.amazonaws.com -e 88 -p both

To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. Again, you may do this in your SB Engine configuration:
 
StreamBaseEngine = {
        jvmArgs = [
            "-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
            "-Djava.security.krb5.conf=C:/configs/krb5.conf"
            "-Dsun.security.krb5.debug=true"
        ]
}

For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters"
 

Issue/Introduction

Provides some details and background on the fatal error caused by "javax.security.auth.login.LoginException: Receive timed out".