Kafka adapter fatal error caused by "javax.security.auth.login.LoginException: Receive timed out"
Article ID: KB0072909
Updated On:
| Products | Versions |
|---|---|
| TIBCO Streaming | 10.6 and later |
Description
When a Streaming application using the Kafka adapter is started, a fatal error occurs:
(fragment deploy): 2021-10-28 13:36:09.214000-0400 [19292:OperatorThread(default.OutputAdapter.KafkaProducer)] ERROR com.streambase.sb.adapter.kafka.KafkaProducer.default.OutputAdapter: Fatal error ... (fragment deploy): Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Receive timed out ... (fragment deploy): Caused by: javax.security.auth.login.LoginException: Receive timed out ... (fragment deploy): Caused by: java.net.SocketTimeoutException: Receive timed out
Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
Resolution
This error indicates that the Kerberos krb5 configuration sets an incorrect 'kdc' value in the krb5 configuration file, or the kdc server machine is unreachable from client machine (due to firewall or a network problem).
First, check the 'kdc' value set in the krb5 configuration file on the client machine. For example..
Check with your Kerberos administrator to confirm if the server name listed in the krb5 configuration is correct for your system.
In this case, the machine that runs the TIBCO Streaming application needs to be able to communicate with the kdc and admin servers running on 'ec2-174-129-102-157.compute-1.amazonaws.com'. By default, Kerberos uses tcp/udp port 88. To check connectivity to the kdc, use telnet (linux/mac) or portqry (Windows) from a command prompt. For example:
To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. Again, you may do this in your SB Engine configuration:
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters".
First, check the 'kdc' value set in the krb5 configuration file on the client machine. For example..
[realms]
KAFKA.SECURE = {
kdc = ec2-174-129-102-157.compute-1.amazonaws.com
admin_server = ec2-174-129-102-157.compute-1.amazonaws.com
}
[domain_realm]
.amazonaws.com = KAFKA.SECURE
amazonaws.com = KAFKA.SECURE
Check with your Kerberos administrator to confirm if the server name listed in the krb5 configuration is correct for your system.
In this case, the machine that runs the TIBCO Streaming application needs to be able to communicate with the kdc and admin servers running on 'ec2-174-129-102-157.compute-1.amazonaws.com'. By default, Kerberos uses tcp/udp port 88. To check connectivity to the kdc, use telnet (linux/mac) or portqry (Windows) from a command prompt. For example:
$ telnet ec2-174-129-102-157.compute-1.amazonaws.com 88 > portqry -n ec2-174-129-102-157.compute-1.amazonaws.com -e 88 -p both
To assist in troubleshooting, set the sun.security.krb5.debug system property to 'true'. Again, you may do this in your SB Engine configuration:
StreamBaseEngine = {
jvmArgs = [
"-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
"-Djava.security.krb5.conf=C:/configs/krb5.conf"
"-Dsun.security.krb5.debug=true"
]
}
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters".
Issue/Introduction
Provides some details and background on the fatal error caused by "javax.security.auth.login.LoginException: Receive timed out".
Feedback
Yes
No
Powered by
