---
id: dd4e9c44-12a9-4c94-890b-0b96e408e8c2
---
# Authentication Failure in Kafka Cluster with SASL_SSL protocol.
---

This incident type refers to the failure of authentication in a Kafka cluster that is using the SASL_SSL protocol for authentication. This could be caused by various reasons such as invalid credentials, expired certificates, or configuration issues. As a result, users may not be able to access the Kafka cluster, or may experience delays or errors when attempting to do so. This can have a significant impact on the overall functionality of the software system that relies on the Kafka cluster for data processing and communication.

### Parameters
```shell
export KAFKA_BOOTSTRAP_SERVER="PLACEHOLDER"

export PATH_TO_CA_CERT="PLACEHOLDER"

export KAFKA_BOOTSTRAP_PORT="PLACEHOLDER"

export USERNAME="PLACEHOLDER"

export PASSWORD="PLACEHOLDER"
```

## Debug

### Check if Kafka is running
```shell
systemctl status kafka
```

### Check the Kafka logs for any error messages related to SASL_SSL authentication
```shell
journalctl -u kafka | grep SASL_SSL
```

### Verify that the correct credentials are being used for authentication
```shell
kafka-configs.sh --bootstrap-server ${KAFKA_BOOTSTRAP_SERVER} --describe --entity-type users
```

### Check the Kafka server.properties file to ensure that SASL_SSL is enabled and configured correctly
```shell
cat /etc/kafka/server.properties | grep SASL_SSL
```

### Verify that the correct SSL/TLS certificates are being used for encryption and authentication
```shell
openssl s_client -connect ${KAFKA_BOOTSTRAP_SERVER}:${KAFKA_BOOTSTRAP_PORT} -tls1_2 -CAfile ${PATH_TO_CA_CERT}
```

## Repair

### Check the credentials being used for authentication and verify that they are correct.
```shell


#!/bin/bash



# Check the credentials being used for authentication and verify that they are correct.



# Set the variables for the username and password

username=${USERNAME}

password=${PASSWORD}



# Check if the credentials are correct by attempting to authenticate

if kinit $username@$REALM -kt /path/to/keytab ; then

    echo "Authentication successful"

else

    echo "Authentication failed"

fi


```


This incident type refers to the failure of authentication in a Kafka cluster that is using the SASL\_SSL protocol for authentication. This could be caused by various reasons such as invalid credentials, expired certificates, or configuration issues. As a result, users may not be able to access the Kafka cluster, or may experience delays or errors when attempting to do so. This can have a significant impact on the overall functionality of the software system that relies on the Kafka cluster for data processing and communication.


The "Kubernetes CPU Availability Low" incident type refers to an incident where the available CPU for requests in a Kubernetes cluster is too low. This can cause performance issues and potential downtime for the affected service. This incident may be triggered by a monitoring system or an alert from Kubernetes itself. It is important to investigate and resolve this incident promptly to ensure the service is operating optimally.


Kubernetes CPU Availability Low

This incident type refers to a situation where there is an issue with the communication between Kafka brokers due to network partitioning. A network partition is a situation where a network is split into two or more parts, and communication between them is disrupted. This issue can lead to data inconsistency, loss of messages, delayed message delivery, and other related problems. As a result, it is important to quickly detect and resolve these incidents to prevent any downstream impact on the system.


Network Partitioning Between Kafka Brokers.

This incident type refers to an issue where the network bandwidth on one or more Kafka nodes becomes fully saturated, causing the node(s) to experience performance degradation or even failure. This can result in message delivery delays or loss, and can also impact other nodes that rely on the affected node(s) for message replication. The saturation can be caused by a variety of factors, such as increased message traffic, misconfiguration, or hardware issues.


Network Saturation Check for Kafka Nodes

This incident type refers to when a Kafka node runs out of storage space to store data. This can cause issues with data processing and storage, potentially leading to data loss and system downtime.


Kafka node insufficient storage check

This incident type refers to a scenario where the liveness check for Kafka cannot reach/communicate with the host where the broker is running. This issue can arise due to various reasons such as network issues, broker failure, or configuration errors. This can result in the Kafka broker being unavailable or not responding to requests, leading to potential service disruptions or downtime.


Kafka liveness check failure.

```shell
export KAFKA_BOOTSTRAP_SERVER="PLACEHOLDER"

export PATH_TO_CA_CERT="PLACEHOLDER"

export KAFKA_BOOTSTRAP_PORT="PLACEHOLDER"

export USERNAME="PLACEHOLDER"

export PASSWORD="PLACEHOLDER"
```


### Check if Kafka is running

```shell
systemctl status kafka
```

### Check the Kafka logs for any error messages related to SASL\_SSL authentication

```shell
journalctl -u kafka | grep SASL_SSL
```

### Verify that the correct credentials are being used for authentication

```shell
kafka-configs.sh --bootstrap-server ${KAFKA_BOOTSTRAP_SERVER} --describe --entity-type users
```

### Check the Kafka server.properties file to ensure that SASL\_SSL is enabled and configured correctly

```shell
cat /etc/kafka/server.properties | grep SASL_SSL
```

### Verify that the correct SSL/TLS certificates are being used for encryption and authentication

```shell
openssl s_client -connect ${KAFKA_BOOTSTRAP_SERVER}:${KAFKA_BOOTSTRAP_PORT} -tls1_2 -CAfile ${PATH_TO_CA_CERT}
```


### Check the credentials being used for authentication and verify that they are correct.

```shell


#!/bin/bash



# Check the credentials being used for authentication and verify that they are correct.



# Set the variables for the username and password

username=${USERNAME}

password=${PASSWORD}



# Check if the credentials are correct by attempting to authenticate

if kinit $username@$REALM -kt /path/to/keytab ; then

    echo "Authentication successful"

else

    echo "Authentication failed"

fi


```


Authentication Failure in Kafka Cluster with SASL_SSL protocol.

Overview

Parameters

Debug

Check if Kafka is running

Verify that the correct credentials are being used for authentication

Check the Kafka server.properties file to ensure that SASL_SSL is enabled and configured correctly

Verify that the correct SSL/TLS certificates are being used for encryption and authentication

Repair

Check the credentials being used for authentication and verify that they are correct.

Learn more

Related Runbooks

Kubernetes CPU Availability Low

Network Partitioning Between Kafka Brokers.

Network Saturation Check for Kafka Nodes

Kafka node insufficient storage check

Support