Kafka OAuth authentication using OKTA

2025-03-27 Thread Shirolkar, Anup
Hi Team,

I am trying to set up Kafka authentication using OAuth with Okta as the token
provider.
I am following a few online blogs, but it is not completely working.

There is no comprehensive documentation about this that I can use.
Can someone please list the steps needed for this?

Thanks,
Anup Shirolkar.


Re: Kafka process fails to start when special character is present in Keystore password in SSL encryption and SASL authentication

2025-03-27 Thread Deepak Jain
Thanks Maciej for the prompt response. We tried percent encoding and Unicode
encoding, but neither worked either.

Please note that we are able to pass the special character via
server.properties but not with the ZooKeeper config in the shell script. We
tried putting an environment variable in server.properties and setting its
value to the decrypted password (containing special characters) from the
shell script, but that also didn't work.

Due to security limitations, we cannot put the password in plaintext in the
server.properties file, and we found no way to pass an encrypted password
via it.

We use our own internal encryption/decryption mechanism, which works fine, but
we are unable to pass the decrypted password with special characters via the
shell script.

Please help us in this regard.

Thanks,
Deepak
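
An added shell illustration (not from the thread) of the two things that can break the `--add-config` string built in the script quoted further down: the unquoted `$zooKeeperConfig` expansion, which the shell splits on whitespace before `kafka-configs.sh` ever sees it, and a comma inside a value, which `kafka-configs.sh` treats as a list separator unless the value is wrapped in square brackets. The sample password is constructed; `build_zk_config` and the other function names are mine, and `KAFKA_SSL_PASSWORD_ENCODER_SECRET_PROP` is the thread's own variable.

```shell
#!/bin/sh
# Illustration only: shows how a keystore password with shell metacharacters
# or commas is mangled on its way into `--add-config`, and how to build and
# pass the value so it arrives intact. It does not start Kafka.

count_args() { echo "$#"; }

# Deliberately unquoted, mirroring `--add-config $zooKeeperConfig` in the
# thread: the value is split on IFS (and globbed) into several arguments.
args_unquoted() { count_args $1; }
# Quoted: the whole value is one argument, whatever it contains.
args_quoted()   { count_args "$1"; }

# kafka-configs.sh splits the --add-config list on commas; its --help says a
# value that itself contains commas must be grouped in square brackets.
cfg_value() {
    case "$1" in
        *,*) printf '[%s]' "$1" ;;
        *)   printf '%s' "$1" ;;
    esac
}

# Build the same three listener properties the thread's script builds.
# $1 = keystore/truststore password, $2 = optional extra "key=value" property.
build_zk_config() {
    pwd_val=$(cfg_value "$1")
    cfg="listener.name.sasl_ssl.ssl.truststore.password=$pwd_val"
    cfg="$cfg,listener.name.sasl_ssl.ssl.keystore.password=$pwd_val"
    cfg="$cfg,listener.name.sasl_ssl.ssl.key.password=$pwd_val"
    if [ -n "${2:-}" ]; then cfg="$cfg,$2"; fi
    printf '%s\n' "$cfg"
}

PW='Se cret,$1'   # constructed sample: contains a space, a comma and a $
echo "unquoted expansion -> $(args_unquoted "$PW") argument(s)"   # 2
echo "quoted expansion   -> $(args_quoted "$PW") argument(s)"     # 1
ZK_CFG=$(build_zk_config "$PW" "${KAFKA_SSL_PASSWORD_ENCODER_SECRET_PROP:-}")
echo "add-config string  -> $ZK_CFG"

# The invocation then quotes the expansion so it stays one argument:
#   nohup "$EXEC_KAFKA_CONFIG" --zookeeper 127.0.0.1:2181 --entity-type brokers \
#     --entity-name 0 --alter --add-config "$ZK_CFG" >> "$KAFKA_HOME/logs/nohup_z.out" 2>&1 &
# Note: this fixes the parsing problem only; a password given on the command
# line is still readable in the process list while kafka-configs.sh runs.
```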


From: Maciej Malecki 
Sent: Tuesday, March 25, 2025 9:51 PM
To: users@kafka.apache.org 
Subject: Re: Kafka process fails to start when special character is present in 
Keystore password in SSL encryption and SASL authentication

Hi,
Look here:

https://en.m.wikipedia.org/wiki/Percent-encoding

Regards,

Maciej Małecki

On Tue, 25 Mar 2025, 11:30, Deepak Jain <
deepak.j...@cumulus-systems.com> wrote:

> Hi Luke,
>
>
>
> We are using a Kafka 3.7.0 broker/client system in our prod environment with
> SASL_SSL communication between Kafka clients and the broker. We are starting
> the Kafka process from the shell using the command below.
>
>
> `nohup $EXEC_KAFKA_CONFIG --zookeeper 127.0.0.1:2181 --entity-type
> brokers --entity-name 0 --alter --add-config $zooKeeperConfig >>
> $KAFKA_HOME/logs/nohup_z.out 2>&1 &`
> `nohup $KAFKA_HOME/bin/kafka-server-start.sh
> $KAFKA_HOME/config/server.properties >> $KAFKA_HOME/logs/nohup_b.out 2>&1 &`
>
>
> Here, we are passing the SSL Keystore and truststore password details in
> $zooKeeperConfig as shown below:
>
>
>
> zooKeeperConfig="listener.name.sasl_ssl.ssl.truststore.password=$KAFKA_SSL_KEYSTORE_AND_TRUSTSTORE_PWD,listener.name.sasl_ssl.ssl.keystore.password=$KAFKA_SSL_KEYSTORE_AND_TRUSTSTORE_PWD,listener.name.sasl_ssl.ssl.key.password=$KAFKA_SSL_KEYSTORE_AND_TRUSTSTORE_PWD,$KAFKA_SSL_PASSWORD_ENCODER_SECRET_PROP"
>
>
> Due to the security limitations we are not passing the SSL Keystore and
> truststore password in the /config/server.properties file.
>
>
> Everything runs fine when the password does not contain any special characters,
> but the exception below appears in the Kafka server.log and Kafka fails to start
> when some special characters are present in the passwords.
>
>
>
> --
>
> Caused by: org.apache.kafka.common.KafkaException:
> org.apache.kafka.common.KafkaException: Failed to load SSL keystore
> /xx/xx/xx/kafka/client.truststore.jks of type JKS
> at
> org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:184)
> at
> org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
> at
> org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:81)
> at
> org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:119)
> at
> org.apache.kafka.clients.ClientUtils.createNetworkClient(ClientUtils.java:223)
> ... 10 more
> Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL
> keystore /xx/xx/xx/kafka/client.truststore.jks of type JKS
> at
> org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.load(DefaultSslEngineFactory.java:382)
> at
> org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileBasedStore.(DefaultSslEngineFactory.java:354)
> at
> org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.createTruststore(DefaultSslEngineFactory.java:327)
> at
> org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.configure(DefaultSslEngineFactory.java:171)
> at
> org.apache.kafka.common.security.ssl.SslFactory.instantiateSslEngineFactory(SslFactory.java:141)
> at
> org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:98)
> at
> org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:180)
> ... 14 more
> Caused by: java.io.IOException: Keystore was tampered with, or password
> was incorrect
> at
> java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:813)
> at
> java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
> at java.base/java.security.KeyStore.load(KeyStore.java:1473)
> at
> org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$FileB