Tags: java, spring-boot, apache-kafka, keytab

How to fix "Key for the principal <principal user> not available in <keytab file>" in Java 18 Spring Boot


I am trying to connect to Kafka using a keytab file to log in, but I got the following exceptions and authentication failed:

Found unsupported keytype (23) for [email protected]

2023-07-17 09:56:54 Key for the principal [email protected] not available in /etc/example.keytab

2023-07-17 09:56:54 [Krb5LoginModule] authentication failed

2023-07-17 09:56:54 Unable to obtain password from user

I double-checked the JAAS file and I put the right path for the keytab file, but it seemed not to find the keytab file at that specified path.

Here are the values in my JAAS file:

KafkaClient { 
        com.sun.security.auth.module.Krb5LoginModule required 
        useKeyTab=true
        storeKey=true
        debug=true
        isInitiator=true
        doNotPrompt=true

        keyTab="/etc/example.keytab"
        principal="[email protected]";
};

And the krb5.conf values:

# includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log 
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    default_realm = EXAMPLE.TH
    kdc_timesync = 1
    ticket_lifetime = 7d
    #renew_lifetime = 15d
[realms]
    EXAMPLE.TH = {
        admin_server = example.th
        kdc = example.th
        default_domain = EXAMPLE.TH
    }

In addition, this is my application.properties file:

## kafka security
spring.kafka.properties.security.protocol=SASL_SSL
spring.kafka.properties.sasl.mechanism=GSSAPI
spring.kafka.properties.sasl.kerberos.service.name=bigfoot
spring.kafka.properties.ssl.truststore.location=./keyuat/godzilla.client.truststore.jks
spring.kafka.properties.ssl.truststore.password=godzilla007

## kafka consumer
spring.kafka.consumer.bootstrap-servers=godzilla01:9092,godzilla02:9092,godzilla03:9092
spring.kafka.consumer.group-id=godzilla_lookup
spring.kafka.consumer.enable-auto-commit=false
spring.kafka.consumer.auto-offset-reset=latest
spring.kafka.topic.name=prod-godz

Could anyone help me fix this exception? I am very new to Kafka and started working as a Java developer only about 10 months ago, so any comments or suggestions are welcome and appreciated. I can provide more info if needed.

Thanks in advance!


Solution

  • In my case, the issue is about the Java version. My keytab encryption type is ArcFour with HMAC/MD5, and Java 18, which I used for my app, does not allow reading this keytab file. I tried downgrading to Java 11 and connecting to Kafka, and it works fine without any additional values.

    So the solution (in case you use Java 18 and the keytab encryption type is a weak type) is to set an additional value in krb5.conf: "allow_weak_crypto = true". By the way, it also depends on the keytab encryption type; if the algorithm is modern or strong, I don't think it is a problem.