vkconfig: Is it possible to have kafka-clusters with different authentication on the same scheduler?
LauriPessi
Vertica Customer ✭
If this is possible, I'd like to know how. This is the setup.
Cluster A: SSL
- JKS keystore+truststore defined in VKCONFIG_JVM_OPTS env
Cluster B: SASL_SSL/PLAIN
- librdkafka configuration in VERTICA_RDKAFKA_CONF_<cluster_name> env
  - security.protocol=SASL_SSL
  - sasl.mechanism=PLAIN
  - sasl.username=***
  - sasl.password=***
  - ssl.ca.location=/***/***.pem
Outcome
Option 1: When launching with configuration: enable-ssl=true
- Cluster A works, but connections to B with SASL fail on "Local: SSL error". (Issuing the same copy manually works just fine.)
Option 2: When launching without configuration: enable-ssl=true
- Cluster B with SASL works, but connections to A using SSL fail on "Local: Broker transport failure"
Also tried importing CAs from both clusters into the same JKS truststore referred to from VKCONFIG_JVM_OPTS, but the outcome was the same as with Option 1.
Vertica Analytic Database v11.1.1-11
Enterprise Mode
Best Answer
SergeB - Employee
A few questions
- Do you have different CAs for Cluster A and Cluster B?
- Is Kafka set with SSL Authentication on either Cluster A or Cluster B?
- Did you use the --ssl-ca-alias option? You should omit it if you have multiple CAs in your truststore. Otherwise vkconfig will only read the CA with that alias.
Answers
Thanks! Removing the --ssl-ca-alias option from the config solved the issue (the prerequisite was to import CAs for both clusters into the same truststore).
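
The fix from this thread as an added example (not code from the posters or from Vertica): import each cluster's CA into one JKS truststore under its own alias, then check that the scheduler config does not pin ssl-ca-alias. The aliases, file paths, the TRUSTSTORE_PASS variable and the key=value config layout are assumptions.

```shell
#!/bin/sh
# Added example. Aliases, paths and TRUSTSTORE_PASS are assumptions.
# Usage (placeholder paths):
#   export TRUSTSTORE_PASS='...'
#   import_ca /path/to/truststore.jks cluster_a_ca /path/to/cluster_a_ca.pem
#   import_ca /path/to/truststore.jks cluster_b_ca /path/to/cluster_b_ca.pem
#   check_scheduler /path/to/truststore.jks /path/to/scheduler.conf

# import_ca STORE ALIAS PEM: add one CA certificate under its own alias.
# The password is read from $TRUSTSTORE_PASS so it stays out of the
# process list and shell history.
import_ca() {
  keytool -importcert -noprompt -trustcacerts -storetype JKS \
    -keystore "$1" -storepass:env TRUSTSTORE_PASS \
    -alias "$2" -file "$3" >/dev/null 2>&1
}

# count_trusted_cas STORE: print how many trusted CA entries the store holds.
count_trusted_cas() {
  keytool -J-Duser.language=en -list -keystore "$1" \
    -storepass:env TRUSTSTORE_PASS 2>/dev/null \
    | grep -c 'trustedCertEntry' || true
}

# conf_pins_ca_alias CONF: succeed if the config sets ssl-ca-alias
# (accepts "ssl-ca-alias=x" and "--ssl-ca-alias x"; commented lines ignored).
conf_pins_ca_alias() {
  grep -Eq '^[[:space:]]*(--)?ssl-ca-alias([[:space:]=]|$)' "$1"
}

# check_scheduler STORE CONF: fail when the truststore holds several CAs
# but the config restricts the scheduler to a single alias.
check_scheduler() {
  local n
  n=$(count_trusted_cas "$1")
  if [ "$n" -gt 1 ] && conf_pins_ca_alias "$2"; then
    echo "FAIL: $n CAs in truststore, but ssl-ca-alias is set in $2"
    return 1
  fi
  echo "OK: $n trusted CA(s), no conflicting ssl-ca-alias in $2"
}
```
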