vkconfig: Is it possible to have kafka-clusters with different authentication on the same scheduler?

LauriPessi Vertica Customer
edited October 2023 in General Discussion

If this is possible, I'd like to know how. This is the setup.

Cluster A: SSL

  • JKS keystore+truststore defined in VKCONFIG_JVM_OPTS env


  • librdkafka configuration in VERTICA_RDKAFKA_CONF_<cluster_name> env
    • security.protocol=SASL_SSL
    • sasl.mechanism=PLAIN
    • sasl.username=***
    • sasl.password=***
    • ssl.ca.location=/***/***.pem


Option 1: When launching with configuration: enable-ssl=true

  • Cluster A works, but connections to B with SASL fail on "Local: SSL error" (issuing the same copy manually works just fine).

Option 2: When launching without configuration: enable-ssl=true

  • Cluster B with SASL works, but connections to A using SSL fail on "Local: Broker transport failure"

Also tried importing the CAs from both clusters into the same JKS truststore referred to from VKCONFIG_JVM_OPTS, but the outcome was the same as with Option 1.

Vertica Analytic Database v11.1.1-11
Enterprise Mode


Best Answer

  • SergeB Employee
    Answer ✓

    A few questions

    1. Do you have different CAs for Cluster A and Cluster B?
    2. Is Kafka set with SSL Authentication on either Cluster A or Cluster B?
    3. Did you use the --ssl-ca-alias option? You should omit it if you have multiple CAs in your truststore. Otherwise vkconfig will only read the CA with that alias.


  • LauriPessi Vertica Customer

    Thanks! Removing the --ssl-ca-alias option from the config solved the issue (the prerequisite was to import the CAs for both clusters into the same truststore).
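
A pre-flight check for the fix in this thread, as an added example (not code from the posters or from Vertica): it reads `keytool -list` output for the truststore plus the scheduler config and reports which cluster CAs would not be loaded. The key=value config layout, the aliases, the fingerprints and the function names are assumptions made for illustration.

```python
import re

# Constructed sample values, not from the thread: two CA fingerprints and the
# text that `keytool -list -keystore <truststore>` prints for a store holding both.
FP_A = ":".join(["A1"] * 32)
FP_B = ":".join(["B2"] * 32)
SAMPLE_KEYTOOL_LIST = f"""Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

cluster-a-ca, Oct 3, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): {FP_A}
cluster-b-ca, Oct 3, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): {FP_B}
"""

ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), .*, trustedCertEntry,[ \t]*\n"
    r"Certificate fingerprint \(SHA-256\): (?P<fp>[0-9A-Fa-f:]+)",
    re.MULTILINE,
)

def trusted_cas(keytool_output):
    """Map alias -> SHA-256 fingerprint for every trustedCertEntry listed."""
    return {m["alias"].strip(): m["fp"].upper() for m in ENTRY_RE.finditer(keytool_output)}

def parse_conf(text):
    """Parse key=value lines (assumed layout of the scheduler config file)."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def untrusted_clusters(conf_text, keytool_output, cluster_ca_fps):
    """Return {cluster: reason} for clusters whose CA the scheduler would not load."""
    store = trusted_cas(keytool_output)
    alias = parse_conf(conf_text).get("ssl-ca-alias")
    # Per the answer above: with an alias set, only that one CA is read.
    loaded = store if not alias else {a: fp for a, fp in store.items() if a == alias}
    problems = {}
    for cluster, fp in cluster_ca_fps.items():
        if fp.upper() in loaded.values():
            continue
        if fp.upper() in store.values():
            problems[cluster] = f"CA present but excluded by ssl-ca-alias={alias}"
        else:
            problems[cluster] = "CA missing from truststore"
    return problems
```
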
