Route via Kafka assertion fails due to ssl error.

Article ID: 280981

Updated On: 03-25-2024

Products

CA API Gateway

Issue/Introduction

The API Gateway Kafka client does not work when using SSL.

When we set up Kafka to use SSL connections and use the "Route via Kafka" assertion, the request fails.

The ssg logs show the following warning message: "Problem routing to Kafka Cluster. org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed"

We have installed the Kafka server certificate on the gateway and the gateway certificate on the Kafka server.

The SSL debug logs show the following details:

"org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present"

Environment

10.x 11.x

Cause

The gateway does not accept the Kafka server certificate because the CN does not match the Kafka bootstrap server connection details in the Kafka client properties, even though the cwp property io.httpsHostVerify is set to false to ignore the host name check.

Resolution

Solution 1:

Connect to the bootstrap server using a name that matches the CN of the Kafka certificate, and make sure the Kafka advertised listener uses the same server name.
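
A pre-flight check for Solution 1, as an added example (not code from the gateway or from Kafka): it tests each bootstrap server entry against the names in the broker certificate using a simplified, assumed model of the HTTPS-style host name check. The certificate dicts, host names and the function check_bootstrap are constructed for illustration.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); all names and addresses are made up.
CERT_CN_ONLY = {"subject": ((("commonName", "kafka01.example.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "kafka01.example.com"),),),
    "subjectAltName": (("DNS", "kafka01.example.com"),
                       ("DNS", "*.kafka.example.com"),
                       ("IP Address", "10.0.0.15")),
}

def _dns_match(pattern, host):
    """Exact match, or one leading '*.' wildcard covering a single label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_bootstrap(cert, bootstrap):
    """Return (ok, reason) for one host:port entry of bootstrap.servers."""
    host = bootstrap.rsplit(":", 1)[0].strip("[]")
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Assumed rule: an IP literal is compared only with SAN IP entries,
        # never with the CN, so a CN-only certificate cannot satisfy it.
        if not san:
            return False, "no subject alternative names present"
        ips = [v for k, v in san if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "matched SAN IP"
        return False, "no SAN IP entry matches " + host
    dns = [v for k, v in san if k == "DNS"]
    if dns:
        ok = any(_dns_match(p, host) for p in dns)
        return ok, "matched SAN DNS" if ok else "no SAN DNS entry matches " + host
    # No DNS SAN at all: fall back to the subject CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    ok = any(_dns_match(c, host) for c in cns)
    return ok, "matched CN" if ok else "CN does not match " + host
```

Run it against every entry in the bootstrap server list and against each advertised listener name, since the client reconnects to the advertised names after the initial bootstrap.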

Solution 2:

In the producer tab, add the advanced setting "ssl.endpoint.identification.algorithm" without any value.

This tells the Kafka client on the gateway to ignore the mismatch between the certificate CN and the called Kafka server.

It may be necessary to restart the ssg service for the change to take effect when updating an existing Kafka client connection.