Spectrum Alarms are not successfully transmitting to the NetOps Kafka data directory despite the SSL health check running successfully. Kafka server logs indicate repeated authentication failures.
Symptoms:
INFO [SocketServer listenerType=ZK_BROKER, nodeId=1] Failed authentication with /[IP_ADDRESS] (channelId=[IP_ADDRESS]:9092-[IP_ADDRESS]:59212-1075) (SSL handshake failed) (org.apache.kafka.common.network.Selector)
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address [IP_ADDRESS] found.

The SSL certificate is issued to the server's hostname but does not include the IP address in the Subject Alternative Name (SAN) field. When the spring.kafka.bootstrap-servers property is configured using IP addresses, the SSL handshake fails because the client cannot verify the identity of the server against the provided IP.
To resolve this issue, update the Kafka configuration to use hostnames instead of IP addresses so they match the SSL certificate's Subject Alternative Name.
spring.kafka.bootstrap-servers entry.
spring.kafka.bootstrap-servers=1.1.1.1:9092,1.1.1.2:9092,1.1.1.3:9092
spring.kafka.bootstrap-servers=[HOSTNAME]:9092,[HOSTNAME]:9092,[HOSTNAME]:9092

The ssl_config.sh health check may pass if it tests local connectivity or different parameters, but the runtime integration requires a strict match between the connection string and the certificate's SAN or Common Name (CN).
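A pre-deployment check for the mismatch described above, as an added example that is not part of the original article or of the product: it compares each spring.kafka.bootstrap-servers entry with a certificate's SAN list using the usual TLS rule that an IP literal matches only an IP-type SAN and a hostname only a DNS-type SAN. The function names and the sample SAN values are assumptions; the SAN tuple uses the shape returned by Python's ssl.SSLSocket.getpeercert(), and the CN fallback is not modelled.

```python
import ipaddress

# Constructed sample SAN list (hypothetical hostnames), in getpeercert() form.
SAMPLE_SAN = (("DNS", "kafka1.example.internal"),
              ("DNS", "*.brokers.example.internal"))

def _as_ip(text):
    """Return an ip_address object for an IP literal, or None for a hostname."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def san_matches(host, san):
    """True if host would pass SAN-based endpoint identification."""
    target = _as_ip(host)
    if target is not None:
        # IP literals are compared only with "IP Address" SAN entries.
        return any(kind == "IP Address" and _as_ip(value) == target
                   for kind, value in san)
    return any(kind == "DNS" and _dns_match(value, host)
               for kind, value in san)

def check_bootstrap_servers(value, san):
    """Return [(entry, matches_san)] for a comma-separated host:port list."""
    results = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        host, sep, _port = entry.rpartition(":")
        if not sep:                 # entry given without a port
            host = entry
        results.append((entry, san_matches(host.strip("[]"), san)))
    return results

if __name__ == "__main__":
    servers = "1.1.1.1:9092,kafka1.example.internal:9092"
    for entry, ok in check_bootstrap_servers(servers, SAMPLE_SAN):
        print(f"{entry}: {'matches SAN' if ok else 'NO matching SAN entry'}")
```

Each broker normally presents its own certificate, so run the check per broker with that broker's SAN list.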