Pega Platform fails to authenticate to Kafka cluster using mTLS

Hi,

We are working on externalizing Kafka and are facing a problem with authentication. Even though we have placed the Kafka cluster certificate in the truststore.jks file and updated keystore.jks with a valid certificate, we see the following error message:

Failed authentication with internal.kafka.domain/10.0.0.x (SSL handshake failed)

Here’s a snippet of the stream service values for my environment:

stream:
  enabled: true
  bootstrapServer: "broker1.srv:9093, broker2.srv:9093, broker3.srv:9093, broker4.srv:9093"
  securityProtocol: SSL
  trustStore: "truststore.jks"
  trustStorePassword: "xxxxxxx"
  keyStore: "keystore.jks"
  keyStorePassword: "xxxxxxx"
  jaasConfig: ""
  saslMechanism: PLAIN
  streamNamePattern: "pega-{stream.name}"
  replicationFactor: "1"
  external_secret_name: ""

** It’s important to mention that our cluster expects mTLS as the authentication method.

Cheers,
Mina

@MinaA16808957

Hi,

Were you able to resolve this issue?

Thanks,

Vinay.

Pega Infinity supports mutual TLS (mTLS) for securing connections to external Kafka clusters. The error message you’re seeing typically indicates a problem with the SSL handshake process, which could be due to a variety of reasons. It could be that the certificates are not correctly configured, the truststore or keystore password is incorrect, or there could be a mismatch between the security protocol expected by your Kafka cluster and the one configured in Pega. Please double-check your configuration and ensure that the certificates, passwords, and security protocol are correctly set up.

This is a GenAI-powered tool. All generated answers require validation against the provided references.

Kafka configuration instance - properties file - error connecting to external Kafka

External Kafka in your deployment > Traffic encryption between Pega and your

Connecting a Pega Platform virtual machine deployment to use a streaming servic

If you need further help, please log a support ticket via the MSP.

@MarijeSchillern - Thank you. We are able to solve this issue.

When passing the certificate in prconfig, we observed that the Node level certificate was being skipped. We created a separate JKS, uploaded both the Node level cert and the authentication-based cert into it, and passed that in prconfig.xml.
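The resolution above boils down to the keystore Pega presents to the broker having to contain the client certificate and its private key, not only trusted certificates. The following script is an added example, not code from this thread or from Pega; it checks keytool listings for exactly that condition, using constructed sample listings, and the aliases, file names and password variable are placeholders.

```sh
#!/bin/sh
# Added example: offline sanity checks for the keystore/truststore referenced
# by the stream config in the original post. Aliases, file names and $PW are
# placeholders, not values from the thread.

# Constructed keytool -list output for a keystore that holds only a trusted
# cert and no private key: nothing the client can present during the mTLS
# handshake, which the broker reports as "SSL handshake failed".
SAMPLE_KEYSTORE_BAD='Your keystore contains 1 entry

pega-node, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD'

# Constructed listing for a rebuilt keystore that carries both the node-level
# cert and the authentication cert with its key (what the thread ended up with).
SAMPLE_KEYSTORE_OK='Your keystore contains 2 entries

pega-node, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD
pega-auth, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): EE:FF:00:11'

# count_entries LISTING KIND -> number of entries of KIND
# (KIND is PrivateKeyEntry or trustedCertEntry, as keytool prints them).
count_entries() {
  printf '%s\n' "$1" | grep -c ", $2," || true
}

# A client keystore for mTLS needs at least one PrivateKeyEntry: the broker
# requests a client certificate, and a JKS made only of trustedCertEntry
# items has no certificate/key pair to send back.
keystore_usable_for_mtls() {
  [ "$(count_entries "$1" PrivateKeyEntry)" -ge 1 ]
}

# The truststore needs the broker CA as a trustedCertEntry; without it the
# client side rejects the broker certificate and the handshake fails as well.
truststore_usable() {
  [ "$(count_entries "$1" trustedCertEntry)" -ge 1 ]
}

# Live check against real files (needs a JDK keytool on PATH):
#   keystore_usable_for_mtls "$(keytool -list -keystore keystore.jks -storepass "$PW")"
#   truststore_usable "$(keytool -list -keystore truststore.jks -storepass "$PW")"
# With securityProtocol SSL the Kafka handshake is certificate based only;
# a Kafka client consults sasl.mechanism/JAAS settings under SASL_SSL, not SSL.
```

Run the two live lines with your real store paths and password; a false result from the first one is the "only trusted certs in the keystore" situation the thread describes.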