SCRAM – Salted Challenge Response Authentication Mechanism

Reading Time: 2 minutes

The Salted Challenge Response Authentication Mechanism SCRAM is a family of modern, password-based challenge–response authentication mechanisms. Providing authentication of a user to a server. As it is specified for Simple Authentication and Security Layer (SASL). It can use for password-based login to services like SMTP and IMAP (e-mail), or XMPP (chat).  Apache Kafka supports SCRAM-SHA-256 and SCRAM-SHA-512

SCRAM Implementation

Kafka stores SCRAM credentials in ZooKeeper and is suitable for use in Kafka installations where ZooKeeper is on a private network. Because of this, you must create SCRAM credentials for users in ZooKeeper.

Configure SCRAM’s credentials :

bin/kafka-configs --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=secret-api]' --entity-type users --entity-name username

bin/kafka-configs --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret]' --entity-type users --entity-name admin

However, in cases where you want Kafka brokers to authenticate to each other using SCRAM, and you want to create its credentials before the brokers are up and running

bin/kafka-configs --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=alice-secret]' --entity-type users --entity-name username

bin/kafka-configs --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret]' --entity-type users --entity-name admin


SCRAM provides more security in two aspects:

  • It keeps the passwords in your database weakly hashed (MD5/SHA-1) and thus even if your database is stolen the attacker cannot guess the passwords.
  • During the authentication passwords are never send in clear form thus eliminating the use of man-in-the-middle attack.


To authenticate as a client you will need an instance of some of the ScramSha*SaslClientProcessor classes.

There are two parameters need to create an instance:

  • listener – use to notify your code of the authentication outcome.
  • sender – use to send messages to the server.
String username = ...
String password = ...

Listener listener = new Listener() {...};
Sender sender = new Sender() {...};

ScramSaslClientProcessor processor = new ScramSha256SaslClientProcessor(
                                          listener, sender);

processor.start(username, password); 

String message = ...


Client properties File


JAAS File required \
  username="user_name" \

You must take care on your own to interrupt the sequence with abort() after a given timeout, if there is no outcome.


If using a separate JAAS file, pass the name of the JAAS file as a JVM parameter when you start each Kafka broker:

bin/kafka-server-start etc/kafka/

Thanks for Reading !!


Written by 

I am Software Consultant at Knoldus and I am curious about learning new technologies.