SCRAM – Salted Challenge Response Authentication Mechanism


The Salted Challenge Response Authentication Mechanism (SCRAM) is a family of modern, password-based challenge-response authentication mechanisms that authenticate a user to a server. It is specified for use with the Simple Authentication and Security Layer (SASL) and can be used for password-based login to services such as SMTP and IMAP (e-mail) or XMPP (chat). Apache Kafka supports SCRAM-SHA-256 and SCRAM-SHA-512.

SCRAM Implementation

Kafka stores SCRAM credentials in ZooKeeper, so this mechanism is suitable for Kafka installations where ZooKeeper is on a private network. Because of this, you must create SCRAM credentials for users in ZooKeeper.

Configure SCRAM credentials:

bin/kafka-configs --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=secret-api]' --entity-type users --entity-name username

bin/kafka-configs --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret]' --entity-type users --entity-name admin

However, if you want Kafka brokers to authenticate to each other using SCRAM, you need to create their credentials before the brokers are up and running, which means writing them to ZooKeeper directly:

bin/kafka-configs --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=alice-secret]' --entity-type users --entity-name username

bin/kafka-configs --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret]' --entity-type users --entity-name admin

Why SCRAM?

SCRAM provides more security in two aspects:

  • It stores the passwords in your database as salted, iterated hashes rather than in clear text, so even if your database is stolen the attacker cannot simply read the passwords back.
  • During authentication, passwords are never sent in clear form, which removes the opportunity for a man-in-the-middle to capture them.
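The two points above in working code, as an added example that is not part of the original post or of Kafka: a minimal SCRAM-SHA-256 exchange after RFC 5802, with the server holding only salt, iteration count (8192, as in the kafka-configs command above), StoredKey and ServerKey, and the wire carrying only nonces and proofs. The nonces, salt and message framing are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

HASH = "sha256"
ITERATIONS = 8192  # same iteration count as the kafka-configs example


def hmac_h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def store_credential(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """What the server persists: never the password, only salt, iterations, StoredKey, ServerKey."""
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)  # Hi(password, salt, i)
    client_key = hmac_h(salted, b"Client Key")
    server_key = hmac_h(salted, b"Server Key")
    return {"salt": salt, "iterations": iterations, "stored_key": h(client_key), "server_key": server_key}


def scram_exchange(username: str, password: str, cred: dict, client_nonce: str, server_nonce: str):
    """Returns (server accepts client proof, client accepts server signature)."""
    nonce = client_nonce + server_nonce
    client_first_bare = f"n={username},r={client_nonce}"
    server_first = f"r={nonce},s={base64.b64encode(cred['salt']).decode()},i={cred['iterations']}"
    client_final_wo_proof = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_wo_proof}".encode()

    # Client: derives keys from the password; sends ClientProof = ClientKey XOR ClientSignature
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), cred["salt"], cred["iterations"])
    client_key = hmac_h(salted, b"Client Key")
    client_proof = xor(client_key, hmac_h(h(client_key), auth_message))

    # Server: recovers ClientKey from the proof and checks H(ClientKey) against StoredKey
    recovered_client_key = xor(client_proof, hmac_h(cred["stored_key"], auth_message))
    server_ok = hmac.compare_digest(h(recovered_client_key), cred["stored_key"])

    # Server proves possession of ServerKey; client verifies with its own derived ServerKey
    server_signature = hmac_h(cred["server_key"], auth_message)
    client_ok = hmac.compare_digest(server_signature, hmac_h(hmac_h(salted, b"Server Key"), auth_message))
    return server_ok, client_ok
```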

Clients

To authenticate as a client you will need an instance of some of the ScramSha*SaslClientProcessor classes.

Two parameters are needed to create an instance:

  • listener – used to notify your code of the authentication outcome.
  • sender – used to send messages to the server.

String username = ...
String password = ...

// Callbacks: the listener receives the success/failure outcome,
// the sender transmits SCRAM messages to the server
Listener listener = new Listener() {...};
Sender sender = new Sender() {...};

// Mechanism-specific implementation, SCRAM-SHA-256 in this case
ScramSaslClientProcessor processor = new ScramSha256SaslClientProcessor(
                                          listener, sender);

// Start the exchange: the processor builds the client-first message
// and hands it to the sender
processor.start(username, password);

// Feed every message received from the server back into the processor
String message = ...
processor.onMessage(message);

Configure

Client properties file

security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256

JAAS File

sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="user_name" \
  password="user_name-secret";

When using the client processor, you must take care on your own to interrupt the sequence with abort() after a given timeout if there is no outcome.

Run

If using a separate JAAS file, pass the name of the JAAS file as a JVM parameter when you start each Kafka broker:

export KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf
bin/kafka-server-start etc/kafka/server.properties

Thanks for Reading !!



Written by 

I am Software Consultant at Knoldus and I am curious about learning new technologies.