Hello, I am looking for some help regarding integrating the IBM ACE [cloud pack for integration] with the IBM event streams [i.e. kafka; also on cp4i].

The problematic issue [or question] is - can it be done, with an OAUTHBEARER SASL security mechanism?

The setup:

We have a simple ACE flow, that exposes a SOAP webservice and produces a message in a kafka topic. In the local setup, we use Strimzi, secured only via SSL.

The node in the flow itself has minimal config set (basically just the client id), but it has a kafka policy set, which in turn has all the other required info:

• bootstrap servers
• sec. protocol [SSL]
• ssl protocol [tls 1.2]
• keystore location
• truststore location
• keystore/truststore type
• keystore/truststore sec. identity

We have a truststore with the server certs, we have a keystore with the created strimsi/kafka users keypair; they are available to the integration server and have the properties set

mqsisetdbparms --work-dir ...\TEST_SERVER -n truststore::kafkaTrust -u ace-user -p <password>
mqsisetdbparms --work-dir ....\TEST_SERVER -n keystore::kafkaKey -u ace-user -p <password>

This setup, locally, WORKS [in both directions; we have a similar setup where ace consumes messages from a topic and generates SOAP requests].

---

Now, for the target setup, we need it to be secured via keycloack [oauth] - using a user, pass and client id [and secret if needed]

The changes done inside the policy were the following:

• sec. protocol [SASL-SSL]
• sasl mechanism - OAUTHBEARER
• sec identity [dsn] - kafka-user
• sasl config: 

  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required sasl.oauthbearer.token.endpoint.url="https://host/auth/realms/SA/protocol/openid-connect/token"  sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler unsecuredLoginStringClaim_sub="user" client.id="our-client-id" client.secret="secretGUID" username="user" password="password"

• additionally, we've created a setdbmparams.txt configuration with 
  

  kafka::kafka-user user password

This attempt, after some fixes along the way, gave us the generic error:

The Kafka publish operation by client 'X' failed because details for topic 'topic' could not be retrieved from the Kafka server at address 'endpoint'.
The Kafka output connector attempted to retrieve meta-data information for the topic 'topic' but no response was received. Possible reasons for this are
1) The security configuration or the security credentials are invalid.
2) The topic does not exist.
Investigate and rectify the causes of the failure using the information in the message explanation and retry the operation. Further information on the cause of the failure may be available by enabling more detailed logging from the Kafka client by modifying the log4j properties file. : writeSystemLogError.

the topic exists and is available to our user. How can we proceed? How can we enable the detailed logging on the kafka client [the log4j the error mentions], the documentation is a bit sparse.

ACE version used -  12.0.7.0-r5

mqsisetdbparms --work-dir ...\TEST_SERVER -n truststore::kafkaTrust -u ace-user -p <password>mqsisetdbparms --work-dir ....\TEST_SERVER -n keystore::kafkaKey -u ace-user -p <password>

The Kafka publish operation by client 'X' failed because details for topic 'topic' could not be retrieved from the Kafka server at address 'endpoint'.The Kafka output connector attempted to retrieve meta-data information for the topic 'topic' but no response was received. Possible reasons for this are1) The security configuration or the security credentials are invalid.2) The topic does not exist.Investigate and rectify the causes of the failure using the information in the message explanation and retry the operation. Further information on the cause of the failure may be available by enabling more detailed logging from the Kafka client by modifying the log4j properties file. : writeSystemLogError.