We’re running a Kafka cluster in KRaft mode with each node configured as broker,controller. The Kafka image is built with Red Hat JDK 17.
We recently migrated the inter.broker.protocol and controller.protocol authentication mechanisms to SCRAM-SHA-512, and updated the necessary files: server.properties, kafkaJaas.conf, and kafka-storage.sh.
The new authentication works fine in non-FIPS environments, and Kafka runs without issues.
However, in the FIPS-enabled setup, the Kafka pods fail with the following error:
"[2025-08-13 19:26:36,693] ERROR [RaftManager id=0] Connection to node 1 (address:19092) failed authentication due to: Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-512 (org.apache.kafka.clients.NetworkClient)"
Below are the configs we are using:
```
cd opt/kafka/milvus/
bash-5.1$ cat kafkaJaas.conf
KafkaServer {
  org.apache.kafka.common.security.scram.ScramLoginModule required
  username=<username>
  password=<password>
  user_admin=<password>
  user_lakehouse=<password>
  user_user="<password>";
};
```

```
cat server.properties | tail -n 15
ssl.endpoint.identification.algorithm=
ssl.keystore.type=PKCS12
ssl.keystore.password=<keystore.password>
ssl.keystore.location=/opt/kafka/milvus/keystore.pkcs12
ssl.truststore.type=PKCS12
ssl.truststore.password=<truststore.password>
ssl.truststore.location=/opt/kafka/milvus/truststore.pkcs12
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.mechanism.controller.protocol=SCRAM-SHA-512
listener.name.controller.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=<username> password=<password> user_admin=<password> user_user=<password> user_lakehouse=<password>;
ssl.enabled.protocols=TLSv1.3
ssl.protocol=TLSv1.3
```

```
opt/kafka/bin/kafka-storage.sh format \
  -t "$KAFKA_CLUSTER_ID" \
  -c "$KAFKA_HOME/milvus/server.properties" \
  --add-scram "SCRAM-SHA-512=[name=<username>,password=<password>]" \
```
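For reference, this is how a SCRAM-SHA-512 credential of the kind registered with `--add-scram` is derived and checked under RFC 5802, written as an added example (not part of the original post and not Kafka's code). The user name, password, salt, nonces and iteration count are constructed sample values, and SASLprep normalization of the password is skipped.

```python
import base64, hashlib, hmac

HASH = "sha512"  # hash behind SCRAM-SHA-512

def _keys(password: str, salt: bytes, iterations: int):
    # Hi() from RFC 5802 is PBKDF2-HMAC; the password is used as the HMAC key.
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return client_key, hashlib.new(HASH, client_key).digest(), server_key

def derive(password, salt, iterations):
    """What the server stores per user: (StoredKey, ServerKey), never the password."""
    _, stored_key, server_key = _keys(password, salt, iterations)
    return stored_key, server_key

def client_proof(password, salt, iterations, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    client_key, stored_key, _ = _keys(password, salt, iterations)
    signature = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verify(stored_key, auth_message, proof) -> bool:
    # Recover ClientKey from the proof and compare H(ClientKey) with StoredKey.
    signature = hmac.new(stored_key, auth_message, HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.new(HASH, client_key).digest(), stored_key)

def demo():
    # Constructed sample values, not taken from the post.
    salt, iterations, password = b"constructed-salt", 4096, "constructed-secret"
    stored_key, _ = derive(password, salt, iterations)
    b64salt = base64.b64encode(salt).decode()
    auth = (f"n=admin,r=cnonce,r=cnoncesnonce,s={b64salt},i={iterations},"
            "c=biws,r=cnoncesnonce").encode()
    return {
        "correct": server_verify(stored_key, auth, client_proof(password, salt, iterations, auth)),
        "wrong_password": server_verify(stored_key, auth, client_proof("other", salt, iterations, auth)),
        "wrong_iterations": server_verify(stored_key, auth, client_proof(password, salt, 8192, auth)),
    }

if __name__ == "__main__":
    print(demo())
```

The proof is accepted only when the password, salt and iteration count on the connecting side all reproduce the stored key, so any difference in how either side computes the PBKDF2 or HMAC step ends in a credential rejection.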