New Contributor
Posts: 5
Registered: ‎08-24-2017
Accepted Solution


From what I've read SASL_PLAINTEXT allows using Kerberos for authentication but once the client is authenticated the actual session is not encrypted.  So to use Kerberos and have the entire client/server session be encrypted you must use SASL_SSL and setup a keystore/trustore as well.  Is this correct?


Cloudera Employee
Posts: 198
Registered: ‎01-09-2014


You are correct, SASL_PLAINTEXT only provides authentication, not encryption. You'll want SASL_SSL if you need encrypted traffic as well. You can set to a different value if you'd like to only encrypt client/server traffic, but if you leave that to inferred in CM, it will use whatever your listener value is set to.