Hello @BGabor    This error "TrustManager is not specified" can be thrown due to some of the following issues -    Missing cert files or missing/wrong values for the below configs  Make sure following properties are set:- xasecure.policymgr.clientssl.keystore.credential.file=jceks://file/{{credential_file}} xasecure.policymgr.clientssl.truststore.credential.file=jceks://file/{{credential_file}} xasecure.policymgr.clientssl.truststore=/path/to/truststore   Also came across these Ranger jiras which indicates that the truststore info not specified in cacert or cacert needs to be manually configured. Note - they are fixed in Ranger 2.0.1, so you may also want to check the ranger version. https://issues.apache.org/jira/browse/RANGER-2611 https://issues.apache.org/jira/browse/RANGER-2907 ... View more

@Shelton    I can see Ambari created Headless Keytab but didn't see how this is being used or configured. Any insight on how Headless Keytab configured? Thanks! ... View more

@SKL  Ambari explicitly configures a series of Kafka settings and creates a JAAS configuration file for the Kafka server. It is not necessary to modify these settings but check the below values in Server.properties Listeners   listeners=SASL_PLAINTEXT://kafka01.example.com:6667 listeners=PLAINTEXT://your_host:9092, TRACE://:9091, SASL_PLAINTEXT://0.0.0.0:9093   Advertised.listeners A list of listeners to publish to ZooKeeper for clients to use If advertised.listeners is not set, the value for listeners will be used   advertised.listeners=SASL_PLAINTEXT://kafka01.example.com:6667   Security.inter.broker.protocol In a Kerberized cluster, brokers are required to communicate over SASL   security.inter.broker.protocol=SASL_PLAINTEXT   Principal.to.local.class Transforms the Kerberos principals to their local Unix usernames.   principal.to.local.class=kafka.security.auth.KerberosPrincipalToLocal   super.users Specifies user accounts that will acquire all cluster permissions these super users have all permissions that would otherwise need to be added through the kafka-acls.sh script   super.users=user:developer1;user:analyst1   JAAS Configuration File for the Kafka Server Enabling Kerberos sets up a JAAS login configuration file for the Kafka server to authenticate the Kafka broker against Kerberos. Usually in /usr/hdp/current/kafka-broker/config/kafka_server_jaas.conf     KafkaServer { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/home/ec2-user/kafka.service.keytab" storeKey=true useTicketCache=false serviceName="kafka" principal="kafka/<public_DNS@EXAMPLE.COM"; }; Client { // used for zookeeper connection com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/home/ec2-user/kafka.service.keytab" storeKey=true useTicketCache=false serviceName="zookeeper" principal="kafka/<public_DNS@EXAMPLE.COM"; };   Setting for the Kafka Producer   Ambari usually sets the below key-value pair in the server.properties file if nonexistent please add it:   security.protocol=SASL_PLAINTEXT   JAAS Configuration File for the Kafka Client This file will be used for any client (consumer, producer) that connects to a Kerberos-enabled Kafka cluster. The file is stored at: /usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf Kafka client configuration with keytab, for producers:   KafkaClient { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/home/ec2-user/kafka.service.keytab" storeKey=true useTicketCache=false serviceName="kafka" principal=""kafka/<public DNS>@EXAMPLE.COM"; };   Kafka client configuration without keytab, for producers:   KafkaClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true renewTicket=true serviceName="kafka"; };   Kafka client configuration for consumers:   KafkaClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true renewTicket=true serviceName="kafka"; };   Check  and set the Ranger policy permissions for kafka and ensure that all the Kafka keytab  is executable by Kafka   Hope that helps       ... View more