Appendix - Authentication Schemes

The Kafka OCF connector exposes several authentication schemes from the underlying Kafka JDBC driver. Only a subset of these schemes is supported in Kafka OCF, as noted below; unsupported schemes are listed for reference but must not be used to connect.

Supported authentication schemes in Kafka OCF:

Not supported in Kafka OCF (driver-only capabilities):

Azure MSI

Not supported. Managed Service Identity authentication is exposed by the driver but is not supported in Kafka OCF.

SCRAM-SHA-512

Specify the values in the following fields for the SCRAM-SHA-512 authentication scheme:

  • Set the Auth Scheme to SCRAM-SHA-512

  • User

  • Password

Auto

Not supported. Do not use Auto in Kafka OCF; explicitly configure one of the supported auth schemes instead.

AzureServicePrincipalCert

Use this scheme when connecting to Azure Event Hubs via a Service Principal that authenticates with a certificate instead of a client secret.

Set the Auth Scheme to AzureServicePrincipalCert and specify:

  • Azure Tenant

  • Azure Resource

  • Certificate or key material for the Service Principal

AzureServicePrincipal

Use this scheme when connecting to Kafka instances hosted on Azure Event Hubs via the Kafka interface using an Azure Service Principal.

Set the Auth Scheme to AzureServicePrincipal and specify at least:

  • User or Client ID (Service Principal application ID)

  • Password or Client Secret

  • Azure Tenant

  • Azure Resource (resource URI for Azure Event Hubs)

Kerberos

Specify the values in the following fields for the Kerberos authentication scheme:

  • Auth Scheme - Set this to KERBEROS.

  • Kerberos Service Name - This must match the service part of the Kafka brokers' principal name. For example, if the principal is kafka/kafka1.hostname.com@EXAMPLE.COM, then Kerberos Service Name must be set to kafka.

  • Kerberos SPN - Set this to the service and host of the Apache Kafka Kerberos principal, which is the part of the principal before the @ symbol. For example, kafka/kafka1.hostname.com is the SPN value for the principal kafka/kafka1.hostname.com@EXAMPLE.COM.

  • Select the Use Kerberos Ticket Cache checkbox to use a ticket cache instead of specifying a keytab file. In that case, the Kerberos Keytab File is ignored even if it is specified.

None

Set the Auth Scheme to None to connect to Kafka (on-premises) without setting any authentication connection properties.

SSLCertificate

SSL-based authentication is not supported in this release of the Kafka OCF connector.

You can configure SSL certificate content so the driver can perform an SSL handshake with the Kafka broker for transport security, but this does not enable SSL client certificate authentication as a supported scheme in OCF.

Plain

Specify the values in the following fields for the Plain authentication scheme:

  • Set the Auth Scheme to Plain

  • User

  • Password

AzureAD

Not supported. OAuth 2.0 code-grant-based Azure AD authentication cannot be used in Kafka OCF because OAuth tokens cannot be persisted by the connector.

SCRAM

Specify the values in the following fields for the SCRAM authentication scheme:

  • Set the Auth Scheme to SCRAM

  • User

  • Password
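
The following check is an added example, not part of the Kafka OCF connector or its documentation. It applies the rules in this appendix to a set of connection settings before they are used. Holding the settings in a Python dict keyed by the field labels on this page, and matching the Auth Scheme value case-insensitively, are assumptions made for illustration.

```python
# Added example; the dict keyed by this page's field labels is an assumed input format.
UNSUPPORTED = {"auto", "azuremsi", "azuread", "sslcertificate"}
REQUIRED = {
    "none": [],
    "plain": ["User", "Password"],
    "scram": ["User", "Password"],
    "scram-sha-512": ["User", "Password"],
    "kerberos": ["Kerberos Service Name", "Kerberos SPN"],
    # Only the two fields that both Azure sections name identically are checked.
    "azureserviceprincipal": ["Azure Tenant", "Azure Resource"],
    "azureserviceprincipalcert": ["Azure Tenant", "Azure Resource"],
}

def check_settings(settings):
    """Return a list of findings; an empty list means the settings pass."""
    scheme = str(settings.get("Auth Scheme", "")).strip()
    key = scheme.lower().replace(" ", "")
    if key in UNSUPPORTED:
        return [f"Auth Scheme {scheme!r} is not supported in Kafka OCF"]
    if key not in REQUIRED:
        return [f"Auth Scheme {scheme!r} is not described in this appendix"]
    problems = [f"{name} is required for {scheme}"
                for name in REQUIRED[key] if not settings.get(name)]
    if key == "kerberos" and not problems:
        problems += check_kerberos(settings)
    return problems

def check_kerberos(settings):
    # Service name and SPN must both derive from the same broker principal.
    service, spn = settings["Kerberos Service Name"], settings["Kerberos SPN"]
    problems = []
    if "@" in spn:
        problems.append("Kerberos SPN must be the part before '@' (no realm)")
    if spn.split("/", 1)[0] != service:
        problems.append("Kerberos Service Name must equal the service part of the SPN")
    if settings.get("Use Kerberos Ticket Cache") and settings.get("Kerberos Keytab File"):
        problems.append("Kerberos Keytab File is ignored when the ticket cache is used")
    return problems

# Constructed sample, using the principal from the Kerberos section.
SAMPLE = {"Auth Scheme": "KERBEROS", "Kerberos Service Name": "kafka",
          "Kerberos SPN": "kafka/kafka1.hostname.com"}

if __name__ == "__main__":
    print(check_settings(SAMPLE) or "settings pass")
```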