3 hours ago
Before You Start
What is Stream Connect?
Stream Connect for Apache Kafka links your external Kafka environment to your ServiceNow instance, letting you stream high volumes of event data in and out in real time. It powers everything from Flow Designer triggers that consume Kafka messages to producer steps that push ServiceNow events back out to your Kafka topics.
But before a single message can flow, your ServiceNow instance and the Kafka broker need to agree on how they'll talk, and that's where authentication comes in. The credential type you configure in ServiceNow determines the security.protocol, whether the connection is encrypted, and how both sides prove their identity. Choose wrong and messages won't connect; choose right and you've got a secure, production-ready pipeline.
Authentication Methods Reference
| Credential Type | Security Protocol | Encryption | Authentication/Mechanism |
|---|---|---|---|
| No Authentication | PLAINTEXT | No | N/A |
| Kafka SSL (mTLS) | SSL | Yes (TLS) | Client certificate (mTLS) |
| SASL_SSL PLAIN | SASL_SSL | Yes (TLS) | SASL/PLAIN (username + password) |
| SASL_SSL SCRAM-256 | SASL_SSL | Yes (TLS) | SASL/SCRAM-SHA-256 |
| SASL_SSL SCRAM-512 | SASL_SSL | Yes (TLS) | SASL/SCRAM-SHA-512 |
| SASL_PLAINTEXT PLAIN | SASL_PLAINTEXT | No | SASL/PLAIN (username + password) |
| SASL_PLAINTEXT SCRAM-256 | SASL_PLAINTEXT | No | SASL/SCRAM-SHA-256 |
| SASL_PLAINTEXT SCRAM-512 | SASL_PLAINTEXT | No | SASL/SCRAM-SHA-512 |
How to Choose the Right Method
Production environments: Always use a TLS-encrypted option (SSL or SASL_SSL). If your broker requires mutual TLS authentication with client certificates, choose Kafka SSL (mTLS). If your broker authenticates with usernames and passwords over TLS, choose one of the SASL_SSL options (PLAIN for simple credentials, SCRAM-256 or SCRAM-512 for challenge-response).
Development or internal testing: PLAINTEXT (no auth) or SASL_PLAINTEXT may be acceptable when your Kafka cluster sits inside a trusted network. These options send data unencrypted, so never expose them to the public internet.
Key Terms
- TLS (Transport Layer Security): Encrypts data between the ServiceNow instance and the Kafka broker so it cannot be read in transit.
- mTLS (Mutual TLS): Both the client and broker present certificates to prove identity to each other.
- SASL (Simple Authentication and Security Layer): A framework that supports multiple authentication mechanisms (PLAIN, SCRAM) independent of the transport encryption.
- SCRAM (Salted Challenge Response Authentication Mechanism): A password-based authentication method that never sends the raw password over the wire.
- JAAS (Java Authentication and Authorization Service): The configuration block in Kafka broker properties where you define credentials and authentication providers.
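To make the PLAIN versus SCRAM distinction above concrete, the following added example (not ServiceNow or Kafka code) builds the SASL/PLAIN token and a SCRAM-SHA-256 exchange per RFC 5802/7677 and shows what each puts on the wire. The user name, password, salt, nonces and function names are constructed for illustration; it assumes an ASCII user name without "," or "=" and skips SASLprep normalization.

```python
import base64, hashlib, hmac

def sasl_plain_token(user: str, password: str) -> bytes:
    # RFC 4616: [authzid] NUL authcid NUL passwd. The password itself is the message.
    return b"\0" + user.encode() + b"\0" + password.encode()

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def scram_keys(password: str, salt: bytes, iterations: int):
    # SaltedPassword = PBKDF2-HMAC-SHA256; the broker stores only StoredKey.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest()

def scram_exchange(user, password, salt, iterations, cnonce, snonce):
    # Returns (messages as sent on the wire, AuthMessage, ClientProof).
    first_bare = f"n={user},r={cnonce}"
    server_first = (f"r={cnonce}{snonce},"
                    f"s={base64.b64encode(salt).decode()},i={iterations}")
    final_no_proof = f"c=biws,r={cnonce}{snonce}"  # biws = base64("n,,")
    auth_message = f"{first_bare},{server_first},{final_no_proof}".encode()
    client_key, stored_key = scram_keys(password, salt, iterations)
    signature = _hmac(stored_key, auth_message)
    # ClientProof = ClientKey XOR ClientSignature, bound to this session's nonces.
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    client_final = f"{final_no_proof},p={base64.b64encode(proof).decode()}"
    return ["n,," + first_bare, server_first, client_final], auth_message, proof

def server_verify(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    # The broker recovers ClientKey from the proof and checks H(ClientKey).
    signature = _hmac(stored_key, auth_message)
    recovered = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)

if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    user, pw, salt = "svc-stream", "s3cret-constructed", b"constructed-salt"
    print("PLAIN token:", sasl_plain_token(user, pw))
    wire, auth_msg, proof = scram_exchange(user, pw, salt, 4096, "cn0nce", "sn0nce")
    for msg in wire:
        print("SCRAM wire :", msg)
    _, stored = scram_keys(pw, salt, 4096)
    print("broker accepts proof:", server_verify(stored, auth_msg, proof))
```

SCRAM only keeps the password out of the handshake; with a SASL_PLAINTEXT credential type the Kafka records themselves still travel unencrypted, as the table above shows.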
