Please continue reading if you are using Confluent Cluster Link on a Confluent cluster whose metadata is stored in ZooKeeper.
Description
This article describes an issue in the Confluent Platform (CP) 7.9.0 release in which cluster linking does not work on clusters that store their metadata in ZooKeeper. If you have upgraded to CP 7.9.0 from a previous release, you will find the following errors in the broker logs:
Failed to re-encrypt cluster link configs for task Re-encryptCredentials, scheduling retry (kafka.server.link.ClusterLinkManager)
org.apache.kafka.common.config.ConfigException: Could not decode configs, secrets don't match
Applies To
Confluent Platform 7.9.0 only.
Cluster Linking on ZooKeeper-managed clusters.
Cause
The default value of the broker config `password.encoder.cipher.algorithm` changed from `AES/CBC/PKCS5Padding` to `AES/GCM/NoPadding` in CP 7.9. As a result, cluster links are not able to decode their existing secrets.
Resolution
Confluent Platform 7.9.1 will support both the old and new cipher.
Apply the following workaround according to the scenario that matches your situation:
Scenario 1 - If you have already upgraded to CP 7.9.0
Add the following broker configuration parameter on all brokers and perform a full rolling restart:
password.encoder.cipher.algorithm=AES/CBC/PKCS5Padding
Scenario 2 - If you are planning to upgrade to CP 7.9.0
Add the following broker configuration parameter on all brokers before the upgrade, and then upgrade to CP 7.9:
password.encoder.cipher.algorithm=AES/CBC/PKCS5Padding
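One way to confirm the workaround is in place on every broker before a rolling restart or upgrade, and to look for the error messages above in a broker log. This is an added example, not Confluent tooling; the function names and sample files are constructed, and it assumes each broker reads a properties file that uses `=` or `:` as the key/value separator.

```shell
#!/bin/sh
# Added example (not Confluent tooling). Function names and samples are constructed.
KEY='password.encoder.cipher.algorithm'
WANT='AES/CBC/PKCS5Padding'

# Effective value of KEY in a broker properties file: comment lines (# or !)
# are skipped, and the last assignment wins when the key is repeated.
effective_cipher() {
    awk -v key="$KEY" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next      # a longer key name, not ours
            sub(/^[ \t]*[=:][ \t]*/, "", rest); sub(/[ \t\r]+$/, "", rest)
            val = rest
        }
        END { print val }' "$1"
}

# 0 = pinned to the old cipher, 1 = unset (broker default applies), 2 = other value
check_cipher_pin() {
    val=$(effective_cipher "$1")
    if [ -z "$val" ]; then echo "$1: $KEY is not set"; return 1; fi
    if [ "$val" = "$WANT" ]; then echo "$1: pinned to $WANT"; return 0; fi
    echo "$1: $KEY=$val"; return 2
}

# Number of broker log lines carrying either error message from the article.
count_reencrypt_errors() {
    grep -c -e 'Failed to re-encrypt cluster link configs' \
            -e "Could not decode configs, secrets don't match" "$1" || true
}

# Constructed sample files for a dry run.
make_samples() {
    printf '%s\n' 'broker.id=1' "#$KEY=$WANT" > "$1/unset.properties"
    printf '%s\n' "$KEY=AES/GCM/NoPadding" " $KEY = $WANT " > "$1/pinned.properties"
    printf '%s\n' "$KEY=AES/GCM/NoPadding" > "$1/gcm.properties"
    printf '%s\n' 'Kafka broker started (constructed line)' \
      'Failed to re-encrypt cluster link configs for task Re-encryptCredentials, scheduling retry (kafka.server.link.ClusterLinkManager)' \
      "org.apache.kafka.common.config.ConfigException: Could not decode configs, secrets don't match" > "$1/server.log"
}

# Usage: sh check.sh /path/to/server.properties [...]
for f in "$@"; do check_cipher_pin "$f" || true; done
```

A commented-out entry counts as unset, so on CP 7.9.0 that broker still runs with the new default.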
If you encounter any issues, please contact Confluent Support for assistance.