For example, if broker.id on primary is 1 and aux server is 2, then the broker.id on external machine must be any valid positive number except 1 or 2.

For example: keytool -genkeypair -keystore pomKeyStore -dname "CN=test, OU=POM, O=Avaya" -keypass changeit -storepass changeit -keyalg RSA -alias externalkafkaserver -ext SAN=dns:test.abc.com,ip:127.0.0.1

For example: keytool -export -alias externalkafkaserver -storepass changeit -file pim.crt -keystore pomKeyStore

broker.id=3
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=<KAFKA_HOME>/kafka-store/kafka
num.partitions=1
num.recovery.threads.per.data.dir=1
offsets.topic.replication.factor=3
transaction.state.log.replication.factor=3
transaction.state.log.min.isr=1
log.retention.hours=72
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connect=148.147.XX.XX:2182,148.147.XX.XX:2182,148.147.XX.XX:2182
zookeeper.connection.timeout.ms=30000
group.initial.rebalance.delay.ms=0
listeners=SSL://kafkaexternal:9093
advertised.listeners=SSL://kafkaexternal:9093
ssl.keystore.location=/opt/config/pomKeyStore
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/opt/config/pomTrustStore
ssl.truststore.password=changeit
ssl.client.auth=required
ssl.keystore.type=JKS
ssl.truststore.type=JKS
ssl.enabled.protocols=TLSv1.2
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_EMPTY_RENEGOTIATION_INFO_SCSVsecurity.inter.broker.protocol=SSL
default.replication.factor=3

$KAFKA_HOME/bin/kafka-server-start.sh $KAFKA_HOME/config/server.properties