https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17486563#comment-17486563

Elliot West edited comment on KAFKA-13293 at 2/3/22, 4:15 PM:
--------------------------------------------------------------

FWIW we've implemented a custom {{SslEngineFactory}} here: 
https://github.com/apache/kafka/pull/11731

Would this be more generally useful as an interim solution? Or is there process 
on the dynamic client configuration work?


was (Author: teabot):
FWIW we've implemented a custom {{SslEngineFactory}} here: 
https://github.com/apache/kafka/pull/11731

> Support client reload of JKS/PEM certificates
> ---------------------------------------------
>
>                 Key: KAFKA-13293
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13293
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients, security
>    Affects Versions: 2.7.0, 2.8.0, 2.7.1
>            Reporter: Elliot West
>            Priority: Major
>
> Producer/Consumer clients do not currently automatically reload certificates 
> when the key stores are modified, or certificates expire. Currently one 
> supplies key chains when instantiating clients only - there is no mechanism 
> available to either directly reconfigure the client, or for the client to 
> observe changes to the original properties set reference used in 
> construction. Additionally, no work-arounds are documented that might give 
> users alternative strategies for dealing with expiring certificates. 
> Given that expiration and renewal of certificates is an industry standard 
> practice, it could be argued that the current client certificate 
> implementation is not fit for purpose. A mechanism should be provided such 
> that clients can automatically detect, load, and use updated key chains from 
> some abstracted source.
> Finally, it is suggested that in the short-term Kafka documentation be 
> updated to describe any viable mechanism for updating client certs (perhaps 
> closing existing client and then recreating?).
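As an added illustration of the interim approach mentioned in the comment (my own sketch, not the code in the linked PR and not Kafka's own), this is the shape a client-side `SslEngineFactory` that picks up renewed certificates can take: it re-reads the JKS key and trust stores whenever the key store file's modification time changes, so each new connection presents the current certificate while already-open connections are untouched. Class and helper names are mine; it assumes the standard `ssl.keystore.location`, `ssl.truststore.location` and password client configs and a Kafka release that exposes the `SslEngineFactory` extension point (KIP-519).

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.*;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.auth.SslEngineFactory;

// Hypothetical client-only factory: rebuilds its SSLContext when the JKS key store file's mtime changes.
public class ReloadingSslEngineFactory implements SslEngineFactory {
    private Path keyStorePath, trustStorePath;
    private char[] keyStorePassword, trustStorePassword;
    private long loadedMtime = -1;          // mtime of the key store file that built the current sslContext
    private SSLContext sslContext; private KeyStore keyStore, trustStore;

    @Override public void configure(Map<String, ?> configs) {
        keyStorePath = Paths.get(String.valueOf(configs.get("ssl.keystore.location")));
        trustStorePath = Paths.get(String.valueOf(configs.get("ssl.truststore.location")));
        // PASSWORD-typed Kafka configs arrive as Password objects rather than plain Strings
        keyStorePassword = ((Password) configs.get("ssl.keystore.password")).value().toCharArray();
        trustStorePassword = ((Password) configs.get("ssl.truststore.password")).value().toCharArray();
        reloadIfChanged();                  // fail fast at client construction if a store is unreadable
    }
    private static KeyStore load(Path p, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(p)) { ks.load(in, pw); }
        return ks;
    }
    private synchronized void reloadIfChanged() {
        try {
            long mtime = Files.getLastModifiedTime(keyStorePath).toMillis();
            if (mtime == loadedMtime) return;   // unchanged since the last build: keep the current context
            KeyStore ks = load(keyStorePath, keyStorePassword), ts = load(trustStorePath, trustStorePassword);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePassword); tmf.init(ts);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            keyStore = ks; trustStore = ts; sslContext = ctx; loadedMtime = mtime;  // swap only after success
        } catch (Exception e) {             // half-written or unreadable store: keep the last good context, retry on the next connection
            if (sslContext == null) throw new IllegalStateException("cannot load TLS key material", e);
        }
    }
    @Override public SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification) {
        reloadIfChanged();                  // new connections pick up renewed certs; open ones are unaffected
        SSLEngine engine = sslContext.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(endpointIdentification);  // keep broker hostname verification on
        engine.setSSLParameters(params);
        return engine;
    }
    @Override public SSLEngine createServerSslEngine(String h, int p) { throw new UnsupportedOperationException(); }
    @Override public boolean shouldBeRebuilt(Map<String, Object> next) { return false; }
    @Override public Set<String> reconfigurableConfigs() { return Collections.emptySet(); }
    @Override public KeyStore keystore() { return keyStore; }
    @Override public KeyStore truststore() { return trustStore; }
    @Override public void close() {}
}
```

The client selects it with `ssl.engine.factory.class=ReloadingSslEngineFactory`; because only new connections see the new context, the renewed certificate takes effect as connections are re-established, not instantly for existing ones.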



--
This message was sent by Atlassian Jira
(v8.20.1#820001)