Hi Sam,
I never tested this, but I know about a feature already present since 3.5.5
/ 3.6.0 about refreshing the keystore file content automatically. See:
https://issues.apache.org/jira/browse/ZOOKEEPER-3174,
https://github.com/apache/zookeeper/pull/680
This needs to be enabled by the "sslQuorumReloadCertFiles" setting. I'm not exactly
sure if this also affects the SSL encryption on the server-client
communication. (Also: in my case at least I usually use Kerberos for
authentication, so I avoid using client authentication with SSL by
configuring ssl.clientAuth=none, so maybe it would be less important for me
to reload the truststore for the client SSL.)
Regards,
Mate
On Fri, Mar 25, 2022 at 7:40 PM Sam Lee wrote:
> In my zoo.cfg file, I have enabled SSL both for quorum communication and
> client connections:
>
> sslQuorum=true
> serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> ssl.quorum.keyStore.location=/path/to/keystore.jks
> ssl.quorum.keyStore.password=mypassword
> ssl.quorum.trustStore.location=/path/to/truststore.jks
> ssl.quorum.trustStore.password=mypassword
>
> ssl.keyStore.location=/path/to/keystore.jks
> ssl.keyStore.password=mypassword
> ssl.trustStore.location=/path/to/truststore.jks
> ssl.trustStore.password=mypassword
>
> If I subsequently edit the contents of the keystore or the truststore
> file, do I need to restart ZooKeeper for the change to take effect?
>
> (Apache ZooKeeper version 3.6.3)
>
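An added example, not taken from either message in the thread: a zoo.cfg that combines Sam's quoted settings with the reload flag Mate points to and Mate's ssl.clientAuth choice. Paths and passwords are the placeholders from Sam's mail; whether the reload flag also covers the client-facing listener is left open by the thread, so the comment below flags that as something to verify rather than assume.

```properties
# Quorum (server-to-server) TLS, as in Sam's configuration
sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=/path/to/keystore.jks
ssl.quorum.keyStore.password=mypassword
ssl.quorum.trustStore.location=/path/to/truststore.jks
ssl.quorum.trustStore.password=mypassword

# Reload the key store and trust store when the files change on disk
# (ZOOKEEPER-3174 / PR 680, available since 3.5.5 / 3.6.0). This is the
# setting the thread identifies as picking up edited key/trust stores
# without a restart.
sslQuorumReloadCertFiles=true

# Client-facing TLS. The thread does not confirm that the reload flag
# covers this listener: after rotating the keystore, check which
# certificate the client port actually presents before relying on it.
ssl.keyStore.location=/path/to/keystore.jks
ssl.keyStore.password=mypassword
ssl.trustStore.location=/path/to/truststore.jks
ssl.trustStore.password=mypassword

# Mate's setup: Kerberos handles authentication, so client certificates
# are not requested and the client truststore matters less for reloads.
ssl.clientAuth=none
```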