[ https://issues.apache.org/jira/browse/KAFKA-8336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajini Sivaram resolved KAFKA-8336.
-----------------------------------
    Resolution: Fixed
      Reviewer: Manikumar

> Enable dynamic update of client-side SSL factory in brokers
> -----------------------------------------------------------
>
>                 Key: KAFKA-8336
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8336
>             Project: Kafka
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 2.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 2.3.0
>
>
> We currently support dynamic update of server-side keystores. This allows 
> expired certs to be updated on brokers without a rolling restart. When mutual 
> authentication is enabled for inter-broker communication 
> (ssl.client.auth=required), we don't currently dynamically update client-side 
> keystores for controller or transaction coordinator. So a broker restart (or 
> controller change) is required for cert update for this case. Since 
> short-lived SSL cert is a common use case, we should enable client-side cert 
> updates for all client connections initiated by the broker to ensure that SSL 
> certificate expiry can be handled with dynamic config updates on brokers for 
> all configurations.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
