Adding this information that supports your assumptions that it should be dynamically supported.

Notice the update mode -

Dynamic Update Mode option in Broker Configurations <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#cp-config-brokers> for the update mode of each broker configuration.

- read-only: Requires a broker restart for update.
- per-broker: May be updated dynamically for each broker.
- cluster-wide: May be updated dynamically as a cluster-wide default. May also be updated as a per-broker value for testing

ssl.client.auth <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#brokerconfigs_ssl.client.auth>

Configures kafka broker to request client authentication. The following settings are common:

- ssl.client.auth=required If set to required client authentication is required.
- ssl.client.auth=requested This means client authentication is optional. unlike required, if this option is set client can choose not to provide authentication information about itself
- ssl.client.auth=none This means client authentication is not needed.

Type: string
Default: none
Valid Values: [required, requested, none]
Importance: medium
Update Mode: per-broker

On Fri, 4 June 2021, 08:30, Anjali Sharma < sharma.anjali.2...@gmail.com> wrote:

> Dear All,
>
> When trying to configure mtls without restarting the brokers it is not
> working.
> For mutualTLS "ssl.client.auth" should be set to "required". So, if we are
> trying to do the dynamic update using the below command
>
> *sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104
> --entity-type brokers --entity-name 117373 --alter --add-config
> listener.name.app.ssl.client.auth=required*
> *Completed updating config for broker 117373.*
>
> *sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104
> --entity-type brokers --entity-name 117373 --describe
> Dynamic configs for broker 117373 are:
> listener.name.app.ssl.client.auth=required sensitive=false
> synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required,
> STATIC_BROKER_CONFIG:ssl.client.auth=none,
> DEFAULT_CONFIG:ssl.client.auth=none}*
>
> Dynamic command execution is success but in captured tcpdump(pcap)
> "Certificate Request" is not sent from Server below.
>
> But if we alter manually and restart Kafka we can see "Certificate
> Request" from Server in tcpdump.
>
> Please help in resolving the dynamic update of altering
> "ssl.client.auth=Required"
>
> Pcap image is attached
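
An added example, not part of either message in this thread: a Python parser for the `kafka-configs.sh --describe` output quoted above that flags `ssl.client.auth` entries whose dynamic override differs from the static or default value, which is the state where the on-the-wire "Certificate Request" behaviour should be checked. The sample text is reconstructed from the output in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the --describe output quoted in the thread, one entry per line.
SAMPLE = """Dynamic configs for broker 117373 are:
  listener.name.app.ssl.client.auth=required sensitive=false synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required, STATIC_BROKER_CONFIG:ssl.client.auth=none, DEFAULT_CONFIG:ssl.client.auth=none}
"""

# One config entry: key=value sensitive=<bool> synonyms={...}
ENTRY = re.compile(r"^\s*(?P<key>[\w.\-]+)=(?P<value>\S*)\s+sensitive=(?:true|false)"
                   r"\s+synonyms=\{(?P<synonyms>.*)\}\s*$")
# One synonym inside the braces: SOURCE:key=value
SYNONYM = re.compile(r"(?P<source>[A-Z_]+):(?P<key>[\w.\-]+)=(?P<value>[^,}]*)")


def parse_describe(text):
    """Return one dict per config entry; synonyms stay in the order printed."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header line or blank line
        synonyms = [(s["source"], s["key"], s["value"].strip())
                    for s in SYNONYM.finditer(m["synonyms"])]
        entries.append({"key": m["key"], "value": m["value"], "synonyms": synonyms})
    return entries


def client_auth_overrides(entries):
    """Return (key, static_or_default_value, dynamic_value) for every
    ssl.client.auth entry whose dynamic value differs from the static one."""
    findings = []
    for e in entries:
        if not e["key"].endswith("ssl.client.auth"):
            continue
        startup = next((v for src, _, v in e["synonyms"]
                        if src in ("STATIC_BROKER_CONFIG", "DEFAULT_CONFIG")), None)
        dynamic = next((v for src, _, v in e["synonyms"]
                        if src.startswith("DYNAMIC_")), None)
        if dynamic is not None and dynamic != startup:
            findings.append((e["key"], startup, dynamic))
    return findings


if __name__ == "__main__":
    for key, startup, dynamic in client_auth_overrides(parse_describe(SAMPLE)):
        print(f"{key}: static/default {startup!r}, dynamic override {dynamic!r}; "
              "verify on the wire that the listener sends a Certificate Request")
```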