Restarting the broker solves the problem? Do your clients fully disconnect and reconnect?
On Fri, 4 Jun 2021 at 09:24, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> Hi Ran,
>
> Thank you so much for the help, but I had already gone through the
> documentation. Despite doing the same thing, it is not working; we are
> not getting any client certificate request as such. Is there anything that
> I am missing in executing the command, or do we need to restart the brokers,
> or is there anything else we need to do?
>
> Thanks & Regards
> Anjali
>
> On Fri, Jun 4, 2021 at 11:17 AM Ran Lupovich <ranlupov...@gmail.com> wrote:
>
> > Adding this information that supports your assumptions that it should be
> > dynamically supported. Notice the update mode -
> >
> > Dynamic Update Mode option in Broker Configurations
> > <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#cp-config-brokers>
> > for the update mode of each broker configuration.
> >
> > - read-only: Requires a broker restart for update.
> > - per-broker: May be updated dynamically for each broker.
> > - cluster-wide: May be updated dynamically as a cluster-wide default.
> >   May also be updated as a per-broker value for testing
> >
> > ssl.client.auth
> > <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#brokerconfigs_ssl.client.auth>
> >
> > Configures kafka broker to request client authentication. The following
> > settings are common:
> >
> > - ssl.client.auth=required If set to required client authentication is
> >   required.
> > - ssl.client.auth=requested This means client authentication is
> >   optional. Unlike required, if this option is set client can choose not
> >   to provide authentication information about itself
> > - ssl.client.auth=none This means client authentication is not needed.
> >
> > Type: string
> > Default: none
> > Valid Values: [required, requested, none]
> > Importance: medium
> > Update Mode: per-broker
> >
> > On Fri, 4 Jun 2021 at 08:30, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> >
> > > Dear All,
> > >
> > > When trying to configure mtls without restarting the brokers it is not
> > > working.
> > > For mutual TLS "ssl.client.auth" should be set to "required". So, if we
> > > are trying to do the dynamic update using the below command
> > >
> > > sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 --entity-type brokers --entity-name 117373 --alter --add-config listener.name.app.ssl.client.auth=required
> > > Completed updating config for broker 117373.
> > >
> > > sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 --entity-type brokers --entity-name 117373 --describe
> > > Dynamic configs for broker 117373 are:
> > > listener.name.app.ssl.client.auth=required sensitive=false synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required, STATIC_BROKER_CONFIG:ssl.client.auth=none, DEFAULT_CONFIG:ssl.client.auth=none}
> > >
> > > Dynamic command execution is a success, but in the captured tcpdump (pcap)
> > > "Certificate Request" is not sent from the Server.
> > >
> > > But if we alter manually and restart Kafka we can see "Certificate
> > > Request" from Server in tcpdump.
> > >
> > > Please help in resolving the dynamic update of altering
> > > "ssl.client.auth=Required"
> > >
> > > Pcap image is attached
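
Added example, not part of the thread and not Kafka's own code: the pcap check described in the original message (is there a "Certificate Request" in the server's flight?) done programmatically over the server-to-client bytes of one connection. The sample flights are constructed with zero-filled placeholder message bodies, and all function names are this example's own.

```python
import struct

HANDSHAKE = 22            # TLS record content type for handshake messages
CERTIFICATE_REQUEST = 13  # handshake message types (TLS 1.2, RFC 5246)
SERVER_HELLO_DONE = 14

def handshake_types(stream: bytes) -> list:
    """Handshake message types in the plaintext part of a server's first flight."""
    body, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != HANDSHAKE:      # ChangeCipherSpec or encrypted data: stop
            break
        body += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    types, pos = [], 0
    while pos + 4 <= len(body):     # messages may span records, so parse after joining
        size = int.from_bytes(body[pos + 1:pos + 4], "big")
        if pos + 4 + size > len(body):
            break                   # truncated capture
        types.append(body[pos])
        pos += 4 + size
    return types

def client_cert_requested(stream: bytes):
    """True/False for a complete TLS 1.2 flight; None when the capture cannot tell."""
    types = handshake_types(stream)
    if SERVER_HELLO_DONE not in types:
        return None  # TLS 1.3 encrypts CertificateRequest, or the flight is incomplete
    return CERTIFICATE_REQUEST in types

# Constructed sample flights; message bodies are zero-filled placeholders.
def _msg(kind, size=0):
    return bytes([kind]) + size.to_bytes(3, "big") + bytes(size)

def _rec(ctype, data):
    return struct.pack("!BHH", ctype, 0x0303, len(data)) + data

_mtls = _msg(2, 38) + _msg(11, 60) + _msg(12, 40) + _msg(13, 20) + _msg(14)
FLIGHT_MTLS = _rec(22, _mtls[:70]) + _rec(22, _mtls[70:])   # split across records
FLIGHT_NO_AUTH = _rec(22, _msg(2, 38) + _msg(11, 60) + _msg(12, 40) + _msg(14))
FLIGHT_TLS13 = _rec(22, _msg(2, 38)) + _rec(20, b"\x01") + _rec(23, bytes(64))

if __name__ == "__main__":
    for name in ("FLIGHT_MTLS", "FLIGHT_NO_AUTH", "FLIGHT_TLS13"):
        print(name, client_cert_requested(globals()[name]))
```

A `None` result matters for this kind of test: if the listener negotiates TLS 1.3, the CertificateRequest is encrypted and a packet capture cannot show it either way.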