According to documentation it is dynamic and should work, though it is
"general" ssl.auth of the entire broker setting and to specific listener as
you are trying out, but the logic says it should work the same... besides
that I do not have anything smart to suggest, the only understanding we
need is if specific listener config is dynamically changeable and when it takes
place? New connections? Do all your clients fully disconnect and reconnect
to that listener?

On Fri, 4 June 2021, 10:25, Anjali Sharma <
sharma.anjali.2...@gmail.com> wrote:

> Yes, restarting the Kafka solves the problem, but as it is dynamic there is
> no need to restart the Kafka, right?
>
> On Fri, Jun 4, 2021, 12:13 Ran Lupovich <ranlupov...@gmail.com> wrote:
>
> > Restarting the broker solves the problem? Do your clients fully disconnect
> > and reconnect?
> >
> > On Fri, 4 June 2021, 09:24, Anjali Sharma <
> > sharma.anjali.2...@gmail.com> wrote:
> >
> > > Hi Ran,
> > >
> > > Thank you so much for the help, but had already gone through the
> > > documentation, but despite doing the same thing it is not working, we are
> > > not getting any client certificate request as such, is there anything that
> > > I am missing in executing the command or we need to restart the brokers
> > > or anything else we need to do?
> > >
> > >
> > > Thanks & Regards
> > > Anjali
> > >
> > > On Fri, Jun 4, 2021 at 11:17 AM Ran Lupovich <ranlupov...@gmail.com>
> > > wrote:
> > >
> > > > Adding this information that supports your assumptions that it should be
> > > > dynamically supported. Notice the update mode -
> > > >
> > > > Dynamic Update Mode option in Broker Configurations
> > > > <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#cp-config-brokers>
> > > > for the update mode of each broker configuration.
> > > >
> > > >    - read-only: Requires a broker restart for update.
> > > >    - per-broker: May be updated dynamically for each broker.
> > > >    - cluster-wide: May be updated dynamically as a cluster-wide default.
> > > >    May also be updated as a per-broker value for testing
> > > >
> > > >
> > > >
> > > > ssl.client.auth
> > > > <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#brokerconfigs_ssl.client.auth>
> > > >
> > > > Configures kafka broker to request client authentication. The following
> > > > settings are common:
> > > >
> > > >    - ssl.client.auth=required If set to required client authentication is
> > > >    required.
> > > >    - ssl.client.auth=requested This means client authentication is
> > > >    optional. unlike required, if this option is set client can choose not to
> > > >    provide authentication information about itself
> > > >    - ssl.client.auth=none This means client authentication is not needed.
> > > >
> > > > Type: string
> > > > Default: none
> > > > Valid Values: [required, requested, none]
> > > > Importance: medium
> > > > Update Mode: per-broker
> > > >
> > > > On Fri, 4 June 2021, 08:30, Anjali Sharma <
> > > > sharma.anjali.2...@gmail.com> wrote:
> > > >
> > > > > Dear All,
> > > > >
> > > > > When trying to configure mtls without restarting the brokers it is not
> > > > > working.
> > > > > For mutualTLS "ssl.client.auth" should be set to "required". So, if we are
> > > > > trying to do the dynamic update using the below command
> > > > >
> > > > > sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 \
> > > > >   --entity-type brokers --entity-name 117373 --alter --add-config \
> > > > >   listener.name.app.ssl.client.auth=required
> > > > > Completed updating config for broker 117373.
> > > > >
> > > > > sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 \
> > > > >   --entity-type brokers --entity-name 117373 --describe
> > > > > Dynamic configs for broker 117373 are:
> > > > > listener.name.app.ssl.client.auth=required sensitive=false synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required, STATIC_BROKER_CONFIG:ssl.client.auth=none, DEFAULT_CONFIG:ssl.client.auth=none}
> > > > >
> > > > > Dynamic command execution is a success but in the captured tcpdump (pcap)
> > > > > "Certificate Request" is not sent from the Server.
> > > > >
> > > > >
> > > > > But if we alter manually and restart Kafka we can see "Certificate
> > > > > Request" from Server in tcpdump.
> > > > >
> > > > > Please help in resolving the dynamic update of altering
> > > > > "ssl.client.auth=Required"
> > > > >
> > > > >
> > > > > Pcap image is attached
> > > > >
> > > > >
> > > >
> > >
> >
>
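
Added example (not part of the thread and not Kafka project code): a small Python check for the pcap observation discussed above, reporting whether a server's handshake flight carries a visible "Certificate Request" (handshake type 13). It assumes the input is the reassembled server-to-client TCP payload; the function names are hypothetical and the sample flights are constructed. A TLS 1.3 handshake encrypts CertificateRequest, so the check returns None there instead of a false "not requested".

```python
import struct

HANDSHAKE, CERT_REQUEST, SERVER_HELLO_DONE = 22, 13, 14

def handshake_types(stream):
    """List the handshake message types readable in cleartext TLS records."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != HANDSHAKE or pos + 5 + length > len(stream):
            break  # ChangeCipherSpec/encrypted data follows, or capture is cut
        buf += stream[pos + 5:pos + 5 + length]  # messages may span records
        pos += 5 + length
    types, off = [], 0
    while off + 4 <= len(buf):
        mlen = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + mlen > len(buf):
            break  # incomplete message at the end of the capture
        types.append(buf[off])
        off += 4 + mlen
    return types

def client_cert_requested(stream):
    """True/False for a complete cleartext (TLS 1.2) flight, else None."""
    types = handshake_types(stream)
    if CERT_REQUEST in types:
        return True
    if SERVER_HELLO_DONE in types:
        return False
    return None  # e.g. TLS 1.3: CertificateRequest is encrypted on the wire

# --- constructed sample flights (dummy message bodies, not a real capture) ---
def _msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

_flight = _msg(2, bytes(38)) + _msg(11, bytes(20)) + _msg(13, bytes(8)) + _msg(14)
WITH_REQUEST = _rec(22, _flight[:50]) + _rec(22, _flight[50:])  # split mid-message
WITHOUT_REQUEST = _rec(22, _msg(2, bytes(38)) + _msg(11, bytes(20)) + _msg(14))
TLS13_LIKE = _rec(22, _msg(2, bytes(38))) + _rec(20, b"\x01") + _rec(23, bytes(40))

if __name__ == "__main__":
    for name, flight in [("with", WITH_REQUEST), ("without", WITHOUT_REQUEST),
                         ("tls1.3-like", TLS13_LIKE)]:
        print(name, handshake_types(flight), client_cert_requested(flight))
```
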
