And not* to specific listener

On Fri, 4 June 2021, 10:30, Ran Lupovich <ranlupov...@gmail.com> wrote:

> According to documentation it is dynamic and should work, though it is "general" ssl.auth of the entire broker setting and to specific listener as you are trying out, but the logic says it should work the same... besides that I do not have anything smart to suggest, the only understanding we need is if specific listener config is dynamic changeable and when it takes place? New connections? Do all your clients fully disconnect and reconnect to that listener?
>
> On Fri, 4 June 2021, 10:25, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>
>> Yes restarting the Kafka solves the problem but as it is dynamic there is no need to restart the Kafka right?
>>
>> On Fri, Jun 4, 2021, 12:13 Ran Lupovich <ranlupov...@gmail.com> wrote:
>>
>> > Restarting the broker solves the problem? Do your clients fully disconnect and reconnect?
>> >
>> > On Fri, 4 June 2021, 09:24, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>> >
>> > > Hi Ran,
>> > >
>> > > Thank you so much for the help, but had already gone through the documentation, but despite doing the same thing it is not working, we are not getting any client certificate request as such, is there anything that I am missing in executing the command or we need to restart the brokers or anything else we need to do?
>> > >
>> > > Thanks & Regards
>> > > Anjali
>> > >
>> > > On Fri, Jun 4, 2021 at 11:17 AM Ran Lupovich <ranlupov...@gmail.com> wrote:
>> > >
>> > > > Adding this information that supports your assumptions that it should be dynamically supported. Notice the update mode -
>> > > >
>> > > > Dynamic Update Mode option in Broker Configurations <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#cp-config-brokers> for the update mode of each broker configuration.
>> > > >
>> > > > - read-only: Requires a broker restart for update.
>> > > > - per-broker: May be updated dynamically for each broker.
>> > > > - cluster-wide: May be updated dynamically as a cluster-wide default. May also be updated as a per-broker value for testing
>> > > >
>> > > > ssl.client.auth <https://docs.confluent.io/platform/current/installation/configuration/broker-configs.html#brokerconfigs_ssl.client.auth>
>> > > >
>> > > > Configures kafka broker to request client authentication. The following settings are common:
>> > > >
>> > > > - ssl.client.auth=required If set to required client authentication is required.
>> > > > - ssl.client.auth=requested This means client authentication is optional. unlike required, if this option is set client can choose not to provide authentication information about itself
>> > > > - ssl.client.auth=none This means client authentication is not needed.
>> > > >
>> > > > Type: string
>> > > > Default: none
>> > > > Valid Values: [required, requested, none]
>> > > > Importance: medium
>> > > > Update Mode: per-broker
>> > > >
>> > > > On Fri, 4 June 2021, 08:30, Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>> > > >
>> > > > > Dear All,
>> > > > >
>> > > > > When trying to configure mtls without restarting the brokers it is not working.
>> > > > > For mutualTLS "ssl.client.auth" should be set to "required". So, if we are trying to do the dynamic update using the below command
>> > > > >
>> > > > > *sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 --entity-type brokers --entity-name 117373 --alter --add-config listener.name.app.ssl.client.auth=required*
>> > > > > *Completed updating config for broker 117373.*
>> > > > >
>> > > > > *sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 --entity-type brokers --entity-name 117373 --describe*
>> > > > > *Dynamic configs for broker 117373 are:*
>> > > > > *listener.name.app.ssl.client.auth=required sensitive=false synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required, STATIC_BROKER_CONFIG:ssl.client.auth=none, DEFAULT_CONFIG:ssl.client.auth=none}*
>> > > > >
>> > > > > Dynamic command execution is success but in captured tcpdump(pcap) "Certificate Request" is not sent from Server below.
>> > > > >
>> > > > > But if we alter manually and restart Kafka we can see "Certificate Request" from Server in tcpdump.
>> > > > >
>> > > > > Please help in resolving the dynamic update of altering "ssl.client.auth=Required"
>> > > > >
>> > > > > Pcap image is attached
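
Added example, not part of the thread: one way to check the symptom discussed above without a packet capture, by comparing the dynamic override reported by `--describe` with what a fresh `openssl s_client` handshake against the listener shows. The sample inputs are constructed, `HOST:PORT` is a placeholder for the `app` listener's address, and the check assumes the two marker strings that `openssl s_client` prints when the server requests a client certificate.

```shell
#!/bin/sh
# Added example: does a NEW handshake match the dynamic ssl.client.auth value?
# Live inputs (HOST:PORT is a placeholder for the "app" listener):
#   desc=$(sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 \
#            --entity-type brokers --entity-name 117373 --describe)
#   hs=$(openssl s_client -connect HOST:PORT </dev/null 2>&1)

# Constructed samples: describe output as in the thread, abbreviated s_client output.
SAMPLE_DESCRIBE='listener.name.app.ssl.client.auth=required sensitive=false synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required, STATIC_BROKER_CONFIG:ssl.client.auth=none, DEFAULT_CONFIG:ssl.client.auth=none}'
SAMPLE_REQUEST='---
Acceptable client certificate CA names
CN = Example Internal CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---'
SAMPLE_NO_REQUEST='---
No client certificate CA names sent
---'

# stdin: `kafka-configs.sh --describe` output; $1: listener name.
# Prints the dynamic per-listener value, or "unset" if there is no override.
dynamic_client_auth() {
  awk -v k="DYNAMIC_BROKER_CONFIG:listener.name.$1.ssl.client.auth=" '
    { i = index($0, k) }
    i { v = substr($0, i + length(k)); sub(/[^a-z].*/, "", v); print v; hit = 1; exit }
    END { if (!hit) print "unset" }'
}

# stdin: `openssl s_client` text output. Succeeds if the server asked for a
# client certificate (assumption: these are the markers s_client prints).
handshake_requests_cert() {
  grep -Eq '^(Acceptable client certificate CA names|Client Certificate Types:)'
}

# $1 listener, $2 describe output, $3 s_client output -> one-word verdict.
check_listener() {
  cfg=$(printf '%s\n' "$2" | dynamic_client_auth "$1")
  if printf '%s\n' "$3" | handshake_requests_cert; then seen=yes; else seen=no; fi
  case "$cfg:$seen" in
    unset:*) echo "no-dynamic-override" ;;
    required:yes|requested:yes|none:no) echo "consistent" ;;
    *) echo "mismatch" ;;   # e.g. required in config, no request on the wire
  esac
}

check_listener app "$SAMPLE_DESCRIBE" "$SAMPLE_NO_REQUEST"   # the case reported in the thread
```

A `mismatch` verdict on a fresh connection reproduces what the tcpdump in the original message showed: the override is stored, but the listener's handshake does not reflect it.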