Posted to user@zookeeper.apache.org by Sam Lee <sa...@yahoo.com.INVALID> on 2022/03/25 18:40:24 UTC

Need to restart after editing the SSL keystore or truststore?

In my zoo.cfg file, I have enabled SSL both for quorum communication and
client connections:

    sslQuorum=true
    serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
    ssl.quorum.keyStore.location=/path/to/keystore.jks
    ssl.quorum.keyStore.password=mypassword
    ssl.quorum.trustStore.location=/path/to/truststore.jks
    ssl.quorum.trustStore.password=mypassword

    ssl.keyStore.location=/path/to/keystore.jks
    ssl.keyStore.password=mypassword
    ssl.trustStore.location=/path/to/truststore.jks
    ssl.trustStore.password=mypassword

If I subsequently edit the contents of the keystore or the truststore
file, do I need to restart ZooKeeper for the change to take effect?

(Apache ZooKeeper version 3.6.3)

Re: Need to restart after editing the SSL keystore or truststore?

Posted by Szalay-Bekő Máté <sz...@gmail.com>.
Hi Sam,

I never tested this, but I know about a feature already present since 3.5.5
/ 3.6.0 about refreshing the keystore file content automatically. See:
https://issues.apache.org/jira/browse/ZOOKEEPER-3174,
https://github.com/apache/zookeeper/pull/680

This needs to be enabled by the "sslQuorumReloadCertFiles" setting. I'm not
exactly sure if this also affects the SSL encryption on the server-client
communication. (Also: in my case at least, I usually use Kerberos for
authentication, so I avoid using client authentication with SSL by
configuring ssl.clientAuth=none; so maybe it would be less important for me
to reload the truststore for the client SSL.)

Regards,
Mate
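An added check, not code from this thread or from ZooKeeper itself: after editing the keystore with sslQuorumReloadCertFiles=true in zoo.cfg, compare the certificate the running server actually presents on a TLS port with the one now stored in the keystore, so a missed reload is caught before the old certificate expires. It assumes openssl and keytool are on PATH and that the port given is a TLS listener (for example the secureClientPort, or the quorum port when sslQuorum=true); the host, port, keystore path and alias are placeholders supplied on the command line.

```bash
#!/usr/bin/env bash
# Check whether a running ZooKeeper server serves the certificate that is
# currently in its keystore (i.e. whether a keystore edit was picked up
# without a restart). Added example; assumes openssl and keytool exist.
set -eu

# Normalise either an openssl line ("SHA256 Fingerprint=ab:cd:...") or a
# keytool line ("   SHA256: AB:CD:...") to bare upper-case hex.
normalize_fp() {
  printf '%s' "$1" \
    | sed -E 's/^[^=]*=//; s/^[[:space:]]*SHA256:[[:space:]]*//' \
    | tr -d ':[:space:]' \
    | tr '[:lower:]' '[:upper:]'
}

# SHA-256 fingerprint of the certificate presented on host:port.
# Only the TLS handshake is performed; no ZooKeeper request is sent.
presented_fp() {  # $1=host $2=port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate stored under an alias in the JKS.
keystore_fp() {  # $1=keystore $2=storepass $3=alias
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -m1 'SHA256:'
}

# Exit status 0 when both fingerprint lines denote the same certificate.
fingerprints_match() {  # $1=fingerprint line A  $2=fingerprint line B
  [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Usage: check_reload.sh <host> <tlsPort> <keystore.jks> <storepass> <alias>
if [ "$#" -eq 5 ]; then
  live=$(presented_fp "$1" "$2")
  stored=$(keystore_fp "$3" "$4" "$5")
  if fingerprints_match "$live" "$stored"; then
    echo "OK: server presents the certificate currently in the keystore"
  else
    echo "MISMATCH: server still presents a different certificate (reload not applied)"
    exit 2
  fi
fi
```

Run it once before and once after editing the keystore; a MISMATCH after the edit means the running server did not reload and still needs a restart.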
