Posted to users@kafka.apache.org by Anjali Sharma <sh...@gmail.com> on 2021/06/03 10:47:59 UTC

Mutual-TLS Dynamic config update not working

Dear All,

When trying to configure mTLS without restarting the brokers, it is not
working.
For mutual TLS, "ssl.client.auth" should be set to "required". So we are
trying to do the dynamic update using the command below:

sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 --entity-type brokers --entity-name 117373 --alter --add-config listener.name.app.ssl.client.auth=required
Completed updating config for broker 117373.

sh /opt/kafka/bin/kafka-configs.sh --bootstrap-server localhost:28104 --entity-type brokers --entity-name 117373 --describe
Dynamic configs for broker 117373 are:
  listener.name.app.ssl.client.auth=required sensitive=false synonyms={DYNAMIC_BROKER_CONFIG:listener.name.app.ssl.client.auth=required, STATIC_BROKER_CONFIG:ssl.client.auth=none, DEFAULT_CONFIG:ssl.client.auth=none}

The dynamic command execution is successful, but in the captured tcpdump (pcap)
"Certificate Request" is not sent from the server, as shown below:
[image: image.png]

But if we alter manually and restart Kafka we can see "Certificate Request"
from Server in tcpdump.

Please help in resolving the dynamic update of altering
"ssl.client.auth=Required"