It seems that specifying the SECURE client port in the reconfig command does work, while also keeping the same port defined as "secureClientPort" in zookeeper.conf.

(I thought I had tried this, but may have missed this combination)

In any case, some clarification within the documentation may be helpful!

/Ryan

On 11/15/22, 10:10 AM, "Ruel, Ryan" <[email protected]> wrote:

    In my ZooKeeper setup, I am strictly using TLS for both client and quorum communication.

    In zookeeper.conf, I have “secureClientPort=2281” defined, and do not have any “clientPort” option set.

    In the 3.8.0 documentation on dynamic reconfiguration (https://urldefense.com/v3/__https://zookeeper.apache.org/doc/r3.8.0/zookeeperReconfig.html__;!!GjvTz_vk!T5lRlM3A1syL82ZMBR5kWiVdxaCcKIlRhDY-6muCLvhez9gyJTYbbhMkWMiee0evVrX0MQc-eYwvZhl1$ ), the documentation says that the old “clientPort” configuration option should not be specified, and instead the new server keyword specification should look like this:

    server.<positive id> = <address1>:<port1>:<port2>[:role];[<client port address>:]<client port>**

    However, this specification doesn’t consider the secure client port from what I can tell.

    In some cases where the server keyword is used, I can just eliminate putting in the client port address and client port, such as within the quorum peer configuration (in zookeeper.conf or within the dynamic configuration file).

    In other cases, however, such as using the “reconfig” command in the ZK cli utility, the client port MUST be specified, or a “bad argument” type error is produced.

    I of course don’t want to put a dummy port number in the server specification which would then enable insecure communication.

    What’s the recommendation for using secure communication only while also using dynamic reconfiguration?

    P.S.  Another interesting bit in the documentation is the example:
    server.1=125.23.63.23:2780:2783:participant;2791
    server.2=125.23.63.24:2781:2784:participant;2792
    server.3=125.23.63.25:2782:2785:participant;2793

    In what use case would you want to use entirely different ports for each server?  Or is this just a demonstration that this is possible?

    /Ryan
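The configuration the thread describes, as an added example that is not part of the original e-mail exchange or of the ZooKeeper project: a POSIX shell script that writes a constructed TLS-only static config and dynamic config, then checks that no plaintext clientPort is set and that the client port after the ";" in every server line, and in a reconfig -add argument, equals secureClientPort. Host names, paths and port numbers are assumptions; the static option names are ZooKeeper's own, but confirm the exact reconfig -add syntax against the 3.8.0 documentation linked above before relying on it.

```shell
#!/bin/sh
# Constructed example (not from the thread or the ZooKeeper project): build a
# TLS-only static config plus a dynamic config, then verify that the dynamic
# server lines and any reconfig -add spec only ever name the secure port.
# All hosts, paths and ports below are assumed values for illustration.
set -u

WORKDIR=$(mktemp -d)

# Static config: TLS only, no clientPort at all (assumed values).
cat > "$WORKDIR/zoo.cfg" <<'EOF'
tickTime=2000
dataDir=/var/lib/zookeeper
secureClientPort=2281
sslQuorum=true
reconfigEnabled=true
standaloneEnabled=false
dynamicConfigFile=/etc/zookeeper/zoo.cfg.dynamic
EOF

# Dynamic config: the client port after ';' is the secure port (assumed hosts).
cat > "$WORKDIR/zoo.cfg.dynamic" <<'EOF'
server.1=zk1.example.internal:2888:3888:participant;2281
server.2=zk2.example.internal:2888:3888:participant;2281
server.3=zk3.example.internal:2888:3888:participant;2281
EOF

# cfg_get FILE KEY: print the value of a key=value option, or nothing if unset.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# server_client_port SPEC: the client port of a server.N spec, i.e. the text
# after the last ';' with any optional "address:" prefix stripped.
server_client_port() {
    printf '%s\n' "$1" | sed 's/.*;//' | sed 's/.*://'
}

# check_tls_only STATIC DYNAMIC: succeed only if secureClientPort is set,
# clientPort is not, and every server line's client port is the secure port.
check_tls_only() {
    secure=$(cfg_get "$1" secureClientPort)
    plain=$(cfg_get "$1" clientPort)
    [ -n "$secure" ] || { echo "secureClientPort is not set"; return 1; }
    [ -z "$plain" ] || { echo "clientPort=$plain would open a plaintext listener"; return 1; }
    count=$(grep -c '^server\.' "$2" || true)
    [ "$count" -gt 0 ] || { echo "no server lines in $2"; return 1; }
    # The loop runs in a subshell; 'exit 1' there becomes the pipeline status.
    grep '^server\.' "$2" | while IFS= read -r line; do
        port=$(server_client_port "$line")
        [ "$port" = "$secure" ] || { echo "port $port != secureClientPort $secure: $line"; exit 1; }
    done
}

# reconfig_add_cmd SPEC SECURE_PORT: print the zkCli command for adding a
# server, refusing any spec whose client port is not the secure port.
reconfig_add_cmd() {
    [ "$(server_client_port "$1")" = "$2" ] || return 1
    printf 'reconfig -add %s\n' "$1"
}

# Stand-alone run: validate the constructed files and show the add command.
check_tls_only "$WORKDIR/zoo.cfg" "$WORKDIR/zoo.cfg.dynamic" && echo "config is TLS-only"
reconfig_add_cmd 'server.4=zk4.example.internal:2888:3888:participant;2281' 2281
```

The check treats the dynamic configuration and the reconfig argument the same way: each is parsed with server_client_port and compared against secureClientPort, so a dummy or default plaintext port slipped into either place is reported before it reaches the ensemble.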
