I sent another email saying that I am looking to dynamically update the SSL truststore, not the keystore. Would that still be relevant? Thanks.
On Thu, May 16, 2019 at 2:54 PM Peter Bukowinski <pmb...@gmail.com> wrote:

> It’s my understanding that dynamic configuration requires you to write
> znodes, e.g. /config/brokers/ssl.keystore.location. I believe you can use
> the same path. Brokers should be watching that path and if a node is added
> or updated the config values will be read in and loaded over existing
> values.
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-226+-+Dynamic+Broker+Configuration#KIP-226-DynamicBrokerConfiguration-SSLkeystore
>
> > On May 16, 2019, at 2:08 PM, Darshan <purandare.dars...@gmail.com> wrote:
> >
> > Hi
> >
> > I am testing out Kafka 2.2.0 and was hoping to test out "Enable dynamic
> > reconfiguration of SSL truststores"
> > https://issues.apache.org/jira/browse/KAFKA-6810. But unfortunately I could
> > not get it to work. Please find the server.properties. Just wondering if we
> > need a change of config. Please advise.
> >
> > 1. I added a new entry in the truststore, and validated that it is present.
> > 2. The client (kafka writer) could not write to Kafka due to SSLException.
> > 3. I restarted the Kafka broker.
> > 4. The client could write messages.
> >
> >
> > server.properties
> > ----------------------------------------------------------------------------
> >
> > ############################# Server Basics #############################
> >
> > # The id of the broker. This must be set to a unique integer for each broker.
> > broker.id=1
> > auto.create.topics.enable=true
> > delete.topic.enable=true
> >
> > #################### Upgrading from 1.1.0 to 2.2.0 ####################
> > inter.broker.protocol.version=1.1
> > log.message.format.version=1.1
> >
> > ############################# Socket Server Settings #############################
> >
> > listeners=INTERNAL://1.1.1.65:9092,EXTERNAL://10.28.118.172:443,INTERNAL_PLAINTEXT://1.1.1.65:9094
> > advertised.listeners=INTERNAL://1.1.1.65:9092,EXTERNAL://10.28.118.172:443,INTERNAL_PLAINTEXT://1.1.1.65:9094
> > listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL,INTERNAL_PLAINTEXT:PLAINTEXT
> > inter.broker.listener.name=INTERNAL_PLAINTEXT
> >
> > default.replication.factor=1
> > offsets.topic.replication.factor=1
> >
> > # Hostname the broker will bind to. If not set, the server will bind to all interfaces
> > host.name=10.28.118.172
> >
> > # The number of threads handling network requests
> > num.network.threads=12
> >
> > # The number of threads doing disk I/O
> > num.io.threads=12
> >
> > # The send buffer (SO_SNDBUF) used by the socket server
> > socket.send.buffer.bytes=102400
> >
> > # The receive buffer (SO_RCVBUF) used by the socket server
> > socket.receive.buffer.bytes=102400
> >
> > # The maximum size of a request that the socket server will accept (protection against OOM)
> > socket.request.max.bytes=104857600
> >
> > # Max message size is 10 MB
> > message.max.bytes=10000120
> >
> > # Consumer side largest message size is 10 MB
> > fetch.message.max.bytes=10000120
> >
> > # Replica max fetch size is 10MB
> > replica.fetch.max.bytes=10000120
> >
> > # Max request size 10MB
> > max.request.size=10000120
> >
> > ################ SHUTDOWN and REBALANCING #######################
> > # Both of the following properties are enabled by default; they are also set explicitly here
> > controlled.shutdown.enable=true
> > auto.leader.rebalance.enable=true
> > unclean.leader.election.enable=true
> >
> >
> > ######################### Security Settings ##########################
> > ssl.endpoint.identification.algorithm=""
> > ssl.keystore.location=/dir/keystore.jks
> > ssl.keystore.password=pwd
> > ssl.key.password=pwd
> > ssl.truststore.location=/dir/truststore.jks
> > ssl.truststore.password=pwd
> > ssl.keystore.type=JKS
> > ssl.truststore.type=JKS
> > security.protocol=SSL
> > ssl.client.auth=required
> > allow.everyone.if.no.acl.found=false
> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> > # User.ANONYMOUS is included for AMS to be able to program ACL via 9094 port
> > super.users=User:CN=KafkaBroker1;User:ANONYMOUS
> >
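The steps in the quoted post (edit the JKS file in place, then expect the running broker to trust the new CA) miss the trigger: a Kafka 2.2 broker does not watch the truststore file, it reloads SSL material only when the corresponding dynamic broker config is altered through the admin API, and for SSL stores that config has to carry the per-listener prefix `listener.name.<listener>.` with the listener name in lower case. The script below is an added example, not code from this thread or from the Kafka project; it rolls a new CA into a versioned copy of the truststore and pushes it to the running broker with `kafka-configs.sh --bootstrap-server`. The broker id, listener names and paths are modelled on the posted server.properties; the CA file, the `KAFKA_HOME` location and the timestamped truststore name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: roll a new CA into a Kafka 2.2 broker
# truststore and apply it through dynamic broker config (KIP-226 / KAFKA-6810)
# instead of restarting the broker. Paths, passwords, listener names, the
# broker id and the CA file are assumptions modelled on the posted config.
set -eu

# Kafka addresses per-listener SSL settings as listener.name.<name>.<prop>,
# with the listener name lower-cased: INTERNAL -> listener.name.internal.
dyn_key() {
  listener="$1"; prop="$2"
  printf 'listener.name.%s.%s' \
    "$(printf '%s' "$listener" | tr '[:upper:]' '[:lower:]')" "$prop"
}

# Location, password and type go into a single --add-config value so the
# broker validates and swaps the whole truststore for that listener at once.
truststore_add_config() {
  listener="$1"; location="$2"; password="$3"; type="${4:-JKS}"
  printf '%s=%s,%s=%s,%s=%s' \
    "$(dyn_key "$listener" ssl.truststore.location)" "$location" \
    "$(dyn_key "$listener" ssl.truststore.password)" "$password" \
    "$(dyn_key "$listener" ssl.truststore.type)" "$type"
}

# Copy the current truststore to a new, versioned file and add the CA there.
# Using a fresh path (rather than overwriting /dir/truststore.jks) makes the
# change unambiguous and keeps the old store around for rollback.
build_truststore() {
  old="$1"; new="$2"; password="$3"; ca_pem="$4"; alias="$5"
  cp "$old" "$new"
  keytool -importcert -noprompt -keystore "$new" -storepass "$password" \
    -alias "$alias" -file "$ca_pem"
}

main() {
  kc="${KAFKA_HOME:-/opt/kafka}/bin/kafka-configs.sh"   # assumed install path
  bootstrap="1.1.1.65:9094"          # the post's PLAINTEXT admin listener (assumed reachable)
  broker_id=1
  old=/dir/truststore.jks
  new="/dir/truststore-$(date +%Y%m%d%H%M%S).jks"
  pw=pwd                             # placeholder from the post; use a real secret
  ca=/dir/new-client-ca.pem          # assumed: the CA whose clients were failing

  build_truststore "$old" "$new" "$pw" "$ca" "client-ca-2019"

  # The alter request is what makes the broker load the new file. Editing
  # the JKS on disk, as in the quoted steps, is not noticed by itself.
  for listener in INTERNAL EXTERNAL; do   # the two SSL listeners in the post
    "$kc" --bootstrap-server "$bootstrap" \
      --entity-type brokers --entity-name "$broker_id" \
      --alter --add-config "$(truststore_add_config "$listener" "$new" "$pw")"
  done

  # Confirm the dynamic values are now the effective ones for broker 1.
  "$kc" --bootstrap-server "$bootstrap" \
    --entity-type brokers --entity-name "$broker_id" --describe
}

# Only act when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Two caveats when trying this against the posted config. `ssl.truststore.password` is a password config, and dynamic password configs are stored encrypted, so the broker needs `password.encoder.secret` set in server.properties before the alter request is accepted. And an unprefixed `ssl.truststore.location` in the alter request would not target the INTERNAL or EXTERNAL listener; the per-listener prefix is required even though the static file uses the unprefixed names.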