security, ssl, apache-kafka

Did Kafka reread a new Truststore/Keystore?


When changing the Apache Kafka server's trust- or keystore (located at ssl.keystore.location and ssl.truststore.location), how can I observe that the running Kafka broker is using the new stores/certs?

Does Kafka reread the stores on each new connection? Any links to source files?


Solution

  • After reconfiguration of the trust- or keystore you see these messages in your broker logs.

    INFO Created new CLIENT SSL engine builder with keystore ...
    INFO Created new SSL SSL engine builder with keystore ...
    

    see the broker source code

    The messages will only appear if the content of the trust- or keystore has changed.

    A reload can be triggered using the "dynamic configuration update feature" (KIP-226) via the Kafka Admin API.

    # Trigger Example
    kafka-configs.sh --command-config /commando.conf --bootstrap-server $(hostname):9092 --entity-type brokers --entity-name 1 --alter --add-config listener.name.internal.ssl.keystore.type=JKS
    

    The "new" value (here JKS) can be the same as the old one, so the configuration does not actually change. It just triggers the code path for SSL reconfiguration for both keystore and truststore.

    Remember to call the trigger for each broker (--entity-name).
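The trigger-and-verify loop described in this answer, as an added example that is not part of the original post: it builds the KIP-226 trigger command for a broker, runs it, and counts the "Created new ... SSL engine builder" lines written to that broker's log since the trigger. It assumes kafka-configs.sh is on PATH, the admin client config is /commando.conf (from the answer), and the log file path you pass in is the log of the broker you triggered (e.g. /var/log/kafka/server.log, an assumed path).

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer or from Apache Kafka.

# Build the KIP-226 trigger command for one broker. The keystore type is re-set to
# its current value (JKS), so nothing changes; the alter only runs the SSL
# reconfiguration path, which re-reads keystore and truststore from disk.
build_trigger_cmd() {
  local broker_id=$1 bootstrap=$2 listener=${3:-internal}
  printf '%s' "kafka-configs.sh --command-config /commando.conf" \
    " --bootstrap-server $bootstrap --entity-type brokers --entity-name $broker_id" \
    " --alter --add-config listener.name.$listener.ssl.keystore.type=JKS"
}

# Count the "Created new ... SSL engine builder" lines that appear after line $skip
# of the broker log (an offset recorded before the trigger). Zero lines after a
# trigger means the broker saw no change in store content, i.e. the new files were
# not picked up or are identical to the old ones.
reload_lines_since() {
  local logfile=$1 skip=$2
  tail -n +"$((skip + 1))" "$logfile" \
    | grep -c 'Created new .* SSL engine builder with keystore' || true
}

# Trigger the reload on one broker and report what its log shows afterwards.
# Run this once per broker id (the answer's --entity-name); the log file must be
# the one written by that broker, so remote brokers need their own log checked.
trigger_and_check() {
  local broker_id=$1 bootstrap=$2 logfile=$3 before
  before=$(wc -l < "$logfile")
  eval "$(build_trigger_cmd "$broker_id" "$bootstrap")" || return 1
  sleep 2   # give the broker a moment to rebuild the engine builders and log it
  echo "broker $broker_id: $(reload_lines_since "$logfile" "$before") SSL engine builder line(s) logged"
}

# Offline demonstration on a constructed log excerpt (no broker needed). The two
# builder lines follow the format quoted in the answer; the timestamps are made up.
demo() {
  local log; log=$(mktemp)
  printf '%s\n' \
    '[2024-05-01 10:00:00,000] INFO [KafkaServer id=1] started (kafka.server.KafkaServer)' \
    '[2024-05-01 10:05:00,000] INFO Created new CLIENT SSL engine builder with keystore SecurityStore(path=/etc/kafka/ks.jks)' \
    '[2024-05-01 10:05:00,001] INFO Created new SERVER SSL engine builder with keystore SecurityStore(path=/etc/kafka/ks.jks)' \
    > "$log"
  reload_lines_since "$log" 1   # lines written after the startup line -> 2
  rm -f "$log"
}
```

Use trigger_and_check against a live broker, for example `trigger_and_check 1 "$(hostname):9092" /var/log/kafka/server.log`; a result of 0 after replacing the store files means the broker did not detect a content change.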