Ah, I see.
SSL client-side authentication does not seem well-suited to platforms such as Storm where the host names are ephemeral. You could deploy the certificates to the hosts and set the worker.childopts on each one as you suggested. The concerns I was thinking of are more about multi-tenant scenarios: a) a security issue in sharing the SSL certificates, b) configuration issues in which the setting could interfere with the operation of other topologies.

Otherwise, maybe use a wildcard for the hostname, or ship each of the certificates in a mapping with the topology and have the topology code select the correct certificate when it needs it. But it might be a better fit to authenticate the clients a different way.

-- Derek

----- Original Message -----
From: Ben Gould <[email protected]>
To: [email protected]
Cc:
Sent: Monday, March 30, 2015 2:01 PM
Subject: Re: SSL Context

They're actually occasionally reaching out to grab remote resources hosted over https based upon the incoming tuple. The remote resource they are reaching out to requires client authentication as well, so the certificate has to be signed by a specific CA. Currently I'm just using a set of self-signed certs and a self-signed common root CA.

-- Ben Gould
iNovex Information Systems, Inc
7240 Parkway Drive, Suite 140
Hanover, MD 21076
(410)292-1332
http://inovexcorp.com
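The following is an added example, not code from this thread or from the Storm project, of the last option Derek describes: shipping the client certificate with the topology and having the topology code select it when it needs it. Instead of pointing the whole worker JVM at one keystore through javax.net.ssl.keyStore in worker.childopts, the bolt builds its own SSLContext from a PKCS12 keystore (the client cert signed by the CA the remote endpoint requires) and a truststore holding only the self-signed root CA, and attaches that context to each HttpsURLConnection. The config keys (fetch.ssl.*), the tuple field name "url" and the use of the pre-1.0 backtype.storm package names are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Map;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import backtype.storm.task.TopologyContext;
import backtype.storm.topology.BasicOutputCollector;
import backtype.storm.topology.FailedException;
import backtype.storm.topology.OutputFieldsDeclarer;
import backtype.storm.topology.base.BaseBasicBolt;
import backtype.storm.tuple.Fields;
import backtype.storm.tuple.Tuple;
import backtype.storm.tuple.Values;

/**
 * Fetches an HTTPS resource named by the incoming tuple, presenting a client
 * certificate that is configured per topology rather than per worker host.
 * Added example; the config key names below are assumed, not Storm's own.
 */
public class ClientCertFetchBolt extends BaseBasicBolt {
    public static final String KEYSTORE_PATH = "fetch.ssl.keystore.path";
    public static final String KEYSTORE_PASS = "fetch.ssl.keystore.password";
    public static final String TRUSTSTORE_PATH = "fetch.ssl.truststore.path";
    public static final String TRUSTSTORE_PASS = "fetch.ssl.truststore.password";

    // SSLContext is not Serializable, so it is built in prepare() on the worker.
    private transient SSLContext sslContext;

    @Override
    public void prepare(Map stormConf, TopologyContext context) {
        try {
            sslContext = buildContext(
                    (String) stormConf.get(KEYSTORE_PATH), (String) stormConf.get(KEYSTORE_PASS),
                    (String) stormConf.get(TRUSTSTORE_PATH), (String) stormConf.get(TRUSTSTORE_PASS));
        } catch (GeneralSecurityException | IOException e) {
            throw new RuntimeException("cannot build per-topology SSLContext", e);
        }
    }

    /** Builds an SSLContext from explicit stores; never touches javax.net.ssl.* system properties. */
    static SSLContext buildContext(String ksPath, String ksPass, String tsPath, String tsPass)
            throws GeneralSecurityException, IOException {
        // Client identity: key + certificate chain signed by the CA the remote endpoint expects.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(ksPath, ksPass), ksPass.toCharArray());

        // Trust anchor: only the self-signed root CA, not the JVM's default cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(tsPath, tsPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore loadStore(String path, String password)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password.toCharArray());
        }
        return store;
    }

    @Override
    public void execute(Tuple input, BasicOutputCollector collector) {
        String target = input.getStringByField("url");
        try {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
            // Per-connection socket factory: no HttpsURLConnection.setDefaultSSLSocketFactory,
            // so nothing process-wide is changed and worker.childopts stays certificate-free.
            conn.setSSLSocketFactory(sslContext.getSocketFactory());
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(10000);
            int status = conn.getResponseCode();
            collector.emit(new Values(target, status));
        } catch (IOException e) {
            // Includes TLS handshake failures (wrong CA, rejected client cert); fail the tuple for replay.
            throw new FailedException("fetch of " + target + " failed", e);
        }
    }

    @Override
    public void declareOutputFields(OutputFieldsDeclarer declarer) {
        declarer.declare(new Fields("url", "status"));
    }
}
```

The keystore and truststore files still have to reach the worker (for example packaged in the topology jar and extracted to a path the bolt knows, or deployed out of band), and the passwords live in the topology configuration, which anyone who can read that configuration can see, so the config and the store files need the same protection as the certificates themselves. What this buys is the isolation Derek's concern (b) is about: one topology's client certificate is selected by that topology's own code and config, with no cluster-wide JVM option that other topologies on the same hosts would inherit.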
