Alright, thanks! I appreciate the feedback. I'll take a look at
shipping the certs in a mapping and see how that performs as well.

On 03/30/2015 03:35 PM, Derek Dagit wrote:
Ah, I see.
SSL client-side authentication does not seem well-suited to platforms such as
Storm where the host names are ephemeral.
You could deploy the certificates to the hosts and set the worker.childopts on
each one as you suggested.
The concerns I was thinking of are more about multi-tenant scenarios:
a) a security issue in sharing the SSL certificates,
b) configuration issues in which the setting could interfere with the operation
of other topologies.
Otherwise, maybe use a wildcard for the hostname, or ship each of the
certificates in a mapping with the topology and have the topology code select
the correct certificate when it needs it.
But it might be a better fit to authenticate the clients a different way.