purushah commented on PR #3678: URL: https://github.com/apache/storm/pull/3678#issuecomment-2305946573
Pushing the final patch. We have been running this on our cluster for the last two years. I have tested the patch with the following settings. SSL certs are attached.

```yaml
nimbus.thrift.tls.port: 6067
nimbus.thrift.client.use.tls: true
nimbus.thrift.tls.transport: org.apache.storm.security.auth.tls.TlsTransportPlugin
nimbus.thrift.access.log.enabled: true
nimbus.thrift.tls.server.keystore.path: ~/tmp/ssl/server.keystore.jks
nimbus.thrift.tls.server.keystore.password: password
nimbus.thrift.tls.server.truststore.path: ~/tmp/ssl/server.truststore.jks
nimbus.thrift.tls.server.truststore.password: password
nimbus.thrift.tls.server.only: true
x509.cert.principal.to.local.regex: "([a-z_]+).*"
storm.principal.tolocal: org.apache.storm.security.auth.X509CertPrincipalToLocal
nimbus.thrift.tls.client.keystore.path: ~/tmp/ssl/client.keystore.jks
nimbus.thrift.tls.client.keystore.password: password
nimbus.thrift.tls.client.truststore.path: ~/tmp/ssl/client.truststore.jks
nimbus.thrift.tls.client.truststore.password: password
nimbus.thrift.client.use.tls: true
nimbus.seeds: [<ip-address>]
supervisor.thrift.tls.server.keystore.path: ~/tmp/ssl/server.keystore.jks
supervisor.thrift.tls.server.keystore.password: password
supervisor.thrift.tls.server.truststore.path: ~/tmp/ssl/server.truststore.jks
supervisor.thrift.tls.server.truststore.password: password
supervisor.thrift.tls.client.keystore.path: ~/tmp/ssl/client.keystore.jks
supervisor.thrift.tls.client.keystore.password: password
supervisor.thrift.tls.client.truststore.path: ~/tmp/ssl/client.truststore.jks
supervisor.thrift.tls.client.truststore.password: password
supervisor.thrift.client.use.tls: true
supervisor.thrift.transport: org.apache.storm.security.auth.tls.TlsTransportPlugin
storm.messaging.netty.tls.enable: true
storm.messaging.netty.tls.require.open.ssl: true
storm.messaging.netty.tls.keystore.path: ~/tmp/ssl/server.keystore.jks
storm.messaging.netty.tls.keystore.password: password
storm.messaging.netty.tls.truststore.path: ~/tmp/ssl/server.truststore.jks
storm.messaging.netty.tls.truststore.password: password
storm.messaging.netty.tls.client.keystore.path: ~/tmp/ssl/client.keystore.jks
storm.messaging.netty.tls.client.keystore.password: password
storm.messaging.netty.tls.client.truststore.path: ~/tmp/ssl/client.truststore.jks
storm.messaging.netty.tls.client.truststore.password: password
```

[ssl.zip](https://github.com/user-attachments/files/16720289/ssl.zip)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@storm.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
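The settings above are test values (keystores under `~/tmp/ssl/`, every password set to `password`, and `nimbus.thrift.client.use.tls` listed twice). Before such a file reaches a real cluster, an operator would want a quick consistency pass over it. The following is an added example written for this page, not code from the PR or from Apache Storm; it parses the flat `key: value` form used in the comment with a small line parser (so it needs no YAML library), and the rule that each TLS enable flag must be accompanied by its transport/keystore/truststore keys is an assumption made for illustration, not a statement of how Storm validates its configuration. The sample configuration embedded in the block is constructed to resemble the one in the comment.

```python
"""Consistency audit for a flat Storm TLS configuration.

Added example for this page; not Storm's own validation logic. The coupling
rules in REQUIRED_WHEN_ENABLED are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the PR comment: temporary paths, placeholder
# passwords, one duplicated key and a netty section with no truststore.
SAMPLE_CONFIG = """\
nimbus.thrift.tls.port: 6067
nimbus.thrift.client.use.tls: true
nimbus.thrift.tls.transport: org.apache.storm.security.auth.tls.TlsTransportPlugin
nimbus.thrift.tls.server.keystore.path: ~/tmp/ssl/server.keystore.jks
nimbus.thrift.tls.server.keystore.password: password
nimbus.thrift.tls.server.truststore.path: ~/tmp/ssl/server.truststore.jks
nimbus.thrift.tls.server.truststore.password: password
nimbus.thrift.tls.server.only: true
nimbus.thrift.client.use.tls: true
storm.messaging.netty.tls.enable: true
storm.messaging.netty.tls.require.open.ssl: true
storm.messaging.netty.tls.keystore.path: ~/tmp/ssl/server.keystore.jks
storm.messaging.netty.tls.keystore.password: password
"""

# Passwords that only ever belong in a test setup.
WEAK_PASSWORDS = {"password", "changeit", "storm", ""}

# ASSUMED rules: when the enable flag on the left is true, the keys on the
# right are expected to be present. Key names are taken from the PR comment.
REQUIRED_WHEN_ENABLED = {
    "nimbus.thrift.client.use.tls": [
        "nimbus.thrift.tls.transport",
        "nimbus.thrift.tls.server.keystore.path",
        "nimbus.thrift.tls.server.truststore.path",
    ],
    "supervisor.thrift.client.use.tls": [
        "supervisor.thrift.transport",
        "supervisor.thrift.tls.server.keystore.path",
        "supervisor.thrift.tls.server.truststore.path",
    ],
    "storm.messaging.netty.tls.enable": [
        "storm.messaging.netty.tls.keystore.path",
        "storm.messaging.netty.tls.truststore.path",
    ],
}

LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse `key: value` lines. Returns (mapping, keys seen more than once).

    The last occurrence of a duplicated key wins, which is what a YAML loader
    would silently do as well; the duplicate list makes that visible.
    """
    config: Dict[str, str] = {}
    duplicates: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("\"'")
        if key in config and key not in duplicates:
            duplicates.append(key)
        config[key] = value
    return config, duplicates


def is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def check_tls_config(config: Dict[str, str], duplicates: List[str]) -> List[str]:
    """Return one finding string per problem; an empty list means clean."""
    findings: List[str] = []
    for key in duplicates:
        findings.append(f"DUPLICATE {key}: defined more than once, last value '{config[key]}' wins")
    for flag, required in REQUIRED_WHEN_ENABLED.items():
        if is_true(config.get(flag, "false")):
            for req in required:
                if req not in config:
                    findings.append(f"MISSING {req}: required because {flag} is true")
    for key, value in config.items():
        if key.endswith(".password") and value.lower() in WEAK_PASSWORDS:
            findings.append(f"WEAK {key}: placeholder password '{value}'")
        if key.endswith(".path") and "/tmp/" in value:
            findings.append(f"TEMPPATH {key}: store lives under a temporary directory ({value})")
    return findings


def audit(text: str) -> List[str]:
    config, duplicates = parse_flat_config(text)
    return check_tls_config(config, duplicates)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running the block against the embedded sample reports the duplicated `nimbus.thrift.client.use.tls`, the missing netty truststore, three placeholder passwords and three stores under `/tmp/`. Pointing `audit()` at a production `storm.yaml` is a cheap gate to run before the file is deployed; a real deployment would also keep the store passwords out of the YAML file altogether.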