[ https://issues.apache.org/jira/browse/ACCUMULO-1009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13772036#comment-13772036 ]
Michael Berman commented on ACCUMULO-1009:
------------------------------------------

I'll start versioning my patches.

I wasn't thinking CertUtils would be the final interface to cert provisioning; I just provided that for our MAC testing and to bootstrap other developers trying out my patch. As it is, it doesn't really do anything that keytool doesn't do, but my intention is that there would be another layer of tool on top of it that helps with the cluster management aspects. So, you run {{accumulo init-ssl}} for the first time on one machine, and it generates all the certs, and sticks the root on HDFS somewhere. Then, if you run init-ssl on another node, it copies the root to the local system, cuts a fresh private key off of it, and sticks both in the default locations. The instance secret is also used as the keystore password, and the location in hdfs for the keystore is well known given an instance name, so there doesn't need to be any human intervention to cut new private keys for each new node, apart from running the script, assuming you're using all the defaults. Of course, all of this would be optional; you can always stick in arbitrary keys from arbitrary sources.

WRT MAC, not only do I feel comfortable supporting it, I think it's super valuable for others to be able to test their own apps against SSL-enabled accumulo.

I'm fine getting rid of the sslEnabled constructors.

I think the proxy needs to support SSL on both sides. A subticket definitely makes sense to me.

> Support encryption over the wire
> --------------------------------
>
> Key: ACCUMULO-1009
> URL: https://issues.apache.org/jira/browse/ACCUMULO-1009
> Project: Accumulo
> Issue Type: New Feature
> Reporter: Keith Turner
> Assignee: Michael Berman
> Fix For: 1.6.0
>
> Attachments: ACCUMULO-1009_thriftSsl.patch
>
>
> Need to support encryption between ACCUMULO clients and servers. Also need
> to encrypt communications between server and servers.
> Basically need to make it possible for users to enable SSL+thrift.