SSL Configuration - Storm Streaming Server

To enable the SSL layer within Storm Streaming Server, a valid JKS file and the password that protects it must be provided in the server configuration:

                                
<Certificate>
    <path>/etc/ssl/private/mydomain.jks</path>
    <password>mypassword</password>
</Certificate>
                            

Creating JKS file

In order to create a JKS (Java KeyStore) file, we'll need to go through several steps. First of all, the keytool utility is required. To obtain it, please install a Java JRE first. You can check out our tutorial on how to do this here.

We’ll start with preparing a keystore file (named keystore.jks):

                                
keytool -genkey -keystore keystore.jks -alias ssl -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 2048
                            

Once you hit enter, you'll be asked to provide some basic information: the keystore password, your name and organization, country, state code etc.

The next step is to create a Certificate Signing Request (CSR) from the created keystore to share with the Certificate Authority (CA) to sign and generate the primary/server certificate.

                                
keytool -certreq -alias ssl -keystore keystore.jks -file yourcertfile.csr
                            

We need to provide the same alias name and password that we used when creating the keystore in order to extract the certificate request. Submit the generated CSR to any publicly trusted Certificate Authority.

Once the CA has signed the certificate and returned it to us, we need to import that certificate into the keystore under the private key entry (alias ssl) we created:

                                
keytool -import -alias ssl -keystore keystore.jks -file yourcertfile.crt  
                            

Finally, we'll have to import the CA's intermediate certificate into the same Java KeyStore:

                                
keytool -import -trustcacerts -alias root -file cacertificate.cer -keystore keystore.jks
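The keytool steps above, collected into one non-interactive script. This is an added example and not part of the Storm Streaming Server documentation. Because no real CA is reachable offline, it stands in a throwaway OpenSSL test CA for the Certificate Authority; with a public CA you would submit server.csr and drop the returned server.crt and intermediate certificate in place of the files the test CA writes. The script imports the CA certificate before the signed server certificate, because keytool rejects a certificate reply for a key entry when it cannot build the chain from certificates already trusted in the keystore (or in the JRE's cacerts). The working directory, the alias ssl, the file names, the password and the certificate subjects are this example's own assumptions. The finished keystore is left readable by its owner only, since it holds the private key, and a final check confirms that the ssl entry is a PrivateKeyEntry with a two-certificate chain.

```shell
#!/bin/sh
# Added example (not Storm Streaming Server's own code): build a JKS keystore for the
# <Certificate> block non-interactively. A local OpenSSL test CA replaces the real CA.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"                 # assumed; override with WORKDIR=...
KEYSTORE="$WORKDIR/keystore.jks"
STOREPASS="${STOREPASS:-changeit-example}"          # constructed password for the demo
DNAME="CN=stream.example.test, O=Example Org, C=US" # constructed subject, not a real host

# Step 1: keystore with an RSA key pair under alias "ssl". -genkeypair is the current
# name of -genkey; -dname and -keypass replace the interactive prompts.
gen_keystore() {
    rm -f "$KEYSTORE"   # keep the function repeatable: a second run would hit "alias exists"
    keytool -genkeypair -storetype JKS -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias ssl -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 2048 \
        -dname "$DNAME" >/dev/null
}

# Step 2: Certificate Signing Request to hand to the CA.
gen_csr() {
    keytool -certreq -alias ssl -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -file "$WORKDIR/server.csr"
}

# Stand-in for the CA: a self-signed test root that signs the CSR. A real CA returns
# server.crt together with its intermediate certificate instead of writing ca.cer.
fake_ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Test CA/O=Example Org/C=US" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.cer" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.cer" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 -sha256 \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Steps 3 and 4, CA certificate first: keytool only installs a certificate reply for
# a key entry when it can chain it to a certificate it already trusts.
import_chain() {
    keytool -importcert -trustcacerts -noprompt -alias root -file "$WORKDIR/ca.cer" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null
    keytool -importcert -alias ssl -file "$WORKDIR/server.crt" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null
    chmod 600 "$KEYSTORE"   # the store contains the private key: owner-only access
}

# Check: prints the chain length of the "ssl" entry (2 here: server cert + test CA).
# LC_ALL=C keeps keytool's output in English so the sed pattern matches.
chain_length() {
    LC_ALL=C keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias ssl \
        | sed -n 's/^Certificate chain length: //p'
}

build_keystore() {
    gen_keystore && gen_csr && fake_ca_sign && import_chain
}

main() {
    build_keystore
    echo "keystore: $KEYSTORE"
    echo "chain length for alias ssl: $(chain_length)"
}

# Only runs when explicitly asked, so the file can also be sourced for its functions.
if [ "${STORM_KEYSTORE_DEMO:-0}" = "1" ]; then
    main
fi
```

Run it with `STORM_KEYSTORE_DEMO=1 sh storm_keystore.sh` (assumed file name), then point `<path>` in the Storm configuration at the resulting keystore.jks and put the same password in `<password>`. With a real CA, import its intermediate certificate in place of ca.cer and the intermediate will appear in the chain as well; the configuration file holds the keystore password in clear text, so restrict its permissions the same way as the keystore.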

Nginx passthrough

For production workloads, we strongly advise using Nginx SSL passthrough instead of the internal Java SSL layer. You can check it out here.