To enable the SSL layer within Storm Streaming Server, a JKS keystore file and its password must be provided in the server configuration:
<Certificate>
<path>/etc/ssl/private/mydomain.jks</path>
<password>mypassword</password>
</Certificate>
In order to create a JKS (Java KeyStore), we'll need to go through several steps. First of all, the keytool utility is required; it ships with the Java JRE, so please install that first. You can check out our tutorial on how to do this here.
We'll start by generating a key pair in a new keystore file (named keystore.jks):
keytool -genkey -keystore keystore.jks -alias ssl -keyalg RSA -sigalg SHA256withRSA -validity 365 -keysize 2048
Once you press Enter, you'll be asked for a keystore password and some basic information such as organization, country and state code.
The next step is to create a Certificate Signing Request (CSR) from the keystore we just created and share it with a Certificate Authority (CA), which signs it and issues the primary/server certificate.
keytool -certreq -alias ssl -keystore keystore.jks -file yourcertfile.csr
You'll need to provide the alias name and the password chosen when the keystore was created in order to export the certificate request. Submit the generated CSR to any publicly trusted CA.
Once the CA has signed the certificate and returned it to us, we need to import it into the keystore under the private key entry we created (the same alias). Note that keytool rejects the reply with "Failed to establish chain from reply" if it cannot link the certificate to a trusted CA; in that case import the intermediate certificate (next step) first and then repeat this import.
keytool -import -alias ssl -keystore keystore.jks -file yourcertfile.crt
Finally, import the Intermediate CA certificate into the existing Java keystore:
keytool -import -trustcacerts -alias root -file cacertificate.cer -keystore keystore.jks
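Before pointing the <Certificate> block at the file, it is worth checking that the keystore really contains what the steps above should have produced: the password verifies and the "ssl" alias is a private key whose chain already carries the intermediate CA. The following parser is an added example (not part of Storm Streaming Server or the JDK) that reads the legacy version-2 JKS layout with only the standard library; the alias "ssl" and the password "mypassword" are taken from the commands and configuration above, and build_jks writes constructed placeholder stores so the check can be exercised offline.

```python
import hashlib, io, struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the integrity digest

def _digest(password, body):
    # Trailing SHA-1 exactly as the JDK computes it: UTF-16BE password + salt + body
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def _read(f, fmt):
    # Java length-prefixed field: ">H" for writeUTF strings, ">I" for byte arrays
    return f.read(struct.unpack(fmt, f.read(struct.calcsize(fmt)))[0])

def inspect_jks(data, password):
    """Return (entries, integrity_ok); entries maps alias -> (kind, chain length)."""
    f, stored = io.BytesIO(data[:-20]), data[-20:]
    magic, version, count = struct.unpack(">III", f.read(12))
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS file (a PKCS12 store has no such header)")
    entries = {}
    for _ in range(count):
        tag, alias = struct.unpack(">I", f.read(4))[0], _read(f, ">H").decode("utf-8")
        if tag not in (1, 2):  # 1 = PrivateKeyEntry, 2 = trustedCertEntry
            raise ValueError("unknown entry tag %d" % tag)
        f.read(8)  # creation timestamp, not needed here
        if tag == 1:  # PrivateKeyEntry: encrypted key (no password needed to skip it), then chain
            _read(f, ">I")
        chain_len = struct.unpack(">I", f.read(4))[0] if tag == 1 else 1
        for _ in range(chain_len):
            _read(f, ">H"), _read(f, ">I")  # certificate type ("X.509"), then its DER bytes
        entries[alias] = ("PrivateKeyEntry" if tag == 1 else "trustedCertEntry", chain_len)
    return entries, _digest(password, data[:-20]) == stored

def storm_keystore_ready(data, password, alias="ssl"):
    """True when <password> verifies and `alias` is a private key whose chain carries the CA."""
    entries, ok = inspect_jks(data, password)
    kind, chain_len = entries.get(alias, (None, 0))
    return ok and kind == "PrivateKeyEntry" and chain_len >= 2

def build_jks(password, entries):
    # Constructed version-2 JKS with placeholder (non-DER) certificate bytes, for offline tests
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    blob = lambda b: struct.pack(">I", len(b)) + b
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, (kind, certs) in entries.items():
        out += struct.pack(">I", 1 if kind == "PrivateKeyEntry" else 2) + utf(alias) + bytes(8)
        if kind == "PrivateKeyEntry":
            out += blob(b"<encrypted-key>") + struct.pack(">I", len(certs))
        out += b"".join(utf("X.509") + blob(c) for c in certs)
    return out + _digest(password, out)
```

Newer JDKs write PKCS12 by default even when the file is named .jks, so pass -storetype JKS to keytool if you need the legacy format this parser reads; keytool -list -v prints the store type if you are unsure which one you have.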
For production workloads, we highly advise using Nginx SSL passthrough instead of the internal Java SSL layer. You can check it out here.