From c03a3e5ea0075c865036cc106c608fa3beb649a6 Mon Sep 17 00:00:00 2001 From: Mrunali Kulkarni Date: Mon, 16 Mar 2026 20:52:48 +0530 Subject: [PATCH 1/5] STORM-4079: Add SSL setup documentation --- docs/SECURITY.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/docs/SECURITY.md b/docs/SECURITY.md index aacbff7ded4..87b3d3f66db 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md 
@@ -682,3 +682,53 @@ Also, there are several configurations for topology Zookeeper authentication: | storm.zookeeper.topology.auth.payload | A string representing the payload for topology Zookeeper authentication. | Note: If storm.zookeeper.topology.auth.payload isn't set, Storm will generate a ZooKeeper secret payload for MD5-digest with generateZookeeperDigestSecretPayload() method. + + +### SSL Setup for Apache Storm + +Apache Storm supports SSL (Secure Socket Layer) to provide encrypted communication between cluster components such as Nimbus, Supervisors, Workers, and the Storm UI. Enabling SSL helps protect sensitive data transmitted within the Storm cluster. + +#### Step 1: Generate a Keystore + +A keystore stores the server's private key and certificate. Use the Java `keytool` command to generate a keystore. + +keytool -genkeypair -alias storm -keyalg RSA -keysize 2048 -keystore keystore.jks + +This command creates a file named `keystore.jks` which contains the private key and certificate. + +#### Step 2: Export the Certificate + +Export the certificate from the keystore. + +keytool -export -alias storm -file storm.cer -keystore keystore.jks + +This generates a certificate file named `storm.cer`. + +#### Step 3: Create a Truststore + +Import the certificate into a truststore so other components can trust the server certificate. + +keytool -import -alias storm -file storm.cer -keystore truststore.jks + +#### Step 4: Configure storm.yaml + +Add the following configuration properties to the `storm.yaml` file. + +storm.ssl.keystore.path: "/path/to/keystore.jks" +storm.ssl.keystore.password: "your_keystore_password" + +storm.ssl.truststore.path: "/path/to/truststore.jks" +storm.ssl.truststore.password: "your_truststore_password" + +These settings enable SSL communication between Storm components. + +#### Step 5: Enable HTTPS for Storm UI + +To enable secure access to the Storm UI, configure the following properties. 
+ +storm.ui.https.keystore.path: "/path/to/keystore.jks" +storm.ui.https.keystore.password: "your_keystore_password" + +#### Step 6: Restart the Storm Cluster + +After updating the configuration, restart Nimbus and Supervisor services for the SSL configuration to take effect. From 8981b714ee3d5e680a32583fb8e6b10ce882dd0e Mon Sep 17 00:00:00 2001 From: Mrunali Kulkarni Date: Mon, 16 Mar 2026 22:01:58 +0530 Subject: [PATCH 2/5] STORM-3879: Add Kafka monitor README to distribution --- .../src/main/assembly/storm-kafka-monitor.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/storm-dist/binary/storm-kafka-monitor-bin/src/main/assembly/storm-kafka-monitor.xml b/storm-dist/binary/storm-kafka-monitor-bin/src/main/assembly/storm-kafka-monitor.xml index 021b472c87f..bbc8a79383b 100644 --- a/storm-dist/binary/storm-kafka-monitor-bin/src/main/assembly/storm-kafka-monitor.xml +++ b/storm-dist/binary/storm-kafka-monitor-bin/src/main/assembly/storm-kafka-monitor.xml @@ -30,4 +30,12 @@ false + + + + ../../../external/storm-kafka-monitor/README.md + . + + + From c5e0d90dc9ba7762d3c7529f61144e1f864b3cfe Mon Sep 17 00:00:00 2001 From: Mrunali Kulkarni Date: Tue, 17 Mar 2026 18:27:37 +0530 Subject: [PATCH 3/5] STORM-4079: Remove incorrect SSL setup section and keep valid configuration --- docs/SECURITY.md | 52 +++--------------------------------------------- 1 file changed, 3 insertions(+), 49 deletions(-) diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 87b3d3f66db..2a0a7500538 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md 
@@ -128,9 +128,11 @@ UI,DRPC and LOGVIEWER allows users to configure ssl . ### UI +These configurations enable HTTPS for the Storm UI, allowing secure communication between users and the cluster. + For UI users needs to set following config in storm.yaml. Generating keystores with proper keys and certs should be taken care by the user before this step. -1. ui.https.port +1. ui.https.port (Port for HTTPS UI access) 2. ui.https.keystore.type (example "jks") 3. ui.https.keystore.path (example "/etc/ssl/storm_keystore.jks") 4. ui.https.keystore.password (keystore password) 
@@ -684,51 +686,3 @@ Also, there are several configurations for topology Zookeeper authentication: Note: If storm.zookeeper.topology.auth.payload isn't set, Storm will generate a ZooKeeper secret payload for MD5-digest with generateZookeeperDigestSecretPayload() method. -### SSL Setup for Apache Storm - -Apache Storm supports SSL (Secure Socket Layer) to provide encrypted communication between cluster components such as Nimbus, Supervisors, Workers, and the Storm UI. Enabling SSL helps protect sensitive data transmitted within the Storm cluster. - -#### Step 1: Generate a Keystore - -A keystore stores the server's private key and certificate. Use the Java `keytool` command to generate a keystore. - -keytool -genkeypair -alias storm -keyalg RSA -keysize 2048 -keystore keystore.jks - -This command creates a file named `keystore.jks` which contains the private key and certificate. - -#### Step 2: Export the Certificate - -Export the certificate from the keystore. - -keytool -export -alias storm -file storm.cer -keystore keystore.jks - -This generates a certificate file named `storm.cer`. - -#### Step 3: Create a Truststore - -Import the certificate into a truststore so other components can trust the server certificate. - -keytool -import -alias storm -file storm.cer -keystore truststore.jks - -#### Step 4: Configure storm.yaml - -Add the following configuration properties to the `storm.yaml` file. - -storm.ssl.keystore.path: "/path/to/keystore.jks" -storm.ssl.keystore.password: "your_keystore_password" - -storm.ssl.truststore.path: "/path/to/truststore.jks" -storm.ssl.truststore.password: "your_truststore_password" - -These settings enable SSL communication between Storm components. - -#### Step 5: Enable HTTPS for Storm UI - -To enable secure access to the Storm UI, configure the following properties. 
- -storm.ui.https.keystore.path: "/path/to/keystore.jks" -storm.ui.https.keystore.password: "your_keystore_password" - -#### Step 6: Restart the Storm Cluster - -After updating the configuration, restart Nimbus and Supervisor services for the SSL configuration to take effect. From 4ab859acf1a1e96539efd4ec50b5ed8ad8b19da1 Mon Sep 17 00:00:00 2001 From: Mrunali Kulkarni Date: Wed, 18 Mar 2026 08:36:05 +0530 Subject: [PATCH 4/5] Remove incorrect SSL section and update TLS docs --- .../src/main/assembly/storm-kafka-monitor.xml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/storm-dist/binary/storm-kafka-monitor-bin/src/main/assembly/storm-kafka-monitor.xml b/storm-dist/binary/storm-kafka-monitor-bin/src/main/assembly/storm-kafka-monitor.xml index bbc8a79383b..021b472c87f 100644 --- a/storm-dist/binary/storm-kafka-monitor-bin/src/main/assembly/storm-kafka-monitor.xml +++ b/storm-dist/binary/storm-kafka-monitor-bin/src/main/assembly/storm-kafka-monitor.xml @@ -30,12 +30,4 @@ false - - - - ../../../external/storm-kafka-monitor/README.md - . - - - From d69cecf901916cdb20e9683b0cfebb57c8855e75 Mon Sep 17 00:00:00 2001 From: Mrunali Kulkarni Date: Wed, 18 Mar 2026 10:17:58 +0530 Subject: [PATCH 5/5] Improve docs: add overview for TLS configuration --- docs/SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 2a0a7500538..1b9ea8cbbd0 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md 
@@ -195,6 +195,14 @@ If users want to setup 2-way auth Storm now supports mutual TLS (mTLS) for internal Thrift RPC communication among Nimbus, Supervisors, and workers. Unlike one-way TLS, mTLS requires both parties to present and verify each other's certificates. This ensures full two-way certificate authentication and encryption. +### Overview of TLS Configuration + +Storm provides TLS support for securing internal communication between Nimbus, Supervisors, and workers. This is achieved using existing configuration properties for Thrift-based RPC communication and Netty-based messaging. + +The TLS setup requires configuring keystore and truststore paths along with enabling TLS flags for each component. Nimbus and Supervisors use Thrift TLS settings, while workers use Netty TLS settings. + +The following sections provide example configurations for each component. + ### Example TLS Configuration ### 1. Nimbus Settings
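Review bot: in the PATCH 1/5 hunk for docs/SECURITY.md (`@@ -682,3 +682,53 @@`), the configuration keys introduced under Step 4 and Step 5 (`storm.ssl.keystore.path`, `storm.ssl.keystore.password`, `storm.ssl.truststore.path`, `storm.ssl.truststore.password`, `storm.ui.https.keystore.path`, `storm.ui.https.keystore.password`) do not match the keys the same file already documents for the UI (`ui.https.port`, `ui.https.keystore.type`, `ui.https.keystore.path`, `ui.https.keystore.password`), so a reader following the new steps would set properties the existing UI section does not describe; the section should reuse the documented key names or be dropped, which PATCH 3/5 later does. Two smaller points in the same hunk: the `keytool` commands and the `storm.yaml` fragments are inserted as bare lines in a Markdown file with no fenced code block, so they will render as running prose, and `keytool -genkeypair -alias storm -keyalg RSA -keysize 2048 -keystore keystore.jks` is shown without `-dname` or `-validity`, so it prompts interactively and falls back to keytool's default certificate validity instead of producing a reproducible keystore.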
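Review bot: the PATCH 2/5 hunk for storm-kafka-monitor.xml (`@@ -30,4 +30,12 @@`) adds an assembly entry that copies `../../../external/storm-kafka-monitor/README.md` into output directory `.`, and the PATCH 4/5 hunk (`@@ -30,12 +30,4 @@`) deletes exactly those eight lines again, so the pair is a no-op and should be removed from the series. PATCH 2/5 is also tagged STORM-3879 while the rest of the series is STORM-4079, and the PATCH 4/5 subject "Remove incorrect SSL section and update TLS docs" describes docs/SECURITY.md rather than the assembly descriptor that patch actually touches; if the README really belongs in the distribution it should go in a separate PR under its own ticket.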
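Review bot: in the PATCH 3/5 UI hunk (`@@ -128,9 +128,11 @@`), the added sentence "allowing secure communication between users and the cluster" overstates what `ui.https.*` covers: these settings only put the Storm UI web server on HTTPS, and the surrounding context line "UI,DRPC and LOGVIEWER allows users to configure ssl ." already frames it that way, so "between browsers and the Storm UI" would be accurate. The added parenthetical "(Port for HTTPS UI access)" on item 1 is fine; while editing this paragraph, the unchanged context line "For UI users needs to set following config in storm.yaml." could be corrected to "UI users need to set the following config in storm.yaml."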
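Review bot: the second PATCH 3/5 hunk (`@@ -684,51 +686,3 @@`) removes every line that PATCH 1/5 added under "### SSL Setup for Apache Storm", so the net effect of patches 1 and 3 on docs/SECURITY.md is only the two-line UI change; squash the two so the incorrect section never appears in history, and then rewrite the PATCH 3/5 subject, since "keep valid configuration" no longer describes a change once the section it refers to has never existed.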
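Review bot: in the PATCH 5/5 hunk (`@@ -195,6 +195,14 @@`), the new "### Overview of TLS Configuration" section is inserted after the paragraph describing mutual TLS for Thrift RPC and immediately before "### Example TLS Configuration", so the overview arrives after the text has already introduced one-way TLS and mTLS; move it above the mTLS paragraph, or fold it into the opening of "### Example TLS Configuration", so it reads as an introduction rather than a recap. The sentence "enabling TLS flags for each component" also names no property, even though the same paragraph says the setup uses "existing configuration properties for Thrift-based RPC communication and Netty-based messaging"; naming the Thrift and Netty TLS properties here, or pointing to the numbered settings sections that follow ("### 1. Nimbus Settings" and onward), would make the overview useful on its own.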