Provide option to specify trust store path for internode SSL

Hi,

This is being suggested due to possible maintenance overhead with the current internode SSL function.

Currently ROR uses the system’s default truststore for validating the internode SSL functionality for trusted connections. This needs the certificate to be added to the system’s default truststore location. However, on Windows the truststore is linked to the installed path - %JAVA_HOME%/lib/security/cacerts. So let's say the users are using a JRE and have scheduled upgrades: the activity to add the certificate to the truststore will need to be repeated, as the new installation will happen in a new path (version-specific path). This looks like an unnecessary overhead.

In order to avoid this additional step, ROR should provide an option to specify the path of the truststore instead of trying to use the system default. This will be similar to the keystore file path/alias/password option. Only if these are not available should ROR default to the system default truststore.

On an additional note, for folks migrating from Searchguard SSL to ROR, this feature was already available. Even Elasticsearch’s native security via X-Pack provides a similar option to set the truststore path. So it would be good to have this version available in ROR as well.

Thanks
askids

Great point @askids we can definitely add this. Will add to Jira and update this later when done.

This is currently in progress, soon to be delivered. Targeting 1.19.0.

That’s great. Thanks for the update.

@sscarduzio looks like this feature is now available. I see a “Custom Truststore” section added in the documentation, but it is not updated in the published features in the download link. Which version will have this?

@coutoPL maybe you forgot to add it to the changelog for 1.19.0? Or is it going to be in 1.19.1?

It was done in RORDEV-171. Done in the current sprint. Will be released with ROR 1.19.1.

ROR 1.19.1 is released

Thanks for the update. However, there seems to be an issue on the downloads page. Selecting either ROR for ES or ROR for Kibana, both are sending an email with a download link to ROR for ES. I tried it for different versions and all seem to have the same issue. Can you please check?

I fixed this yesterday, can you try again?

It's working now. The email has the proper link.
