In the current implementation all Hops superusers share the same X.509 certificate when they make an RPC request. This is problematic as we can't identify users by their certificate's CN.
The proposal is that each login user will have a separate X.509 certificate, signed by the Hops CA, and its own private key. The cryptographic material will reside in a well-known directory and will have the form:
Depending on the login name, HopsSSLSocketFactory would read the appropriate keystores instead of reading ssl-server.xml.
This also requires changes in the Chef cookbooks to generate per-user certificates.
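
Once every user has their own certificate, the receiving side can bind the user named in an RPC request to the CN of the peer certificate. The sketch below is an added example, not Hops code: the class and method names are hypothetical and the subject names, including `O=Hops`, are constructed. It parses the subject DN instead of splitting the string and fails closed on ambiguous subjects.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class CertificateUserCheck {

    // Returns the single CN of a certificate subject; rejects ambiguous subjects.
    static String commonName(X500Principal subject) throws InvalidNameException {
        // Parse the DN properly: splitting on ',' would misread an escaped
        // separator inside a value such as "CN=alice\,CN=admin".
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.size() > 1) {
                throw new InvalidNameException("multi-valued RDN not accepted: " + rdn);
            }
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        if (cns.size() != 1) {
            throw new InvalidNameException("expected exactly one CN, found " + cns.size());
        }
        return cns.get(0);
    }

    // True only when the user named in the RPC request is the certificate's CN.
    static boolean callerMatches(X500Principal subject, String rpcUser) {
        try {
            return rpcUser != null && rpcUser.equals(commonName(subject));
        } catch (InvalidNameException e) {
            return false; // fail closed on any subject we cannot parse unambiguously
        }
    }

    public static void main(String[] args) {
        // Constructed subjects; a server would take the subject from the peer
        // certificate (X509Certificate.getSubjectX500Principal()) only after the
        // chain has been validated against the CA.
        X500Principal alice = new X500Principal("CN=alice,O=Hops");
        X500Principal escaped = new X500Principal("CN=alice\\,CN=admin,O=Hops");
        X500Principal twoCns = new X500Principal("CN=alice,CN=admin,O=Hops");
        System.out.println(callerMatches(alice, "alice"));
        System.out.println(callerMatches(alice, "admin"));
        System.out.println(callerMatches(escaped, "admin"));
        System.out.println(callerMatches(twoCns, "alice"));
    }
}
```

Only the first call matches; the escaped-comma and two-CN subjects are rejected instead of being resolved to whichever CN happens to be read first.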