
Mutual Authentication (Two-Way TLS/SSL) with cloud-residing KeyStores and TrustStores (Secret Manager) - Spring Boot


I'm working on mutual authentication in Spring Boot; I could implement it locally and it's running smoothly.
But I want to get the certificates/stores from the Amazon/Google certificate manager, or maybe from an S3 bucket.

Previous configuration
As I have the stores locally, this is how I get them:

#ApplicationProperties.yaml
server.ssl.enabled=true
#KeyStore
server.ssl.key-alias=1
server.ssl.key-store=classpath:clientKeystore.p12
server.ssl.key-store-password=whatever

#TrustStore
server.ssl.trust-store=classpath:clientTrustStore.p12
server.ssl.trust-store-password=possiblyAnything
server.ssl.client-auth=need

RestTemplate configuration

import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.Resource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

   @Value("${server.ssl.trust-store}")
   private Resource trustStoreResource;   // Spring resolves "classpath:..." into a Resource
   @Value("${server.ssl.trust-store-password}")
   private String trustStorePass;
   @Value("${server.ssl.key-store}")
   private Resource keyStoreResource;
   @Value("${server.ssl.key-store-password}")
   private String keyStorePass;
   @Value("${server.ssl.key-alias}")
   private String keyAlias;

@Bean
public RestTemplate restTemplate() throws Exception {
    KeyStore keyStore = KeyStore.getInstance("PKCS12");   // same PKCS#12 stores the server side uses
    try (InputStream in = keyStoreResource.getInputStream()) {
        keyStore.load(in, keyStorePass.toCharArray());
    }
    KeyStore trustStore = KeyStore.getInstance("PKCS12");
    try (InputStream in = trustStoreResource.getInputStream()) {
        trustStore.load(in, trustStorePass.toCharArray());
    }
    // Build the context before creating the socket factory (it must not be null)
    SSLContext sslContext = new SSLContextBuilder()
            .loadKeyMaterial(keyStore, keyStorePass.toCharArray(), (aliases, socket) -> keyAlias) // client cert to present
            .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy()) // also accepts self-signed server certs
            .build();
    SSLConnectionSocketFactory sslSocketFactory =
            new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE); // NoopHostnameVerifier disables hostname checking
    HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslSocketFactory).build();
    HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
    return new RestTemplate(requestFactory);
}

Now the same truststores and keystores are in the cloud, and I want to fetch them at application load/start time.


I'm really confused why we are using the stores both in the config (application.properties) and in the sslContext. What's the difference?
Can't I just set them in the sslContext alone? If I can do that, I can just fetch them from the cloud, turn them into a keystore and truststore, and set them right away.
*Is there a better working approach?*
Pardon if this looks lame, I'm new to security so I'm still figuring out how things work.

**Also one more question**
  • In a typical client-server setting (multiple servers), what if I want to communicate with server1 over mutual TLS and with server2 over HTTP (without SSL)?

It could happen that your application has to trust certificates that are used by other applications you are communicating with, and that are managed by the same company. In this case you can create a truststore locally and use it. You don't need certificates signed by a company like those generally used for websites.

You don't need to set the keystore/truststore in both places. My preferred way to set the keystore and truststore:

import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
public class SSLConfig {
    @Autowired private Environment env;

    @PostConstruct
    private void configureSSL() {
        // Point the JVM-wide default SSLContext (used by outbound connections) at the same stores
        // the server side is configured with; these properties expect filesystem paths
        System.setProperty("javax.net.ssl.keyStore", env.getProperty("server.ssl.key-store"));
        System.setProperty("javax.net.ssl.keyStorePassword", env.getProperty("server.ssl.key-store-password"));
        System.setProperty("javax.net.ssl.trustStore", env.getProperty("server.ssl.trust-store"));
        System.setProperty("javax.net.ssl.trustStorePassword", env.getProperty("server.ssl.trust-store-password"));
    }
}

In application.properties:

server.ssl.key-store=keystores/client.jks
server.ssl.key-store-password=changeit
server.ssl.trust-store=keystores/mycustom.truststore
server.ssl.trust-store-password=changeit

The difference is between upstream and downstream configuration.

application.properties:

When you use application.properties with server.ssl.* you are actually configuring your server side. I.e. you are making server.port accept HTTPS traffic with the specified server.ssl.key-store. server.ssl.client-auth=need specifies that the client's browser (or another app) should use a client certificate to pass authentication. And server.ssl.trust-store specifies the trusted client certificates.

sslContext:

When you use sslContext you are configuring the outbound connections from your Java app to outside services. You use loadKeyMaterial and loadTrustMaterial to call some third-party service from your app: loadTrustMaterial specifies which server certificates you trust, and loadKeyMaterial specifies which key your app should use to connect to that resource.
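The following is an added example (not code from the question or either answer) that puts both halves of the distinction above into one Spring Boot configuration fed from cloud-fetched stores, which is what the question asks for. The inbound side (what server.ssl.* configures) is given the in-memory KeyStores through Spring Boot 2.x's SslStoreProvider hook, and the outbound side builds its own SSLContext for RestTemplate from the same objects. Assumptions: a SecretSource bean is available (a hypothetical interface standing in for the AWS/GCP secret manager SDK), the secret names used are invented, the stores are PKCS#12, and the classpath has Spring Boot 2.x with Apache HttpClient 4.x. Unlike the question's snippet, it keeps hostname verification on (DefaultHostnameVerifier) and trusts only what is in the fetched truststore.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.boot.web.server.SslStoreProvider;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class CloudStoreSslConfig {

    /** Hypothetical secret fetcher; a real one would wrap the AWS/GCP secret manager SDK. */
    public interface SecretSource {
        byte[] fetch(String name);   // raw bytes of a PKCS#12 file, or a password as UTF-8
    }

    private final KeyStore keyStore;
    private final KeyStore trustStore;
    private final char[] keyPassword;

    /** Fetch both stores once at startup and keep them only in memory (never written to disk). */
    public CloudStoreSslConfig(SecretSource secrets) throws Exception {
        char[] ksPass = toChars(secrets.fetch("client-keystore-password"));   // assumed secret names
        char[] tsPass = toChars(secrets.fetch("client-truststore-password"));
        this.keyStore = loadPkcs12(secrets.fetch("client-keystore"), ksPass);
        this.trustStore = loadPkcs12(secrets.fetch("client-truststore"), tsPass);
        this.keyPassword = ksPass;        // still needed to unlock the private key entry
        Arrays.fill(tsPass, '\0');        // truststore password is not needed after loading
    }

    /**
     * Inbound side (the part server.ssl.* normally configures): hand Spring Boot the in-memory
     * stores instead of file paths. SslStoreProvider is the Spring Boot 2.x API (replaced by
     * SslBundles in 3.1). server.ssl.enabled, server.ssl.client-auth=need and the key-store
     * password are still read from application.properties; the *-store path properties are omitted.
     */
    @Bean
    public WebServerFactoryCustomizer<ConfigurableServletWebServerFactory> serverSslStores() {
        return factory -> factory.setSslStoreProvider(new SslStoreProvider() {
            @Override public KeyStore getKeyStore() { return keyStore; }     // server cert + key
            @Override public KeyStore getTrustStore() { return trustStore; } // CAs of allowed clients
        });
    }

    /** Outbound side: the same stores feed the SSLContext that RestTemplate uses to call server1. */
    @Bean
    public RestTemplate mutualTlsRestTemplate() throws Exception {
        SSLContext ctx = SSLContextBuilder.create()
                .loadKeyMaterial(keyStore, keyPassword)   // client certificate presented to server1
                .loadTrustMaterial(trustStore, null)      // trust only CAs in the fetched truststore
                .build();
        // DefaultHostnameVerifier keeps hostname checking on, unlike NoopHostnameVerifier
        SSLConnectionSocketFactory sslFactory =
                new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
        // HttpClient uses sslFactory only for https:// URLs; http:// URLs go through the plain
        // socket factory, so this one RestTemplate can also talk plain HTTP to server2
        HttpClient client = HttpClients.custom().setSSLSocketFactory(sslFactory).build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(client));
    }

    /** Parse PKCS#12 bytes (as returned by the secret manager) into a KeyStore without touching disk. */
    static KeyStore loadPkcs12(byte[] pkcs12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (ByteArrayInputStream in = new ByteArrayInputStream(pkcs12)) {
            ks.load(in, password);
        }
        return ks;
    }

    private static char[] toChars(byte[] utf8) {
        return new String(utf8, StandardCharsets.UTF_8).toCharArray();
    }
}
```

The point this makes concrete: setting the stores "at sslContext alone" only ever covers outbound calls; the listener that demands client certificates (server.ssl.client-auth=need) is built by Spring Boot from its own configuration, so a cloud-fetched store has to reach it through a hook like the one above (or be written to a file that server.ssl.key-store points at). The javax.net.ssl.* system-property approach from the first answer has the same limitation and additionally requires filesystem paths, so it cannot take bytes straight from a secret manager.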

