Mutual Authentication (Two-Way TLS/SSL) with cloud-residing KeyStores and TrustStores (Secret Manager) - Spring Boot
I'm working on Mutual Authentication in Spring Boot; I could implement it locally and it's running smoothly.
But I wanted to get the certificates/stores from the Amazon/Google certificate manager, or maybe from an S3 bucket.
Previous Configuration
As I have the stores locally, this is how I could load them:
#ApplicationProperties.yaml
server.ssl.enabled=true
#KeyStore
server.ssl.key-alias=1
server.ssl.key-store=classpath:clientKeystore.p12
server.ssl.key-store-password=whatever
#TrustStore
server.ssl.trust-store=classpath:clientTrustStore.p12
server.ssl.trust-store-password=possiblyAnything
server.ssl.client-auth=need
RestTemplate Configuration
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.Resource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

// Injected as Resource so Spring resolves the classpath:/file: prefix from the property
@Value("${server.ssl.trust-store}")
private Resource trustStoreResource;
@Value("${server.ssl.trust-store-password}")
private String trustStorePass;
@Value("${server.ssl.key-store}")
private Resource keyStoreResource;
@Value("${server.ssl.key-store-password}")
private String keyStorePass;
@Value("${server.ssl.key-alias}")
private String keyAlias;
@Bean
public RestTemplate restTemplate() throws Exception
{
    // Load the PKCS#12 stores from the configured locations
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    try (InputStream in = keyStoreResource.getInputStream()) {
        keyStore.load(in, keyStorePass.toCharArray());
    }
    KeyStore trustStore = KeyStore.getInstance("PKCS12");
    try (InputStream in = trustStoreResource.getInputStream()) {
        trustStore.load(in, trustStorePass.toCharArray());
    }
    // Build the context before handing it to the socket factory (the original passed a still-null context)
    SSLContext sslContext = new SSLContextBuilder()
        .loadKeyMaterial(keyStore, keyStorePass.toCharArray(), (aliases, socket) -> keyAlias)
        .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
        .build();
    // NoopHostnameVerifier skips hostname checking: any trusted certificate is accepted for any host
    SSLConnectionSocketFactory sslSocketFactory =
        new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
    HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslSocketFactory).build();
    HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
    requestFactory.setHttpClient(httpClient);
    return new RestTemplate(requestFactory);
}
Now the same truststores and keystores are in the cloud, and I want to fetch them at application load/start time.
It could happen that your application has to trust certificates that are used by other applications you are communicating with, and that are managed by the same company. In this case you can create a truststore locally and use it. You don't need certificates signed by a company of the kind used in general for websites.
You don't need to set the keystore/truststore in both places. My preferred way to set the keystore and truststore:
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
public class SSLConfig {
    @Autowired private Environment env;

    // Sets the JVM-wide defaults picked up by the default SSLContext (outbound HTTPS).
    // These javax.net.ssl.* properties take file-system paths, not classpath: locations.
    @PostConstruct
    private void configureSSL() {
        System.setProperty("javax.net.ssl.keyStore", env.getProperty("server.ssl.key-store"));
        System.setProperty("javax.net.ssl.keyStorePassword", env.getProperty("server.ssl.key-store-password"));
        System.setProperty("javax.net.ssl.trustStore", env.getProperty("server.ssl.trust-store"));
        System.setProperty("javax.net.ssl.trustStorePassword", env.getProperty("server.ssl.trust-store-password"));
    }
}
In the application.properties:
server.ssl.key-store=keystores/client.jks
server.ssl.key-store-password=changeit
server.ssl.trust-store=keystores/mycustom.truststore
server.ssl.trust-store-password=changeit
The difference is in upstream and downstream configuration.
application.properties:
When you use application.properties with server.ssl.* you are actually configuring your server side. I.e. you are creating server.port to accept https traffic with the specified server.ssl.key. server.ssl.client-auth=need specifies that the client's browser (or another app) should use a client certificate to pass authentication. And server.ssl.trust-store specifies the trusted clients' certificates.
sslContext:
When you use sslContext you are configuring your outbound connections from your Java app to outside services. And you use loadKeyMaterial and loadTrustMaterial to use some third-party service in your app. loadTrustMaterial specifies which server certificates you are trusting and loadKeyMaterial specifies which key your app should use to connect to some resource.
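The question asks for stores fetched from a secret manager at startup, and the answer above separates the inbound (server.ssl.*) configuration from the outbound (sslContext) one. The following added example is mine, not code from the question or from any of the answers: it fetches both PKCS#12 stores from AWS Secrets Manager once at startup and uses the same in-memory copies for both sides. It assumes Spring Boot 2.x (SslStoreProvider; Spring Boot 3.1+ replaced it with SslBundles), the AWS SDK v2 secretsmanager module on the classpath, and two binary secrets holding the PKCS#12 files; the secret ids (mtls/keystore.p12, mtls/truststore.p12) and the mtls.* property names are hypothetical, while the store passwords and key alias still come from server.ssl.* exactly as in the question.

```java
// Added example: mTLS stores loaded from AWS Secrets Manager (Spring Boot 2.x, AWS SDK v2).
// Secret ids and mtls.* property names are assumptions, not from the original post.
package com.example.mtls;

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.server.SslStoreProvider;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;

@Configuration
public class CloudMtlsConfig {

    // Hypothetical secret ids; override them per environment through these properties.
    @Value("${mtls.keystore-secret-id:mtls/keystore.p12}") private String keyStoreSecretId;
    @Value("${mtls.truststore-secret-id:mtls/truststore.p12}") private String trustStoreSecretId;
    // Same server.ssl.* properties the question already uses (inject them from the environment).
    @Value("${server.ssl.key-store-password}") private String keyStorePass;
    @Value("${server.ssl.trust-store-password}") private String trustStorePass;
    @Value("${server.ssl.key-alias}") private String keyAlias;

    /** Fetch a binary secret and parse it as a PKCS#12 store without writing it to disk. */
    static KeyStore loadStore(SecretsManagerClient sm, String secretId, char[] password) throws Exception {
        GetSecretValueResponse resp = sm.getSecretValue(
                GetSecretValueRequest.builder().secretId(secretId).build());
        if (resp.secretBinary() == null) {
            throw new IllegalStateException("secret " + secretId + " is not a binary secret");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (ByteArrayInputStream in = new ByteArrayInputStream(resp.secretBinary().asByteArray())) {
            ks.load(in, password); // verifies the PKCS#12 MAC, so a wrong password fails here, at startup
        }
        return ks;
    }

    @Bean
    public SslStoreProvider sslStoreProvider() throws Exception {
        // Region and credentials come from the SDK default chain (instance profile, IRSA, env vars),
        // so no cloud credential and no store file sits in application.properties.
        try (SecretsManagerClient sm = SecretsManagerClient.create()) {
            KeyStore keyStore = loadStore(sm, keyStoreSecretId, keyStorePass.toCharArray());
            KeyStore trustStore = loadStore(sm, trustStoreSecretId, trustStorePass.toCharArray());
            if (!keyStore.isKeyEntry(keyAlias)) {
                throw new IllegalStateException("no private key under alias " + keyAlias);
            }
            return new SslStoreProvider() {
                @Override public KeyStore getKeyStore() { return keyStore; }
                @Override public KeyStore getTrustStore() { return trustStore; }
            };
        }
    }

    /** Inbound side: Tomcat takes the stores from the provider instead of server.ssl.key-store /
     *  server.ssl.trust-store; server.ssl.enabled, key-store-password, key-alias and
     *  client-auth=need are still read from the properties. */
    @Bean
    public WebServerFactoryCustomizer<ConfigurableServletWebServerFactory> mtlsServer(SslStoreProvider provider) {
        return factory -> factory.setSslStoreProvider(provider);
    }

    /** Outbound side: same stores, default hostname verifier, no TrustSelfSignedStrategy. */
    @Bean
    public RestTemplate restTemplate(SslStoreProvider provider) throws Exception {
        SSLContext ctx = new SSLContextBuilder()
                // key password is assumed equal to the store password, the PKCS#12 default
                .loadKeyMaterial(provider.getKeyStore(), keyStorePass.toCharArray(),
                        (aliases, socket) -> keyAlias)
                .loadTrustMaterial(provider.getTrustStore(), null) // trust only the CA(s) in the store
                .build();
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(ctx); // default hostname verification
        HttpComponentsClientHttpRequestFactory rf = new HttpComponentsClientHttpRequestFactory(
                HttpClients.custom().setSSLSocketFactory(sf).build());
        return new RestTemplate(rf);
    }
}
```

With this configuration application.properties contains no server.ssl.key-store or server.ssl.trust-store entry, only server.ssl.enabled=true, server.ssl.client-auth=need, server.ssl.key-alias and the two passwords, which belong in environment variables rather than in the committed file. Because the truststore holds only the issuing CA(s), the outbound side keeps the default hostname verifier and drops the TrustSelfSignedStrategy and NoopHostnameVerifier from the question's RestTemplate, both of which would let any certificate chained to a trusted CA pass for any hostname. A missing secret, a non-binary secret or a wrong password fails in KeyStore.load at startup instead of at the first TLS handshake.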
Notice: technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site or the original source. For any questions contact: yoyou2525@163.com.