stackoom
  简体   繁体   中英

Java Client - Accessing Kubernetes cluster and MQ cluster over SSL

 原文  2019-09-02 14:04:17       java/ kubernetes/ ssl-certificate/ ibm-mq

Question

Hava a Java client application that can connect to a Kubernetes cluster over SSL using io.kubernetes.client.ApiClient okay on its own. The same Java client application can also connect to an MQ cluster over SSL on its own. The same application however cannot connect to both Kubernetes cluster over SSL and MQ cluster over SSL all at once.

I believe this may be due to the fact that only one SSL key/trust store can be configured on a JVM at any one time? But do not know what the best way forward is in order to resolve this.

What would be the simplest way to allow a Java client to connect to both a Kubernetes cluster and an MQ cluster each over SSL?

The two configurations shown in this post result in the following error being thrown when both are run together:

WARN  io.kubernetes.client.util.credentials.ClientCertificateAuthentication - Could not create key manager for Client Certificate authentication.
java.security.UnrecoverableKeyException: Cannot recover key

The Kubernetes part of the client application connects to the Kubernetes cluster by configuring as follows:

String kubeConfigPath = "~/.kube/config";
apiClient = ClientBuilder.kubeconfig(
                    KubeConfig.loadKubeConfig(new FileReader(kubeConfigPath))).build();
apiClient.getHttpClient().setReadTimeout(0, TimeUnit.SECONDS);
            Configuration.setDefaultApiClient(apiClient);

The Mq part of the client application connects to the MQ cluster by configuring as follows:

System.setProperty("javax.net.ssl.trustStore", "C:\\tmp\\ssl\\dev\\mgr_mq.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "password");
System.setProperty("javax.net.ssl.keyStore", "C:\\tmp\\ssl\\dev\\mgr_mq.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");

java.net.URL ccdt = new URL("file:./config/qmgrs/mgr/AMQCLCHL.TAB");
MQQueueManager mqQueueManager = new MQQueueManager("*mgr", ccdt);

1 answers

solution1
 1  2019-09-05 13:16:01

The Kubernetes java client API code seems to force adding the certificate referenced in .kube/config to a new truststore that it creates new each time before adding the certificate to it.

This seems to take place in ClientCertifiacteAuthentication.java class' provide(ApiClient client) method:

final KeyManager[] keyManagers = SSLUtils.keyManagers(certificate, key, algo, "", null, null);

Where the two null values which are keyStoreFile and keyStorePassphrase then force a new truststore to be created within.

So for now and to prove that a solution is possible I have overriden this class to be:

final KeyManager[] keyManagers = SSLUtils.keyManagers(certificate, key, algo, "password", "C:\\tmp\\ssl\\dev\\mgr_mq.jks", "password");

With this overriden code, both Kubernetes cluster and MQ cluster can be successfully connected to over SSL within the same JVM.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Java client to Artemis cluster MQ Message in a Web Cluster I want to use fabric8 kubernetes client (java) inside a pod. How do I obtain the kubernetes client for the cluster it is deployed on? Java Spring Active profile in kubernetes Cluster How to Authenticate GKE Cluster on Kubernetes API Server using its Java client library NoHostAvailableException :: Java to Cassandra SSL Cluster connection failed How to enable Client Certificate in Google Kubernetes Engine Cluster Connecting MQ7.X over SSL using java how to ues kubernetes api for java to create mysql cluster Java code manually Triggering kubernetes cronjob from the cluster
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM