In Camel's examples doesn’t have any example or documentation for mutual TLS.
How to setup the mutual tls setup in both java dsl and spring dsl ?
From the camel point of view you'll be targeting a https resource if you are acting as a client or serving it if you are the service. The mutual authentication is handled at the network layer so Camel won't have explicit hooks.
In the case of the client add the keystore/truststore (with the required certs added) to the startup commands -Djavax.net.ssl.keyStore=C:\temp\clientkeystore.jks -Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.trustStore=C:\temp\truststore.jks -Djavax.net.ssl.trustStorePassword=password
The additional flag -Djavax.net.debug=ssl is useful for debugging ssl handshake
For a server (assuming Spring boot) enable ssl as follows, again with the required certs added to it's keystore
server.ssl.enabled=true
server.ssl.key-store=C:\\temp\\serverkeystore.jks
server.ssl.key-store-password=password
server.ssl.trust-store=C:\\temp\\trustStore.jks
server.ssl.trust-store-password=password
server.ssl.client-auth=want
Related
I am confused on SASL_SSL. Do we need SSL certificate configured for the Kafka producer application ? Or is it just the username and password ? What is the difference between SASL_SSL and SASL_PLAINTEXT ? I am sending message from a plain java application to a topic.
SASL_SSL used TLS encryption like SSL so you will need to create a certificate, and with SASL_SSL you need to specify an authentication method.
This page should help you https://developer.confluent.io/learn-kafka/security/authentication-ssl-and-sasl-ssl/
SASL_PLAINTEXT doesn't use TLS encryption (SASL_PLAIN does and this uses the username/password authentication).
It really all depends on your security requirements. SASL_SSL is mainly used when integrating with a existing authentication server but this increases your vulnerability to attacks.
I'm able to consume HTTPS webservice with the ssl certiifcate being added to by JVM Trust store.I'm not getting any SSL Handshake error and How does connection is secure since i dont added any certificate. My tech stack is Sping boot, Spring MVC.
I am deploying Angular on Nginx & Apache http server (as reverse proxy web servers) in my UAT environment with the backend being on spring boot on Apache Tomcat (encrypted with https for the java REST apis), I have noticed that Nginx was configured as reverse proxy much easier than Apache BUT that was largely because Apache didn't trust the Java APIs certificate (as it is self signed, so this seems correct)
Can someone explain why this happened? I trust that Nginx is secure but I want to know why it allowed this self signed certificate while Apache by default blocked it (only allowed it with SSLProxyVerify none)?
Nginx config (related part):
location /api {
proxy_pass https://192.168.170.78:7002/;
}
Apache config (the related part):
# SSL proxy config
SSLProxyEngine on
# Why this must be present for the apache to connect to the backend but not for nginx?
SSLProxyCheckPeerName off
# the (proxy) redirection rules for the server
ProxyPass /api/ https://192.168.170.78:7002/
ProxyPassReverse /api/ https://192.168.170.78:7002/
I am trying to set up SSL in tomcat following the official documentation. I have some questions related to keystores involved this set up. There is a keystore at JRE/lib/security/cacerts and one configured in tomcat server.xml's connector element. Is my following assumption correct.
keystore configured in server.xml is only used for ssl connections and JRE/lib/security/cacerts is still used to trust connections made from server side code such as B2B webservice calls.
That is correct. To be more specific, the KeyStore configured in server.xml is used for inbound SSL connections.
Is there any way to configure an additional SSL listener port on an existing WebLogic server that uses a different keystore and truststore configuration from the "main" SSL port?
I don't think you can use multiple keystores for the same server - Even if you're using custom key/trust stores, you should be able to consolidate everything (using import/export for keytool/ikeyman).
Under the Server -> Protocols -> Channels tab, you can define an additional port using your SSL protocol of choice (t3s/https/iiops/ldaps) but your issue should be resolved by using the earlier suggestion alone.