I have multiple keystores and I would like the JVM to use all of them without adding extra code (the way it works with one keystore using vm options).
This JVM is going to run on Cloud Foundry and Im going to setup a number of keystore services and bind them all to my app (JVM).
Is this possible? Does cloud foundry does anything special to make this possible? I heard something about CF packing them into some zip file (maybe merges them into one keystore)
When you deploy a Java application to cloud foundry the java build pack will run and will take care of configuring the JVM JKS store. You can read more about this at https://github.com/cloudfoundry/java-buildpack
If you would like to use multiple JKS files I recommend you store these files inside your .jar or .war then read them from the classpath and configure your SSL context as you like.
If must you can modify the Java Buildpack (last resort) to automatically install your JKS files wherever you please in the container. You might want to do a cf ssh into a running container and explore the filesystem layout there to see how you can accomplish what you want.
Related
We faced problem with REST calls from GCP Dataflow (Apache Beam/ Java SDK based) to our internal service within GCP with custom Self-Signed Certificate.
We tried to put certificate in Runtime to ../java/../cacerts file and it works well, but Java reads ../cacert during start and we are forced to override SSlContext and X509TrustManager, put it to HttpClient and reload cacert file in Runtime before http call and after custom cert loaded (followed this example).
From my perspective it looks like pretty hard implementation.
So the question: Does this problem has any easy workaround like run .sh script before GCP Dataflow Worker runs and update cacert file via cli before JVM started.
We also up Dataflow via gcloud cli so we cannot just put custom cacert to the project and point JVM to it via Java Options.
Thanks for any suggestions!
We did something similar for authenticating to services which use self-signed certificates.
You could always use custom containers for your workers and copy the certificate to cacerts in the dockerfile? This way the worker will always have the certificate in cacerts. (Custom containers are only supported for pipelines using Dataflow Runner v2)
I have created a spring boot application which i want to deploy with digital ocean servers, please can anyone guide me.
Any help will be appreciated.
The easiest way to run java application in the cloud using Digital Ocean:
First, create executable jar/war file.
Second, move generated file (jar/war) file to remote server (droplet).
Third, make sure the right version of java is installed (which java). If not install it.
Fourth, run your jar as a detached process.
The better way is to package your application inside of docker container and deploy it in the orchestrated environment.
I'm running two applications on my tomcat sevrer (one is in spring boot, second is in angular which uses the first one) now I want to enable https connections to both of my applications. I have generated the following files:
MyDomain.cer
MyDomain.key
MyDomain.csr
Now I want to secure connection to my applications using TLS 1.2.
And now I'm stuck. According to Tomcat guide i should create a keystore file to store my keys, then I should generate new key. I want to use the files I have already generated, how can I archive this?
Could you describe or redirect me to a page where I can find a step-by-step guide how to configure https on tomcat with the files I have?
found solution:
generate jsk key
put it in tomcat keystore folder (if doesnt exist, create it)
configure server xml to point to key storage with your generated key
more detailed instruction on how to can be found here.
I've a tomcat instance with many webapps. Some of them require their own independent keystore to call an external Web Service over SSL. So far the only way I've found to use the provided keystore is using:
System.setProperty("javax.net.ssl.trustStore", "mykeystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword","mypwd");
But the problem with this way is that the scope of the system properties is per java process, (tomcat shares the same JVM for all the webapps) and this would affect all the other webapps. Right?
How can I use a specific keystore per every webapp in my tomcat instance and keep it limited to the specific Web Service call?
It might matter that I'm using Axis(1) WS clients.
I'm not very familiar with Axis, but there should be a way to configure a keystore or truststore in Axis, for the HTTP client it is using for your web service calls.
Configuring the keystore on Tomcat level is not the way to go, as you found out already.
we are using worker roles to host java apps that are essentially Tompact and App code within an azure package.
We want to be able to setup SSL without having to bake the certs into the app package in a similar way to the .Net side, where you can refer to certs in the certificate store.
How can this be achieved?
I have read this blog post http://blogs.msdn.com/b/avkashchauhan/archive/2010/11/07/adding-ssl-https-security-with-tomcat-java-solution-in-windows-azure.aspx which states we need to create a keystore.bin file from the cert and include it in the package.
The problem is, I dont want to bake the certs into the package for ease of management when rolling out code to multiple environments with different certs etc, and also from a management point of view around cert expiry etc.
Thanks
Amit
The key is how do you want to bring the certificate in the Azure VM to be configured and and used by Tomcat. Another key question is that Tomcat/Java does not use standard Windows CertStore for certificate instead it uses keystore (extended part of your Java runtime) so if you are not using key store configuration in Windows Azure Package then you would need to create on fly during Windows Azure VM configuration.
While others may have different idea, I can propose the following solution:
You need Tomcat Installation done at this point do either you can pack tomcat with Azure
Package or you would need to download and install Tomcat through Startup task
Drop the certificate files on Windows Azure Storage (or some other location on internet)
Create a start up task to download certs either from Windows Azure Storage or your download location
After the certificate is downloaded to local machine, run the same command in Azure VM within startup task to build the key store and be sure to create keystore where your tomcat is going to look it.
This way when the Tomcat starts it knows where to look for key store and configure the endpoint properly.
There is another way is to put together whole Tomcat setup along with keystore etc at Windows Azure Storage and download through Startup task and set it up in the Azure VM. I have described this process in my this blog along with sample source.
In both of above ways whenever you would want to change the Tomcat/certificate, just update the package at your download location and then re-image/Restart the Azure VM and you will have updated VM with new code and you really don't need tore-create Windows Azure Package.