I’m using Quarkus 2.9.2 with quarkus-websocket-client extension.
Server is using mTLS authentication which requires client certificate to be provided.
How could I include SSLContext into ClientEndpointConfiguration in websocket-client implementation? Are there any special requirements for Native Build?
With much thanks
Related
Has anyone found a STOMP client implementation that works with Quarkus Native via web sockets?
I am using Quarkus 2.7.5.Final including io.quarkus:quarkus-websockets-client
I have a spring boot app deployed to Swisscom App Cloud that should to be secured with mTLS.
Obviously there's spring security... Specific to Swisscom App Cloud I read about securing traffic on https://docs.developer.swisscom.com/adminguide/securing-traffic.html.
It is unclear to me how the two play together...
If I enable mTLS via spring security, would that work as is or would I need additional configuration for the Swisscom App Cloud? (I came across HTTP routing which mentions passing client certificates for mTLS https://docs.developer.swisscom.com/concepts/http-routing.html)
Is the configuration of mTLS on Swisscom App Cloud a replacement for what I would otherwise enable with spring security or would I still need to configure something within my application?
Securing traffic mentions deployment manifest and BOSH manifest, is the latter (and maybe additional) configuration needed to enable mTLS on Swisscom App Cloud (i.e. would I need to have access to configs besides the deployment manifest) ?
Update
My use case that I have a REST API that will be consumed by a client outside of Swisscom App Cloud. It was decided that it shall be secured using mTLS.
The admin guide you're referring to is meant for platform operators (i.e. Swisscom), so it's not a resource that can be leveraged by end users.
What is your use case? If it's only a security requirement to check off a list, be aware that the platform itself will be using mTLS internally soon, so the whole path up until the app container is secured. That might be enough for your auditor.
If you really need to validate client certificates by yourself, CF's way of doing so is leveraging X-Forwarded-Client-Cert (https://docs.cloudfoundry.org/concepts/http-routing.html#-forward-client-certificate-to-applications).
However, we've currently not enabled this (there was no need for it up until now), but we can do so.
Update:
According to this explanation, insertion of X-Forwarded-Client-Cert is actually done transparently by the platform. So if you add the client application's certificate to the server application's truststore, it will verify the client certificate.
Update 2:
As you can see in the discussions below, it looks like there is currently conceptually no easy way to allow apps to do proper mTLS using X-Forwarded-Client-Cert. The only option currently is using tcp routes, which is something you can request with your Appcloud support team.
Can anybody provide me with a code sample to access rest service url secured with https using spring rest template.
I have the certificate(.pfx format) password and send cient side certificate to server. server side is used on the client side certificate and established the connection
I want to create a springboot application that work as 2 way SSL between client and server.
Thanks.
I created a sample Spring Boot application that demonstrates how to create a RestTemplate that is configured for SSL client authentication. The sample application acts as the server as well which requires SSL mutual authentication (to demonstrate usage via the test case). In practice, the RestTemplate bean would interact with an external service. Hope this helps.
https://github.com/steve-oakey/spring-boot-sample-clientauth
I should note that the most important part of the example is creating the SSLContext. There are plenty of ways to create the SSLContext, I chose a method that uses the SSLContextBuilder from the org.apache.httpcomponents:httpclient library. Other methods such as using the Java API directly, or setting the javax.net.ssl.* JVM properties would also work.
Currently I configure WSO2 Identity Server 5.3.0 and API Manager 2.1.0 in one same server. For Identity server 5.3.0 run as "9443" and API Manager run as "9444" ports.
Is there any way to make both of this WSO2 products using "HTTPS" which is run in same "443" ports?
http://xacmlinfo.org/2014/11/16/how-to-developing-identity-server-behind-proxy-or-load-balancer/
I have already try to config the proxy based on this link and also other WSO2 documentation and it unsuccessful.
If can, is there any proper configuration guide on how to config?
Kindly required a guidline.
You can refer WSO2 Documentation for this.
We are using a Jetty server along with Spring security framework. The server should accept requests from only from a known client (Which is also a server). We want to configure client certificates so that Jetty accepts only the requests with the known client certificate.
How can we configure the server?
All we need to do is set NeedClientAuth in jetty-ssl-config.xml to true. No change is needed in Spring config.