I have a spring boot(2.4.2) project where I am using spring-boot-starter-data-cassandra. I have enabled SSL through the below property.
spring.data.cassandra.ssl=true
But how can I specify the trust-store details for this version(spring-data-cassandra-3.1.3)? As I don't want to pass the details as JVM arguments.
Related
I have configured my trustsore and keystore information in the external tomcat's server.xml in the Connector tag. The certificates are stored in the tomcat's /base/lib directory.
I need to deploy a spring boot application to this external tomcat.
How can I make the information about trustsore and keystore available to the spring boot application?
Where in the spring boot application do I need to store the trsustore and keystore .jks files?
I did the same with the datasource in Resource tag in server.xml, and in spring boot application I used
spring.datasource.jndi-name=some name to jndi. How can I configure the same for trsustore and keystore?
The keystore and truststore in Tomcat's <Connector> have a single purpose:
the keystore contains the certificate (and private key) used by the server's SSL port,
the truststore contains the list of CAs, which are trusted if mutual SSL authentication is enabled.
Therefore these settings are specific to each deployment of your application. You shouldn't provide them yourself.
You should only provide system administrators a way to configure those settings. In your case Spring Boot already takes care of it (cf. server.ssl properties).
See also:
What is the difference between javax.net.ssl.keyStore and server.ssl.key-store properties when specifying keystore for a SpringBoot app
I have been using the Spring cloud Service connectors for Pivotal cloud foundry for a long time which gets the connection details from the VCAP_SERVICES env variable. Now we have a requirement to read these credentials from Vault . I am just curious , Can I still continue to use the Service binding approach with spring cloud connector ? I would assume we don't want to expose these credentials from vault to an VCAP_SERVICES variable which defeat the purpose of the vault. Has there been any enhancements in Spring cloud connectors to read the credentials directly from Vault rather than depending the VCAP_SERVICES env variable or should I resort back to the Spring boot's default Application Properties based approach instead of the service binding approach using cloud connectors ?
The Spring Cloud Connectors project is now in maintenance mode, in favor of the newer Java CFEnv project. However, Java CFEnv is also very specific to Cloud Foundry's VCAP_SERVICES model of exposing service bindings and won't help you if the service connection info is in Vault.
I would suggest that you fall back to the Spring Boot properties-based approach using Spring Cloud Vault or Spring Cloud Config Server's Vault integration to automate fetching the properties from Vault and making them available as Spring Boot properties.
I have a spring boot application running on SSL programmatically using TomcatServletWebServerFactory where we set the following from configuration file:
proto.setSSLCertificateKeyFile(classLoader.getResource(certificateKeyFile).getPath());
proto.setSSLCertificateFile(classLoader.getResource(certificateFile).getPath());
proto.setSSLCertificateChainFile(classLoader.getResource(certificateChainFile).getPath());
However, i would like to enable on SSL on the actuator endpoint too. I found online that we do this using the following in application.properties:
management.server.ssl.enabled=true
management.server.ssl.key-store=
management.server.ssl.key-password=
This is not working in my case as i need to reuse the above certificate. If i add an additional connector to TomcatServletWebServerFactory programmatically, it throws an error as already bind port as if actuator have different tomcat connector. How can i programmatically enable SSL on actuator while providing the certificate files as above?
I ended up removing my programmed configuration and used the following:
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:name.pfx
server.ssl.key-store-password=password
without using SSL of actuator: management.server.ssl.xxx configuration
I'm trying to use localhost as the mail server but getting "454 4.7.0 TLS not available due to local problem" error.
How can I disable TLS for mail?
I'm using Spring Boot.
mail.smtp.starttls.enable and mail.smtp.starttls.required are two properties defined in JavaMail. However, in order to use them in a Spring application, we need to add them to application properties using the "additional properties" method in Spring. Relevant excerpt from Spring Boot reference:
spring.mail.properties.*= # Additional JavaMail session properties.
Hence, in short, we need to add the following to our application.properties file to use mail without TLS in Spring:
spring.mail.properties.mail.smtp.starttls.enable=false
spring.mail.properties.mail.smtp.starttls.required=false
Source
I am trying to connect to Cassandra from my Spring boot application using spring-boot-data-cassandra.I have two doubts.
1) Is it recommended to use the CassandraAutoConfiguration i.e. by providing all Cassandra configurations in application.properties with prefix(spring.data.cassandra.*) so that my app will create a cluster for me or do I need to manually create cluster bean, because in CassandraAutoConfiguration cluster bean is annotated with #ConditionalOnMissingBeanso which one is more preferred to use spring cassandra auto configuration or manually creating a cluster bean.
2) My cluster is enabled with ssl at Cassandra side. So when I am auto configuring Cassandra connections with ssl enabled (by setting spring.data.cassandra.ssl=true) then Default SSL context is created for me, but i need to provide my truststore path and truststore password to initialize SSLContext. There is no properties provided at data-cassandra like the one provided for kafka(spring.kafka.ssl.truststore-location= # Location of the trust store file.
spring.kafka.ssl.truststore-password= # Store password for the trust store file.), so is there any way to provide truststore file location and password to AutoConfigure my Cassandra configuration or to override default SSLContext created.
Please help me and correct me if my understanding is wrong. Thanks.
Updates:
https://github.com/spring-projects/spring-boot/issues/8476
Using Spring Boot's Auto-Configuration is the preferred approach but Boot goes out of your way if you need to apply a more specific configuration. Most conditional beans are created if there's no other provided #Bean.
If you provide Cluster yourself, then Spring Boot's Auto-Configuration will not provide a second Cluster bean.
The preferred approach since Spring Boot 1.5, if you need a more specific configuration, is providing a ClusterBuilderCustomizer bean that gets called to customize Cluster.Builder to your needs.
You might also want to file an issue in Spring Boot's issue tracker. Specific SSL configuration is a common configuration use-case.