Add ssl trustStore to thorntail application using project-defaults yaml - spring

How to add ssl trustStore and trustStorePassword on thorntail application, using config project-defaults yaml or using wildfly standalone.xml.
This how to add keyStore and its keyStorePassword using yaml
thorntail:
management:
http:
port: 8010
security-realms:
ApplicationRealm:
jaas-authentication:
name: OSecDom
ssl-server-identity:
alias: ${private.key.alias}
keystore-provider: ${javax.net.ssl.keyStoreType}
keystore-path: ${javax.net.ssl.keyStore}
keystore-password: ${javax.net.ssl.keyStorePassword}
Is it possible with thorntail, without having to add ssl trustStore as a Java - JVM argurments like below.
RUN_ARGS="-jar -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -Djavax.net.ssl.trustStore=/opt/myscerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${PROJECT_ARTIFACT} -P ${PROJECT_PROP} -s ${PROJECT_CONFIG}"
/usr/lib/java/jdk-11.0.5/bin/java $RUN_ARGS $*

Adding a truststore is possible:
thorntail:
management:
security-realms:
my-ssl-realm:
ssl-server-identity:
keystore-path: server-keystore.jks
keystore-password: server-password
alias: server-key
key-password: server-password
truststore-authentication:
keystore-path: server-truststore.jks
keystore-password: server-password
See https://github.com/rhoar-qe/thorntail-test-suite/tree/master/protocols for a couple of complete examples, using both legacy security and Elytron.

Related

spring-cloud-vault-config-databases with Spring Boot 2.4.0 Config Data API fails to bind properties

I'm using spring-cloud-vault-config-databases with Spring Boot 2.4.0 Config Data API as the prefered mode described here bootstrap.yml configuration not processed anymore with Spring Cloud 2020.0 :
When I'm using Spring Boot 2.4.0 Config Data API to import configuration from Vault (Preferred) the secret properties are not binded to the spring.datasource.username & spring.datasource.password and my postgres cnx fails.
When I'm using "Legacy Processing" with the bootstrap configuration property spring.cloud.bootstrap.enabled=true the properties spring.datasource.username & spring.datasource.password are well binded to my Vault secret.
What is the expected behaviour of the spring-cloud-vault-config-databases ?
Is expected to works with Spring Boot 2.4.0 Config Data API ?
my application.yml
spring.cloud.vault:
enabled: true
authentication: CERT
ssl:
key-store: file: ...
key-store-password: ...
trust-store: ...
trust-store: ...
trust-store-password: ...
cert-auth-path: ...
uri: https:...
namespace: ...
fail-fast: true
database:
enabled: true
role: myPostgresRole
backend: database/postgres/...
username-property: spring.datasource.username
password-property: spring.datasource.password
spring:
config:
import: vault://secret/... , vault://database/postgres/...
Versions used :
spring-boot : 2.4.11
spring-cloud : 2020.0.3
spring-cloud-vault-config-databases : 3.0.3

Spring cloud not able to resolve vault secret into .yml

I'm working with microservice architecture and have spring cloud config service and another microservice.
profiles:
active: vault
cloud:
# Configuration for a vault server running in dev mode
vault:
scheme: http
host: 127.0.0.1
port: 8200
connection-timeout: 5000
read-timeout: 15000
authentication: TOKEN
token: s.E4gdoIYAKxMvCE56MP5Etmvy
kv:
enabled: true
backend: secret
backend-version: 2
profile-separator: /
generic:
enabled: false
application-name: myapp
Config server dependency
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-vault-config</artifactId>
<version>2.1.5.RELEASE</version>
</dependency>
this is into .yml into the config service. Then into the .yml for my microservice i have db.username property which I want to resolve from Vault but I can't. Do you have any ideas?
username: db.username
password: secret/apm-transaction-service/dev/db.user
#Value("${db.username}")
this value is resolved into the java code but not into the .yml
Now for each microservice which I have I want to resolve the secrets from the configuration service without making any changes into the microservices. Currently reading native .ymls from the config service and want to add one more source :)
ApplicationStartupRunner run method Started !!root
if you are using spring-boot, for the value in .yml file to be resolved it has to be a variable. you must use ${db.username} in the yaml file

Apache Camel Global SSL Configuration with Spring-Boot

I am struggling to get the global SSL configuration to work. I am running
Apache Camel within Spring boot. It seems the configuration in
application.yml is ignored. The SSL context is not created and the
use-global-ssl-context-parameter is ignored for http component.
Versions
Spring-Boot: 2.1.9-RELEASE
Apache Camel: 2.24.2
Dependencies included in pom:
camel-spring-boot
camel-spring-boot-starter
camel-http-starter
Configs (application.yml)
camel:
# To enable global SSL in undertow
component:
http:
use-global-ssl-context-parameters: true
ssl:
config:
key-managers:
key-password: "changeit"
key-store:
resource: "/keystore.p12"
password: "changeit"
type: "PKCS12"
trust-managers:
key-store:
resource: "/cacerts"
password: "changeit"
type: "jks"
This is in a clean project created specifically to test the global SSL
context creation.
It seems I am missing a step somewhere?
Assistance appreciated.
Replacing camel-http component camel-http4 resolved the issue. My understanding is that camel-http is deprecated.

Is there anyway to use configure-server with servlet context path when register on service discovery?

I have a service-discovery which register all the services. I have configure-server which maintain all the configuration. configure-server already register in service-discovery. I know by default configure-server will register with id: configserver. I know how to change the id. But when I tried to use servlet.context.path= /config all the configure-client can not pull from configure-sever through service-discovery look like can not use /config in configure-server.
configure-server:
server:
port: 0
servlet:
context-path: /config
spring:
application:
name: configserver
cloud:
config:
server:
git:
uri: https://github.com/PheaSoy/spring-completed-microservice
search-paths: config/{application}
discovery:
enabled: true
configure-client
spring:
application:
name: song-service
cloud:
config:
uri: http://configserver/config
discovery:
enabled: true
Even I added context path /path configure-client always fetched without context path.
ConfigServicePropertySourceLocator : Fetching config from server at : http://192.168.1.34:57945/
Is there any way to configure configure-client with available configure-server context path through service-discovery?
The discovery client implementations all support some kind of metadata map (for example, we have eureka.instance.metadataMap for Eureka). Some additional properties of the Config Server may need to be configured in its service registration metadata so that clients can connect correctly. If the Config Server is secured with HTTP Basic, you can configure the credentials as user and password. Also, if the Config Server has a context path, you can set configPath. For example, the following YAML file is for a Config Server that is a Eureka client:
bootstrap.yml.
eureka:
instance:
...
metadataMap:
configPath: /config
Reference:
Spring Cloud Config with Eureka - contextPath
Discovery with bootstrap
Yes, you can define your context path for your configuration server as you have done.
But doing so, you also need to take into account the alignments you need to do.
Eureka. By default will call your management API. For example, http://BASE_URI/actuator/health. But since you are adding a context path "config", it means it should be now: http://BASE_URI/config/actuator/health. You can correct following the suggestion above on eureka.instance...metadataMap.configPath: /config
Configuration Clients. In your application (client to the config server), you can add the context path in spring.cloud.config.uri. For example, if it was "http://BASE_URI", then it should be updated as "http://BASE_URI/config" now since you added a context path.
Please try and see if it helps.

problem path for truststore inside docker with spring boot and kafka

i have technical problem trying solving when deploying my app spring boot app with docker container.
org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore /tmp/tomcat-docbase.4737956707529585395.8080/deployments/app/certs/kafka.truststore.jks
/deployments is my workdir configure in dockerfile
i find it strange that it picking on tmp/tomcat docbase because when configuring for other truststore it getting in the correct place. Here what inside my application.yaml
spring:
kafka:
bootstrap-servers:localhost:9092
ssl:
truststore-location: /deployments/app/certs/kafka-truststore.jks
truststore-password: test
consumer:
group-id: consumerid
server:
ssl:
enabled: false
key-store: /deployments/app/certs/dp--dev.jks
key-store-password: changeit
trust-store: /deployments/app/certs/ol-truststore-dev.jks
trust-store-password: test
it something that i am missing or it relate to kafka springframework lib that i am using ?
The truststore-location is a Spring Resource (classpath: by default) so it looks for the file on the class path. Boot checks the file is present so I don't see how it got past boot without error and gets passed to Kafka (unless it's also on the class path). If Boot finds it ok, Kafka should too.
Try file:/deployments/app/certs/kafka-truststore.jks

Resources