Where is the ec2 trustore located?
We need the trustore.jks and password to connect to a AWS MSK cluster from a spring boot kafka app.
I am referring to SSL keystore and truststore folders with jks
Related
how to add a trusted CA for local Consul docker container?
So I have a consul running as a docker container and I am able to access it using chrome at localhost:8500 after exposing the ports, as expected. But due to company setting there is a security CA being added that chrome trusts, since it is added to MacOS keychain, but consul does not seems to trust when I try to use golang library to connect to consul
x509: “Menlo Security Intermediate CA” certificate is not trusted"
I get a certificate is not trusted error. I am able to export the CA to a RootCA.cer file from the keychain but how do I configure consul image to trust this CA file?
https://iotech.force.com/edgexpert/s/article/secure-consul-tls
I see articles like this
ca_file is used to check the authenticity of the client and server connections
cert_file is provided to clients and server to verify the agent's authenticity
key_file is used with the certificate to verify the agent's authenticity
but for me, the .cer export file will be used as cert_file?
how should I do it in docker compose?
consul:
image: dockerproxy.comp.com/consul:latest
ports:
- "9500:9500"
I m planning to use Vault Service as HA with Consul Backend with TLS using helm deployment for both consul and vault.
I have already deployed consul using helm deployment in my EKS cluster. This would deploy consul client as a daemonset and consul server as a pod
When the vault is deployed using helm, my vault server has to interact with consul client instead of consul server.
The challenge i face is that I can't provide storage consul address in below vault configuration file as 127.0.0.1:8501 because vault is running as separate pod and consul client as separate pod. so different ips.
storage "consul" {
address = "<WHAT_SHOULD_I_PROVIDE?>:8501"
path = "vault/"
scheme = "https"
tls_ca_file = ""
tls_cert_file = ""
tls_key_file = ""
token = "<CONSUL_TOKEN>""
}
I have also tweaked it by using HOST_IP:8501 but it throws below error
[WARN] storage migration check error: error="Get "https://10.15.0.7:8501/v1/kv/vault/core/migration": x509: certificate signed by unknown authority"
This is because TLS certificate should include a Subject Alternative Name (SAN) for the IP address, and of course, it should be signed by a trusted CA that you include as part of the ca_file parameter in Consul. But in my consul helm chart configuration, I'm using enableAutoEncrypt: true. So I can't able to use custom certs.
This would resolve if i deploy vault and consul in the same pod. In the vault helm chart configs, I couldn't find the consulAgent configuration in order to deploy the vault and consul agent together. Please help and let me know how to resolve this
Have you tried consul.service.consul?
My Spring Boot project works fine on https / ssl, when serving locally, using a p12 cert, but fails when uploading to AWS Elastic Beanstalk.
The following is the application.properties configuration:
security.require-ssl=true
server.use-forward-headers=true
server.port=8443
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: jonathan
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
The WebSecurityConfigurerAdapter subclass, configure(HttpSecurity http) method, contains the following line, to enable HTTPS / SSL:
http.requiresChannel().antMatchers("/**").requiresSecure();
Attached is classic load configurer configuration, inside AWS elastic beanstalk console:
Here is the SSL Certificate issued with the grasshapper.net domain, under AWS Certificate Manager:
I also have settings for under .ebextensions, the file with path is, src/main/resources/.ebextensions/.config (not sure if even needed):
option_settings:
aws:elb:listener:8443:
SSLCertificateId: [keeping private]
ListenerProtocol: HTTPS
InstancePort: 80
InstanceProtocol: HTTP
aws:elb:listener:80:
ListenerEnabled: false
Note (SSLCertifcateId): the ID is taken from the ARN, my AWS Certifcate manager SSL Certificate (if you expand the SSL Certificate you will see the ARN).
Does the proxy have a trusted IP address?
By default, IP addresses in 10/8, 192.168/16, 169.254/16 and 127/8 are
trusted. You can customize the valve’s configuration by adding an
entry to application.properties, as shown in the following example:
server.tomcat.internal-proxies=192\.168\.\d{1,3}\.\d{1,3}
Reference: https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/html/howto-embedded-web-servers.html#howto-customize-tomcat-behind-a-proxy-server
I am trying to add password authentication in my elasticsearch cluster using readonlyrest plugin. I installed the plugin successfully now i am trying to configure my configuration file(.yml file) but there In case 0 they are using a keystore see below
http.type: ssl_netty4
readonlyrest:
enable: true
ssl:
enable: true
keystore_file: "/elasticsearch/plugins/readonlyrest/keystore.jks"
keystore_pass: readonlyrest
key_pass: readonlyrest
Can anyone please tell me from where i can generate this keystore and also where is the username and password authentication parameters set in this plugin.
You can use Letsencrypt to generate a valid SSL certificate for free.
Use Letsencrypt's own tool called certbot
A Letsencrypt certificate works just fine in ReadonlyREST, but first you have to convert it into a JKS keystore.
Obtaining a JKS keystore from Letsencrypt certs is a common procedure: you would do the same if you want to use Letsencrypt with Tomcat. A very common, googleable use case.
PS: I will progressively release some detailed documentation in the following weeks on the official website.
I have registered a service using Spring Cloud Consul, but for this I had to run a Consul local agent which establishes a channel communication to Consul server node (running as bootstrap).
For example:
#Server
consul agent -server -bootstrap -bind -data-dir data -ui-dir web_ui
#Desktop
consul agent -data-dir consul -ui-dir consul/dist -join server_ip_address
Is there any way to avoid of having this local agent in my desktop, I mean from my desktop Spring Cloud Consul would register the service to server node?
An example of this is what Netflix Eureka client does with Netflix Eureka server, no external agents running in machines to bind services names.
you have to use property file or yaml file i just give sample yaml file
application.yml
# Configure this Discovery Server
spring:
cloud:
consul:
host: localhost
port: 8500
bootstrap.yml
spring:
application:
name: service-name