Conditional enabling of HTTPS in Springboot application - spring-boot

I would like to enable or disable the SSL/TLS with external configuration which can be provided during the application startup.
The application should support all crud operations for http and https.
## SSL
server.port=8081
server.ssl.key-store=file:C:\\Users\\karthik\\hnm.p12
server.ssl.key-store-password=C*GSYS
server.ssl.keyStoreType=PKCS12
These properties are defined in application.properties
#Spring Security
security.require-ssl=false
Since the above property is deprecated, how can i achieve it without using the profiles.

To disable SSL, you can use:
server.ssl.enabled = false
Have a look at the server properties documentation for details.

The properties if defined in application.yml
server:
tomcat:
accesslog:
enabled: true
ssl:
key-store-type: PKCS12
key-store: file:C:\\Users\\karthik\\hnm.p12
enabled: true
protocol: TLS
key-store-password: C*GSYS
enabling and disabling the HTTPS can be achieved without code change.
Tried and tested in Sprint boot 2.2.4.RELEASE

Related

Spring cloud config server share binary file

I am using spring configuration server.
While setting up Kafka, I came across the fact that I need to somehow specify binary certificates
spring:
kafka:
ssl:
truststore:
location: /filepath/trust_cert.jks
password: 1234
keystore:
location: /filepath/keystore_cert.jks
password: 1234
Can I somehow put them on the configuration server, and in this case, what should I write to the config, where the path to the file is expected?
I really don’t want to manually upload them to each server, I would like the configuration server to give them
Of course, these urls must be protected, just like configuration server urls

How to connect Hibernate elasticsearch use SSL with quarkus?

I connect ES without SSL is success
but when I enabled SSL then error:
file application.yml
quarkus:
ssl:
native: true
native: additional-build-args: -J-Djavax.net.ssl.trustStore=tls.crt,-J-Djavax.net.ssl.trustStorePassword=changeit
with tls.crt is file crt
Who help me or suggest keyword this problem.
Thanks.

Spring Boot HTTPS on localhost

I had this working on localhost about a month ago, but when I came back to the project, hitting the URL results in a "This site can’t provide a secure connection" error in the browser. For reference, I believe I had used this site as a guide to get it set up: https://www.thomasvitale.com/https-spring-boot-ssl-certificate/
I'm running the project with the bootRun Gradle task and the default embedded Tomcat server. The following configuration is set:
/grails-app/conf/application.yml
spring:
profiles: development
server:
port: 8092
ssl:
enabled: true
key-store: classpath:keystore.jks
key-store-password: password
key-store-type: pkcs12
key-alias: alias
key-password: password
The keystore is located at /src/main/resources/keystore.jks.
I don't see any errors in the console indicating any issues opening or accessing the keystore so I'm at a loss as to what might have changed. Is there a better guide than the one linked above that would give me other things to check for issues?
Eventually, I tried changing the password field to something I knew was not the password and the app started without errors. This led me to determine that the YAML file was not being picked up by bootRun. Removing the Spring profile config at the top of the YAML file then caused the app to error because of the incorrect password.
This led me to realize that somehow the active profile configuration in my Gradle bootRun task was reset. Adding -Dspring.profiles.active=development to the VM options fixes the problem.

Spring Boot project with SSL / HTTPS not working on AWS Elastic Beanstalk

My Spring Boot project works fine on https / ssl, when serving locally, using a p12 cert, but fails when uploading to AWS Elastic Beanstalk.
The following is the application.properties configuration:
security.require-ssl=true
server.use-forward-headers=true
server.port=8443
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: jonathan
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
The WebSecurityConfigurerAdapter subclass, configure(HttpSecurity http) method, contains the following line, to enable HTTPS / SSL:
http.requiresChannel().antMatchers("/**").requiresSecure();
Attached is classic load configurer configuration, inside AWS elastic beanstalk console:
Here is the SSL Certificate issued with the grasshapper.net domain, under AWS Certificate Manager:
I also have settings for under .ebextensions, the file with path is, src/main/resources/.ebextensions/.config (not sure if even needed):
option_settings:
aws:elb:listener:8443:
SSLCertificateId: [keeping private]
ListenerProtocol: HTTPS
InstancePort: 80
InstanceProtocol: HTTP
aws:elb:listener:80:
ListenerEnabled: false
Note (SSLCertifcateId): the ID is taken from the ARN, my AWS Certifcate manager SSL Certificate (if you expand the SSL Certificate you will see the ARN).
Does the proxy have a trusted IP address?
By default, IP addresses in 10/8, 192.168/16, 169.254/16 and 127/8 are
trusted. You can customize the valve’s configuration by adding an
entry to application.properties, as shown in the following example:
server.tomcat.internal-proxies=192\.168\.\d{1,3}\.\d{1,3}
Reference: https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/html/howto-embedded-web-servers.html#howto-customize-tomcat-behind-a-proxy-server

How to configure SSL in Grails 3.1.6+?

We recently changed from using standalone Tomcat 8 containers to using the embedded Tomcat 8 container. We are having some trouble getting SSL to work on Grails 3.1.6 with the embedded container. We had been using the certificateFile approach with APR Native Libraries with the standalone container. We would like to keep this approach with the embedded Tomcat instead of changing to the keystore approach. I tried the Grails documentation, went deep into the Spring Boot embedded container documentation, but haven't found a working solution yet.
I tried many different configuration approaches in the application.yml. Based on several different pieces of documentation, sources, etc. my latest attempt was:
environments:
test:
grails:
server:
port: 8443
ssl:
enabled: true
certificateKeyFile: '/usr/share/app/my_domain_net.key'
certificateFile: '/usr/share/app/my_domain_net.crt'
certificateChainFile: '/usr/share/app/myCA.crt'
serverURL: "https://test.mydomain.net:8443"
tomcat:
port: 8443
ssl:
enabled: true
certificateKeyFile: '/usr/share/app/my_domain_net.key'
certificateFile: '/usr/share/app/my_domain_net.crt'
certificateChainFile: '/usr/share/app/myCA.crt'
I also tried adding this to the end of the application.yml:
server:
port: 8443
ssl:
enabled: true
certificateKeyFile: '/usr/share/app/my_domain_net.key'
certificateFile: '/usr/share/app/my_domain_net.crt'
certificateChainFile: '/usr/share/app/myCA.crt'
but this gave me a 'resource location may not be null' error. Most examples and questions I see are quite dated at this point. Time to ask a fresh question on stackoverflow. Thanks in advance!
It was not possible to use the openssl certificateKeyFile approach, even with the APR native libraries loaded on LD_LIBRARY_PATH. (I think it may be possible if you edit grails-app/init/myapp/Application.groovy and follow the Spring
documentation for adding an additional connector (at paragraph 70.9 of http://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-servlet-containers.html), but this is difficult and you need to read the org.springframework sources to figure out how to make this work with openssl certificates and APR Native.) For me, it wasn't worth it, so here is how you do it using the keystore approach.
I had to re-key the certificate using the Tomcat keytool method.
Then, the application.yml was updated to look like this:
---
---
environments:
development:
server:
port: 8080
ssl:
enabled: false
grails:
serverURL: "http://localhost:8080"
---
---
environments:
test:
server:
port: 8443
ssl:
enabled: true
key-store: classpath:my_domain_net.jks
key-store-password: mypassword
key-password: mypassword
grails:
serverURL: "https://test.mydomain.net:8443"
My process for preparing the certificate was:
1) create a directory for ssl_certificates
2) pick a Certificate Authority (I chose DigiCert)
3) use the CA's instructions for generating a csr for Tomcat:keytool
4) the CA's keytool command asks for a keystore password and key password
5) submit the csr and wait ~10 minutes for the cert to be issued
6) download the issued certificate as my_domain_net.p7b into the
ssl_certificates folder created above
7) keytool -import -trustcacerts -alias server -file my_domain_net.p7b \
-keystore my_domain_net
8) copy my_domain_net.jks into src/main/resources/ of your web project.

Resources