Spring boot application not able to connect GCP Mysql instance using SSl - spring-boot

I am trying to establish SSL connection between spring boot application and GCP MySQL instance.
For that have generated and downloaded 'client-cert.pem', 'client-key.pem' and
'server-ca .pem' from GCP.
Followed below steps:
Step 1: generated 'my-cert.p12' file
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out my-cert.p12
Step 2 : imported 'my-cert.p12' file
keytool -importkeystore -srckeystore D:\my-cert.p12 -destkeystore ./cacerts -srcstoretype PKCS12 -deststorepass changeit
setp 3 : converted 'server-ca.pem' to 'server-ca.der'
openssl x509 -in server-ca.pem -inform pem -out server-ca.der -outform der
step 4 : imported 'server-ca.der'
keytool -importcert -alias gcp-mysql-ca -keystore ./cacerts -storepass changeit -file D:\server-ca.der
step 5: configured spring boot application.properties file:
spring.datasource.url= jdbc:mysql://xxx.xxx.xxx.xxx:3306/xxx?useUnicode=true&characterEncoding=utf8&useSSL=true&requireSSL=true
When I run spring boot application, getting below exception:
Caused by: java.sql.SQLException: Access denied for user
'root'#'XXX.XXX.XXX.XX' (using password: YES)
Can anyone suggest a good way to install GCP MySQL SSL certificate and configure it in Spring Boot application?

Have you considered using the Spring Cloud GCP SQL integration?
You could use a Google OAuth2 credential and Spring Cloud GCP would take care of the rest.
https://github.com/spring-cloud/spring-cloud-gcp
https://docs.spring.io/spring-cloud-gcp/docs/1.0.0.M2/reference/htmlsingle/#_spring_jdbc

Related

Getting Invalid keystore format when running Springboot Application

Trying to use https for my springboot application and followed the below steps:
Created the keystore for the certificate and generated Private Key:
keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -keystore keystore.jks
Generated the CSR with above keytool and private key
keytool -certreq -alias tomcat -file your.csr -keystore keystore.jks
Recived and install certificate on server succesfully
keytool -import -trustcacerts -alias tomcat -file certificate.p7b -keystore keystore.jks -storepass ******
Configured the application with the below:
server.port=8443
server.ssl.key-store-type=JKS
server.ssl.key-store=/path/certificate.p7b
server.ssl.key-store-password=******
server.ssl.key-alias=tomcat
server.ssl.enabled=true
However I keep getting java.io.IOException: Invalid keystore format when I try to run the application.
Am I using the wrong store key type?
Do I have to use PKCS12 insted of JKS as keystore type?

How to Enable SSL in Spring boot

I want to use SSL on my server, therefore I have bout an SSL certificate, however the certificate had two parts one of them is the intermediate.
Now how to create the keystore for them?
What I did is the following:
1- chained both certificates and put them in one file.
2- I have usedd the next command to generate the keystore from the (chained certificate)
keytool -import -alias tomcat -file myCertificate.crt -keystore keystore.p12 -storepass password
3- I have add this code into my spring boot:
server.ssl.key-store: C:/Program Files/Java/jdk1.8.0_231/bin/keystore.p12
server.ssl.key-store-password: password
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
But I am still having the next issue:
'Alias name [tomcat] does not identify a key entry'
From looking into google I have found out that the issu is my keystore is generating my certificate as trustedCertEntry instead of PrivateKeyEntry.
How to fix this and what am I missing?

Enabling SSL with Spring Boot restful apis for production

I want to add SSL certificate to restful web API, I had tried to by adding self signed certificate but it can not be used for production.
How to add aws public certificate to it?
Try with self signed key first.
Generate a SSL key by this Command.
keytool -genkey -alias https-example -storetype JKS -keyalg RSA -keysize 2048 -validity 365 -keystore https-example.jks
A file named https-example.jks will get generated by above command so put that inside src/main/resources along with application.properties
put below code in application.properties
server.port=8443
server.ssl.key-alias=https-example
server.ssl.key-store-type=JKS
server.ssl.key-password=password
server.ssl.key-store=classpath:https-example.jks
access api url like below.
https://localhost:8443/apiURL
For AWS by SSL certificates from one of the many vendors like GoDaddy etc. and put those certificates and update application.properties.

How do I generate X.509 certificate from key generated by openssl

I've a web server running on an ec2-instance which internally calls a REST server that is built using Spring Boot. Now, I am trying to get this REST server running under SSL. Here's what I've done so far:
1) Created a CSR & a key file using this command
openssl req -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
2) Copied 'csr' to get SSL certificate from GoDaddy.
3) Successfully installed the certificate under Nginx on my ec2-instance.
4) When I hit the home page under https, it works. I no longer get 'Not secure' message from the browser.
5) Login fails because it makes a REST call but REST server is not running under SSL so I am trying to get it running under SSL.
6) Ran following commands:
keytool -import -alias mydomain -keystore tomcat.keystore -trustcacerts -file mydomain.com.chained.crt
keytool -import -alias mydomain-key -keystore tomcat.keystore -trustcacerts -file mydomain.key
The previous command gives me an error message:
"keytool error: java.lang.Exception: Input not an X.509 certificate"
But this was the one created in step 1 above & the same file works under Nginx. What am I missing (other than the fact that I know very little about setting up SSLs!)? I need the second command to specify the value of 'server.ssl.keyAlias' in application.properties, I believe.
Not really an answer but overflowed comment.
You don't need to 'generate' an X.509 cert; you already got that from GoDaddy. If (and only if) the SpringBoot server is accessed by the same name(s) as (external) nginx -- which is unclear to me -- you need to convert the pair of private key AND certificate CHAIN from PEM format to a format Java uses. See:
How to import an existing x509 certificate and private key in Java keystore to use in SSL?
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
How to use .key and .crt file in java that generated by openssl?
Importing the private-key/public-certificate pair in the Java KeyStore
maybe Import key and SSL Certificate into java keystore
Thanks #Dave_thompson_085. Following 2 commands did the trick!
openssl pkcs12 -export -in mydomain.com.chained.crt -inkey mydomain.key -out keystore.p12 -name my-alias -caname root
keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias my-alias
and then in the application.properties I specified following properties:
server.port=8443
server.ssl.enabled=true
security.require-ssl=true
server.ssl.key-store=/etc/nginx/ssl/keystore.jks
server.ssl.key-store-password=mypassword
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=my-alias

SAML HTTPS connection with kennisnet staging environment

I took sample webapp from https://github.com/vdenotaris/spring-boot-security-saml-sample and it is working file. Later. I tried to connect kennisnet staging environment.
Kennisnet details here
https://developers.wiki.kennisnet.nl/index.php?title=KNF:Hoofdpagina/en
I updated metadata which is downloadable from this url https://hub-s.entree.kennisnet.nl/openaselect/profiles/saml2/
I generated smalKeyStore.jks using below commands
keytool -genkey -alias tomcat -keyalg RSA -keystore samlKeyStore.jks
keytool -importkeystore -srckeystore samlKeyStore.jks -destkeystore
samlKeyStore.jks -deststoretype pkcs12
I followed all Spring SAML https threads in stackoverflow and not able to figure it out this issue.
LOGS:
Add the certificate to your JDK so that your application can get the metadata from URL https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2.
These are the steps you need to fillow:
Download the certificate for aselect-s.entree.kennisnet.nl
Import the certificate to your JDK/JRE using this command:
keytool -keystore #path to java_home#/lib/security/cacerts -importcert -alias #anything relevent# -file #path to certificate#
Make sure your server is using same java_home where you are importing the certificate, also verify the subjectname in the certificate before importing, it must be "CN = *.entree.kennisnet.nl"
Restart the server.

Resources