Why is cacerts ignored in Spring Saml? - spring-saml

I've made an implementation based on this with a FilesystemMetadataProvider: https://github.com/vdenotaris/spring-boot-security-saml-sample
To make the SSL handshake work for the artifact binding I had to put/trust the CA certificate for the IDP in the java keystore used by the keyManager.
I would rather have used the cacerts on the jre in case the IDP changed CA, but I haven't been able to find any property to set so that Spring SAML looks inside that instead.
Also this answer suggest that the cacert is ignored altogheter:
Spring Security SAML - HTTPS connections
Why is the cacert ignored in Spring SAML? This seems like a deficiency for me.
I have checked that the CA for the IDP is in the cacert file for my jre. If i remove the beans related to TLS/socket factory from the config it still fails.

Yes, cacerts is ignored. Spring SAML uses custom implementations for handling of trust, with an intention of providing more control over the system's security. You can always quite easily copy over all certificates from cacerts to samlKeystore.

Your custom certificate/JDK default certificate must have IDPs certicate imported as trust .
Your custom certificate used in JKS manager must have at-least one private key.
Please import your trust in JDK_PATH/jre/lib/securitycacerts and try the command wget <your_idp_descriptor_url>

Related

Use valid SSL certificate with spring boot

I have CA trusted SSL certificate in the format of .p7b, .crt, .ca-bundle and also private key file .crt.
I want to run spring boot web service application over https. It is showing "Your connection is not private" error on the browser.
I tried to import .p7b and .crt file into .jks but since I do not know the correct alias and password, it is throwing keytool error: java.lang.Exception: Input not an X.509 certificate exception.
Please give a solution to use these valid certificate with spring boot application.
Provide format of application-https.properties.

Defining trust-store and key-store information in spring boot application with external tomcat

I have configured my trustsore and keystore information in the external tomcat's server.xml in the Connector tag. The certificates are stored in the tomcat's /base/lib directory.
I need to deploy a spring boot application to this external tomcat.
How can I make the information about trustsore and keystore available to the spring boot application?
Where in the spring boot application do I need to store the trsustore and keystore .jks files?
I did the same with the datasource in Resource tag in server.xml, and in spring boot application I used
spring.datasource.jndi-name=some name to jndi. How can I configure the same for trsustore and keystore?
The keystore and truststore in Tomcat's <Connector> have a single purpose:
the keystore contains the certificate (and private key) used by the server's SSL port,
the truststore contains the list of CAs, which are trusted if mutual SSL authentication is enabled.
Therefore these settings are specific to each deployment of your application. You shouldn't provide them yourself.
You should only provide system administrators a way to configure those settings. In your case Spring Boot already takes care of it (cf. server.ssl properties).
See also:
What is the difference between javax.net.ssl.keyStore and server.ssl.key-store properties when specifying keystore for a SpringBoot app

TrustStore configuration issue in Spring feign with SSL enabled

I have two different spring boot application with SSL enabled in it and also there is an eureka discovery server and these two applications are linked to eureka server.I need to make some https call between these two SSL enabled applications. So I decided to go ahead with feign client .Eureka is able to resolve https url properly for feign client. But while making the call I'm getting "unable to find valid certification path to requested target". I can understand this error is because public key of my client application is not present in truststore of the application from which I'm making feign call. I have already added the public key in my custom truststore, But it is of no use.Property file for the same is below
server.ssl.enabled=true
server.ssl.key-store=classpath:springboot.p12
server.ssl.key-store-password= Pass#123
server.ssl.keyStoreType= PKCS12
server.ssl.keyAlias= springboot
server.ssl.trust-store=classpath:springboot.jks
server.ssl.trust-store-password=Pass#123
eureka.instance.nonSecurePortEnabled=false
eureka.instance.securePortEnabled=true
After digging more into the issue I found that "server.ssl.trust-store" property will set truststore in the embeded tomcat server of spring boot application, But some have my https call is taking default JDK truststore. When I added system properties in my application then everything is working fine. But with spring boot properties file configuration it is not working .
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
I feel setting system properties is an workaround and I'm looking for a better solution .
I even tried enabling ribbon client and added "ribbon.IsSecure=true" property also. But still getting the same issue.
Can someone please provide a suggestion for the same.
Thank you

use of samlKeystore.jks in Spring SAML extension

I am new to SSO and Sping SAML extension.
i have implemented Spring SAML extension into our application where our application acts as a SP. i have following question related to our requirement.
1) I would like to understand the use of samlKeystore.jks in Spring saml extension
2) I would like to know if we can skip the use of samlKeystore.jks in any manner.
Basically the reason for this the client can give us information on Just the meta data
and nothing apart from that.if we are using samlKeystore.jks do we need anything else
If you don't need to sign SAML protocol message or encrypt SAML assertions you don't need the keystore. However some SAML Bindings mandates or at least highly recommend to sign so that the protocol messages are not tampered with at the user agent.
The keystore is used for storage of private certificates used to digitally sign messages created by the Service Provider and decrypting of messages sent from Identity Providers.
Spring SAML currently requires you to have at least a default key available, even in case it won't get used.

Spring WS security-accessing keystore that is not on the class path

I am new to spring web services and am currently trying to implement spring-ws security for secure transport and encryption/decryption of incoming and outgoing SOAP messages. We have a keystore on our server that is installed in the conf directory under Tomcat. How do I reference that keystore in my spring web app? I'd like to avoid having to move the keystore since it will be utilized by other applications in the future. I've searched for answers most of yesterday, but all the examples I've come across put the keystore file on the class path.
I am assuming you are using WSS4J with Spring-WS, you can put any valid resource to refer to the certificate location.
eg.
<property name="keyStoreLocation" value="file://C:/tomcat/.."/>

Resources