- One front end Application (client) with /hello endpoint.
- One Backend application (server) with /hello endpoint.
- Server has a TCP routes with mutual SSL enabled
- Client use restTemplate to communicate with server through mutual SSL
- Using VAULT to store keystores
- Enable java ssl debug
- Have a tcp domain/routes enabled and point the DNS record to tcp load balancer
Shaozhen-Ding-MacBook-Pro:mutualssl sding$ cf domains
Getting domains in org test as admin...
name status type
cfapps.haas-50.pez.pivotal.io shared
mutulssl-server.shaozhenpcf.com shared tcp
-
Generate Certificates
-
This script generates client and server keystores, trust-stores and certificates.
-
Import client cert to server trust store
-
Import server cert to client trust store
-
Place them to src/main/resources folder to client and server projects
-
generate_keystore.sh [SERVER_DOMAIN] [CLIENT_DOMAIN]
E.g ./generate_keystore.sh mutulssl-server.shaozhenpcf.com mutualssl-client.cfapps.haas-50.pez.pivotal.io
- Build the project
mvn package
- Configure the backend server on manifest.yml
---
applications:
- name: mutualssl-client
memory: 512M
path: client/target/client-0.0.1-SNAPSHOT.jar
env:
BACKEND_SERVER: https://mutulssl-server.shaozhenpcf.com:5000/hello
-
Configure the client keystores
Currently there are two ways to inject the client keystores to JVM.
-
Through environment variables
applications: - name: mutualssl-client memory: 512M path: client/target/client-0.0.1-SNAPSHOT.jar env: BACKEND_SERVER: https://mutulssl-server.shaozhenpcf.com:5000/hello KEY_STORE: /home/vcap/app/BOOT-INF/classes/client.jks KEY_STORE_PASSWORD: s3cr3t TRUST_STORE: /home/vcap/app/BOOT-INF/classes/client_trust.jks TRUST_STORE_PASSWORD: s3cr3t BACK_END: ENV -
Through VAULT
Implementation Details: Load keystore files with base64 encoding to vault. Use Java to grab the keystores, decode, create a temp jks file and load to JVM
Using Vault CLI to load key stores ./import_keystore_vault.sh --- applications: - name: mutualssl-client memory: 512M path: client/target/client-0.0.1-SNAPSHOT.jar env: BACKEND_SERVER: https://mutulssl-server.shaozhenpcf.com:5000/hello KEY_STORE: jks_store/client KEY_STORE_PASSWORD: secret/client_pass TRUST_STORE: jks_store/client_trust TRUST_STORE_PASSWORD: secret/client_trust_pass BACK_END: VAULT VAULT_SERVER: http://10.193.53.7:8200 VAULT_TOKEN: 7c51e5f5-c909-2943-3657-a1c63305f11d -
-
cf push
Shaozhen-Ding-MacBook-Pro:mutualssl sding$ cf apps
Getting apps in org test / space staging as admin...
OK
name requested state instances memory disk urls
mutualssl-client started 1/1 512M 1G mutualssl-client.cfapps.haas-50.pez.pivotal.io
mutualssl-server started 1/1 512M 1G mutulssl-server.shaozhenpcf.com:5000
- Access client app through browser or curl
https://mutualssl-client.cfapps.haas-50.pez.pivotal.io/hello
-
It returns the message from the backend server
-
Watch the ssl handshake on both client and server side logs
-
If access server directly through curl or browser. It will fail (Watch logs see the client cert request failure)