I have spring boot services using spring-boot-kafka (similar config to https://www.baeldung.com/spring-boot-kafka-ssl ).
I have short lived certificates (7 days) accesible from a shared network file system to all my services that are daily updated, so the keystore file is overwritten with the new cert.
Would the kafka client connection "reload" the certificates in the truststore / keystore locations automatically after detecting the current certificate is not valid anymore? If not, how can I refresh my spring kafka client connections so it uses the more up to date certs in the keystore / truststore without restarting my apps or losing messages?
I'm using spring boot 3.0.0 with org.springframework.kafka:spring-kafka:3.0.0 (org.apache.kafka:kafka-clients:3.3.1).
This question addresses partially the problem but not from the spring kafka perspective
The brokers seem to be doing it already.
Related
I have created an image of my TWAS application and deployed it in a container inside an openshift POD. In my TWAS ND I use to go to the admin console WebSphere environment truststore on a node on a virtual machine and set up TLS certificates so my application can have communication with external API's in the secure communication channel HTTPS. These certificates are public certificates and don't have any private keys. They are .crt and .pem files. Now I am wondering how I can set up my third-party TLS certificates for my application running inside the POD as a container? I don't want to make any code changes to my J2EE application which I have migrated from on-prem VM to Openshift.
Note: I am using TWAS base runtime here and not liberty for my newly migrated J2EE app on openshift.
When you build your application image, you can add a trusted signer and a short script into /work/ prior to configure.sh
https://www.ibm.com/docs/en/was/9.0.5?topic=tool-signercertificatecommands-command-group-admintask-object#rxml_atsignercert__cmd1
AdminTask.addSignerCertificate('[-keyStoreName NodeDefaultTrustStore -certificateAlias signer1 -certificateFilePath /work/signer.pem -base64Encoded true]')
AdminConfig.save()
The root signer might not be either the pem/crt you have, those could be the issued certificate and the signers. WebSphere allows you to setup the trust at any level, but it's ideal to trust the root CA that issued the cert.
We've also used a technique of importing a trust store into a Secret and mounting that into the expected location in the pods. This might make sense if you want to isolate any certificate changes from the app build cycle.
I am using SSL self signed certificates to connect MQTT in rabbit MQ broker. Now I need to update them runtime without restarting server. Rabbit MQ trust store gives good solutions for this, but it read only CA certificate from local whitelisted folder or http endpoint. I need to take server certificate and server key from external whitelisted folder or http endpoint. Can I do this using rabbitmq-trust-store plugin or else have any other solution for this.
No need to restart server. Put the new certificate in correct place and wait for a few minutes. Certificates automatically update.
Is it possible to use Kafka with SSL encryption but with no server verification nor client authentication?
I know that by default the latter is disabled, but is it possible to also disable the former?
I encountered the similar problem. Since kafka is a java process, it will load the default jdk certs when running, which is under /usr/local/jdk/jre/lib/security/cacerts. if your server is trusted there, (in my scenario, my kakfa server is MSK, and is trusted already), then you don't have to config all the keys and certs.
So all in all, I only added kafka config of security.protocol=SSL and it worked.
I've created a Spring Boot application that I'm running as a poor man's daemon to call another Java service on another tomcat instance. I'm getting an SSL error when connecting to the other Java service but if I hit the other service with something like SoapUi(or Postman) using the same URL and headers I get an OK response. So something must be wrong with my Spring Boot configuration.
I'm using the same JKS for Spring Boot and SoapUI. I've tried using the cert in the application.properties as well as specifying it on the command line using -Djavax.net.ssl.keyStore as well as the related password parameter.
When I run the other service locally without SSL I can connect just fine via my Spring Boot application.
The SSL error I'm getting is: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
Best I can think is that SoapUI(or Postman) identify's itself as a client application and my Spring Boot identifies itself as a server? So I think I'm asking how can I make Spring Boot identify itself as a client but I'm still not sure I understand the SSL error to begin with.
You have a multitude of problems. First off, soapui doesn't do verification of the server SSL certificate when it connects, java by default does not. You can however configure java client to also ignore server cert verification.
How to ignore depends on what client you use, apache httpclient is the most common one and you can find details on that in this thread.
Now, you should not really do that. Instead, you should have a trust store that contains the certificates that would validate the server cert. In that case you would be interested in truststore configuration, not a keystore - keystore is for other way around, when you're identifying yourself to some other party. You'd need to import the root CA and intermediate certificates to your trust store, then point to that in your configuration.
I'm using RoboMQ to build a MQ to MQ service over SSL. I've got a keystore (key.jks) and I'm setting the following system properties to configure the SSL:
javax.net.ssl.keyStore
javax.net.ssl.trustStrore
javax.net.ssl.keyStorePassword
However, our email server requires SSL and setting up SSL in this way in RoboMQ stops it from working - I guess because it overrides the default cacerts which has the certificates in that the email client needs.
How can I get these 2 things to play nicely together?
You are correct - setting the above system properties will override cacerts JVM
wide. You need to use a custom socket factory for the SSL MQ connections
The RoboMQ SDK provides support for this via:
com.am.robomq.sdk.camelSpring.RoboSSLSocketFactory
But the easiest way to build your Camel MQ endpoints is to use the MQ Connection Wizard:
http://www.robomq.com/product_manual/index.html#serviceBuilderPanel
It basically lets you to pick a connection factory from your connection palette
and then generates the Spring definitions needed by Camel.