Specifying trust store information in spring boot application properties

Question

I am using springBootVersion 1 2 0 RELEASE  I m trying to have my keystore and truststore configured through application properties   When I add the following settings  I can get the keystore to work  but not the truststore   server ssl key-store classpath foo jks server ssl key-store-password password server ssl key-password password server ssl trust-store classpath foo jks server ssl trust-store-password password   However  if I add the truststore through gradle   bootRun       jvmArgs      -Djavax net ssl trustStore c   foo jks    -Djavax net ssl trustStorePassword password       it works just fine   Has anyone used the application properties for trust stores

User · Answer

I was also having the same issue with Spring Boot and embedded Tomcat.

From what I understand these properties only set the Tomcat configuration parameters. According to the Tomcat documentation this is only used for Client authentication (i.e. for two-way SSL) and not for verifying remote certificates:

truststoreFile - The trust store file to use to validate client certificates.

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

In order to configure the trust store for HttpClient it largely depends on the HttpClient implementation you use. For instance for RestTemplate by default Spring Boot uses a SimpleClientHttpRequestFactory based on standard J2SE classes like java.net.HttpURLConnection.

I've come up with a solution based on the Apache HttpClient docs and these posts: http://vincentdevillers.blogspot.pt/2013/02/configure-best-spring-resttemplate.html http://literatejava.com/networks/ignore-ssl-certificate-errors-apache-httpclient-4-4/

Basically this allows for a RestTemplate bean that only trusts certificates signed by the root CA in the configured truststore.

@Configuration
public class RestClientConfig {

    // e.g. Add http.client.ssl.trust-store=classpath:ssl/truststore.jks to application.properties
    @Value("${http.client.ssl.trust-store}")
    private Resource trustStore;

    @Value("${http.client.ssl.trust-store-password}")
    private char[] trustStorePassword;

    @Value("${http.client.maxPoolSize}")
    private Integer maxPoolSize;


    @Bean
    public ClientHttpRequestFactory httpRequestFactory() {
        return new HttpComponentsClientHttpRequestFactory(httpClient());
    }

    @Bean
    public HttpClient httpClient() {

        // Trust own CA and all child certs
        Registry<ConnectionSocketFactory> socketFactoryRegistry = null;
        try {
            SSLContext sslContext = SSLContexts
                    .custom()
                    .loadTrustMaterial(trustStore.getFile(),
                            trustStorePassword)
                    .build();

            // Since only our own certs are trusted, hostname verification is probably safe to bypass
            SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext,
                    new HostnameVerifier() {

                        @Override
                        public boolean verify(final String hostname,
                                final SSLSession session) {
                            return true;
                        }
            });

            socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("http", PlainConnectionSocketFactory.getSocketFactory())
                    .register("https", sslSocketFactory)
                    .build();           

        } catch (Exception e) {
            //TODO: handle exceptions
            e.printStackTrace();
        }

        PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
        connectionManager.setMaxTotal(maxPoolSize);
        // This client is for internal connections so only one route is expected
        connectionManager.setDefaultMaxPerRoute(maxPoolSize);
        return HttpClientBuilder.create()
                .setConnectionManager(connectionManager)
                .disableCookieManagement()
                .disableAuthCaching()
                .build();
    }

    @Bean
    public RestTemplate restTemplate() {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.setRequestFactory(httpRequestFactory());
        return restTemplate;
    }    
}

And then you can use this custom Rest client whenever you need to, e.g.:

@Autowired
private RestTemplate restTemplate;

restTemplate.getForEntity(...)

This assumes your trying to connect to a Rest endpoint, but you can also use the above HttpClient bean for whatever you want.

User · Answer

If you are in Spring  try just add properties for it  use needed properties   and it should work for total JVM  javax    net      ssl        key-store-password    KEYSTORE SECRET        key-store-type  PKCS12       trust-store-password    TRUSTSTORE SECRET        trust-store-type  PKCS12

User · Answer

Although I am commenting late  But I have used this method to do the job  Here when I am running my spring application I am providing the application yaml file via -Dspring config location file  location-to-file config-server-vault-application yml which contains all of my properties  config-server-vault-application yml                                     server    port  8888   ssl      trust-store   trust-store config-server-trust-store jks     trust-store-password  config-server     trust-store-type  pkcs12                                       Java Code                                       SpringBootApplication public class ConfigServerApplication     public static void main String   args  throws IOException       setUpTrustStoreForApplication        SpringApplication run ConfigServerApplication class  args        private static void setUpTrustStoreForApplication   throws IOException       YamlPropertySourceLoader loader   new YamlPropertySourceLoader        List lt PropertySource lt   gt  gt  applicationYamlPropertySource   loader load               config-application-properties   new UrlResource System getProperty  spring config location          Map lt String  Object gt  source     MapPropertySource  applicationYamlPropertySource get 0   getSource        System setProperty  javax net ssl trustStore   source get  server ssl trust-store   toString         System setProperty  javax net ssl trustStorePassword   source get  server ssl trust-store-password   toString

User · Answer

I had the same problem with Spring Boot  Spring Cloud  microservices  and a self-signed SSL certificate  Keystore worked out of the box from application properties  and Truststore didn t   I ended up keeping both keystore and trustore configuration in application properties  and adding a separate configuration bean for configuring truststore properties with the System    Configuration public class SSLConfig        Autowired     private Environment env        PostConstruct     private void configureSSL             set to TLSv1 1 or TLSv1 2       System setProperty  https protocols    TLSv1 1             load the  javax net ssl trustStore  and          javax net ssl trustStorePassword  from application properties       System setProperty  javax net ssl trustStore   env getProperty  server ssl trust-store            System setProperty  javax net ssl trustStorePassword  env getProperty  server ssl trust-store-password

User · Answer

I have the same problem  I ll try to explain it a bit more in detail   I m using spring-boot 1 2 2-RELEASE and tried it on both Tomcat and Undertow with the same result   Defining the trust-store in application yml like   server    ssl      trust-store  path-to-truststore        trust-store-password  my-secret-password      Doesn t work  while     java -Djavax net debug ssl -Djavax net ssl trustStore path-to-truststore    -Djavax net ssl trustStorePassword my-secret-password    -jar build libs   jar     works perfectly fine   The easiest way to see the difference at rutime is to enable ssl-debug in the client  When working  i e  using -D flags  something like the following is written to the console  during processing of the first request    trustStore is  path-to-truststore    trustStore type is   jks trustStore provider is   init truststore adding as trusted cert    Subject  C      ST      O      OU      CN       Issuer   C      ST      O      OU      CN       Algorithm  RSA  Serial number  0x4d2   Valid from Wed Oct 16 17 58 35 CEST 2013 until Tue Oct 11 17 58 35 CEST 2033   Without the -D flags I get   trustStore is   Library Java JavaVirtualMachines jdk1 8 0 11 jdk Contents Home jre lib security cacerts trustStore type is   jks trustStore provider is   init truststore adding as trusted cert       one for each CA-cert in the defult truststore       and when performing a request I get the exception   sun security validator ValidatorException  PKIX path building failed  sun security provider certpath SunCertPathBuilderException  unable to find valid certification path to requested target   Hope it helps to understand the issue better

User · Answer

Here my extended version of Oleksandr Shpota s answer  including the imports  The package org apache http   can be found in org apache httpcomponents httpclient  I ve commented the changes   import org apache http client HttpClient  import org apache http conn ssl NoopHostnameVerifier  import org apache http conn ssl SSLConnectionSocketFactory  import org apache http conn ssl TrustSelfSignedStrategy  import org apache http impl client HttpClients  import org apache http ssl SSLContexts  import org springframework beans factory annotation Autowired  import org springframework beans factory annotation Value  import org springframework core io Resource  import org springframework http client HttpComponentsClientHttpRequestFactory  import org springframework web client RestTemplate    Value    http client ssl key-store    private Resource keyStore    Value    http client ssl trust-store    private Resource trustStore      I use the same pw for both keystores   Value    http client ssl trust-store-password    private String keyStorePassword      wasn t able to provide this as a  Bean     private RestTemplate getRestTemplate       try       SSLContext sslContext   SSLContexts custom              keystore wasn t within the question s scope  yet it might be handy           loadKeyMaterial              keyStore getFile                keyStorePassword toCharArray                keyStorePassword toCharArray             loadTrustMaterial              trustStore getURL                keyStorePassword toCharArray                   use this for self-signed certificates only              new TrustSelfSignedStrategy             build         HttpClient httpClient   HttpClients custom              use NoopHostnameVerifier with caution  see https   stackoverflow com a 22901289 3890673          setSSLSocketFactory new SSLConnectionSocketFactory sslContext  new NoopHostnameVerifier              build         return new RestTemplate new HttpComponentsClientHttpRequestFactory httpClient        catch  IOException   GeneralSecurityException e        throw new RuntimeException e

User · Answer

In case if you need to make a REST call you can use the next way   This will work for outgoing calls through RestTemplate   Declare the RestTemplate bean like this    Configuration public class SslConfiguration        Value    http client ssl trust-store        private Resource keyStore       Value    http client ssl trust-store-password        private String keyStorePassword        Bean     RestTemplate restTemplate   throws Exception           SSLContext sslContext   new SSLContextBuilder                    loadTrustMaterial                          keyStore getURL                            keyStorePassword toCharArray                     build            SSLConnectionSocketFactory socketFactory                    new SSLConnectionSocketFactory sslContext           HttpClient httpClient   HttpClients custom                    setSSLSocketFactory socketFactory  build            HttpComponentsClientHttpRequestFactory factory                    new HttpComponentsClientHttpRequestFactory httpClient           return new RestTemplate factory             Where http client ssl trust-store and http client ssl trust-store-password points to truststore in JKS format and the password for the specified truststore   This will override the RestTemplate bean provided with Spring Boot and make it use the trust store you need

User · Answer

java properties  quot javax net ssl trustStore quot  and  quot javax net ssl trustStorePassword quot  do not correspond to  quot server ssl trust-store quot  and  quot server ssl trust-store-password quot  from Spring boot  quot application properties quot    quot application yml quot   so you can not set   quot javax net ssl trustStore quot  and  quot javax net ssl trustStorePassword quot  simply by setting  quot server ssl trust-store quot  and  quot server ssl trust-store-password quot  in  quot application properties quot    quot application yml quot   an alternative of setting  quot javax net ssl trustStore quot  and  quot javax net ssl trustStorePassword quot  is by Spring boot Externalized Configuration below are excerpts of my implementation   Params class holds the external settings  Component  ConfigurationProperties  quot params quot   public class Params         default values  can be override by external settings     public static String trustStorePath    quot config client-truststore jks quot       public static String trustStorePassword    quot wso2carbon quot       public static String keyStorePath    quot config wso2carbon jks quot       public static String keyStorePassword    quot wso2carbon quot       public static String defaultType    quot JKS quot            public void setTrustStorePath String trustStorePath           Params trustStorePath   trustStorePath                        public void settrustStorePassword String trustStorePassword           Params trustStorePassword trustStorePassword             public void setKeyStorePath String keyStorePath           Params keyStorePath   keyStorePath                      public void setkeyStorePassword String keyStorePassword           Params keyStorePassword   keyStorePassword                 public void setDefaultType String defaultType           Params defaultType   defaultType         KeyStoreUtil class undertakes the settings of  quot javax net ssl trustStore quot  and  quot javax net ssl trustStorePassword quot  public class KeyStoreUtil            public static void setTrustStoreParams             File filePath   new File  Params trustStorePath           String tsp   filePath getAbsolutePath            System setProperty  quot javax net ssl trustStore quot   tsp           System setProperty  quot javax net ssl trustStorePassword quot   Params trustStorePassword           System setProperty  quot javax net ssl keyStoreType quot   Params defaultType               public static void setKeyStoreParams             File filePath   new File Params keyStorePath           String ksp   filePath getAbsolutePath            System setProperty  quot Security KeyStore Location quot   ksp           System setProperty  quot Security KeyStore Password quot   Params keyStorePassword                  you get the setters executed within the startup function  SpringBootApplication  ComponentScan  quot com myapp profiles quot   public class ProfilesApplication        public static void main String   args            KeyStoreUtil setKeyStoreParams            KeyStoreUtil setTrustStoreParams            SpringApplication run ProfilesApplication class  args            Edited on 2018-10-03 you may also want to adopt the annotation  quot PostConstruct quot  as as an alternative to execute the setters import javax annotation PostConstruct   import org springframework boot SpringApplication  import org springframework boot autoconfigure SpringBootApplication    SpringBootApplication scanBasePackages   quot com xxx quot    public class GateApplication        public static void main String   args            SpringApplication run GateApplication class  args                   PostConstruct     void postConstruct            setTrustStoreParams            setKeyStoreParams                        private static void setTrustStoreParams             File filePath   new File  Params trustStorePath           String tsp   filePath getAbsolutePath            System setProperty  quot javax net ssl trustStore quot   tsp           System setProperty  quot javax net ssl trustStorePassword quot   Params trustStorePassword           System setProperty  quot javax net ssl keyStoreType quot   Params defaultType               private static void setKeyStoreParams             File filePath   new File Params keyStorePath           String ksp   filePath getAbsolutePath            System setProperty  quot Security KeyStore Location quot   ksp           System setProperty  quot Security KeyStore Password quot   Params keyStorePassword             the application yml ---  params      trustStorePath  config client-truststore jks    trustStorePassword  wso2carbon    keyStorePath  config wso2carbon jks    keyStorePassword  wso2carbon    defaultType  JKS ---  finally  within the running environment deployment server   you create a folder named  quot config quot  under the same folder where the jar archive is stored   within the  quot config quot  folder  you store  quot application yml quot    quot client-truststore jks quot   and  quot wso2carbon jks quot    done  Update on 2018-11-27 about Spring boot 2 x x starting from spring boot 2 x x  static properties are no longer supported  please see here  I personally do not think it a good move  because complex changes have to be made along the reference chain    anyway  an implementation excerpt might look like this the  Params  class     import org springframework boot context properties ConfigurationProperties      import org springframework stereotype Component           import lombok Data                      Params class represent all config parameters that can         be external set by spring xml file                   Component      ConfigurationProperties  quot params quot        Data     public class Params                 default values  can be override by external settings         public String trustStorePath    quot config client-truststore jks quot           public String trustStorePassword    quot wso2carbon quot           public String keyStorePath    quot config wso2carbon jks quot           public String keyStorePassword    quot wso2carbon quot           public String defaultType    quot JKS quot        the  Springboot application class   with  PostConstruct   import java io File  import javax annotation PostConstruct  import org springframework beans factory annotation Autowired  import org springframework boot SpringApplication  import org springframework boot autoconfigure SpringBootApplication    SpringBootApplication scanBasePackages   quot com xx xx quot    public class BillingApplication             Autowired     Params params           public static void main String   args            SpringApplication run BillingApplication class  args                   PostConstruct     void postConstruct                         set TrustStoreParams         File trustStoreFilePath   new File params trustStorePath           String tsp   trustStoreFilePath getAbsolutePath            System setProperty  quot javax net ssl trustStore quot   tsp           System setProperty  quot javax net ssl trustStorePassword quot   params trustStorePassword           System setProperty  quot javax net ssl keyStoreType quot   params defaultType              set KeyStoreParams         File keyStoreFilePath   new File params keyStorePath           String ksp   keyStoreFilePath getAbsolutePath            System setProperty  quot Security KeyStore Location quot   ksp           System setProperty  quot Security KeyStore Password quot   params keyStorePassword

User · Answer

When everything sounded so complicated  this command worked for me   keytool -genkey -alias foo -keystore cacerts -dname cn test -storepass changeit -keypass changeit   When a developer is in trouble  I believe a simple working solution snippet is more than enough for him  Later he could diagnose the root cause and basic understanding related to the issue

User · Answer

If you execute your Spring Boot application as a linux service  e g  init d script or similar   then you have the following option as well  Create a file called yourApplication conf and put it next to your executable war jar file  It s content should be something similar   JAVA OPTS   -Djavax net ssl trustStore path-to-your-trustStore-file -Djavax net ssl trustStorePassword yourCrazyPassword

User · Answer

In a microservice infrastructure  does not fit the problem  I know     you must not use   server    ssl      trust-store  path-to-truststore        trust-store-password  my-secret-password      Instead the ribbon loadbalancer can be configuered   ribbon     TrustStore  keystore jks   TrustStorePassword   example   ReadTimeout  60000   IsSecure  true   MaxAutoRetries  1   Here https   github com rajaramkushwaha https-zuul-proxy-spring-boot-app you can find a working sample  There was also a github discussion about that  but I didn t find it anymore

[ssl] Specifying trust store information in spring boot application.properties

Examples related to ssl

Examples related to properties

Examples related to spring-boot

Examples related to truststore