
Support end to end TLS: Load cert from file system. #21611

Closed
chenrujun opened this issue May 17, 2021 · 8 comments · Fixed by #21947
Labels: azure-spring (All azure-spring related issues), azure-spring-keyvault (Spring keyvault related issues.)

Comments

@chenrujun

Currently, certs are all loaded from Key Vault; we need to support loading certs from the file system (a configurable path).

Refs: #21566

@chenrujun chenrujun added azure-spring All azure-spring related issues azure-spring-keyvault Spring keyvault related issues. labels May 17, 2021
@chenrujun chenrujun added this to the Backlog milestone May 17, 2021
@chenrujun chenrujun self-assigned this May 17, 2021
@chenrujun
Author

chenrujun commented May 18, 2021

Here are the steps we need to do:

  1. Download the latest azure-security-keyvault-jca jar file into the docker image.
  2. Modify the startup command. For example: java --classpath /etc/certs/azure-security-keyvault-jca.jar -jar app.jar.
  3. Put the public cert of the Azure service into the well-known path: /etc/certs/well-known/.

Here is more information about the cert paths:

  1. well-known path.
    1.1. Default value: /etc/certs/well-known/.
    1.2. Configuration property: azure.cert-path.well-known.
  2. custom path
    2.1. Default value: /etc/certs/custom/.
    2.2. Configuration property: azure.cert-path.custom

Refs: https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/keyvault/azure-security-keyvault-jca

@chenrujun
Author

@gavinfish FYI.

@chenrujun
Author

@gavinfish

FYI:
When we specify -jar, the -cp parameter is ignored.
https://stackoverflow.com/questions/18413014/run-a-jar-file-from-the-command-line-and-specify-classpath

@chenrujun chenrujun modified the milestones: Backlog, [2021] June May 19, 2021
@gavinfish
Contributor

@chenrujun Here are some questions for you:

  1. If the customer's app already depends on azure-security-keyvault-jca to use certificates in Azure Key Vault, will there be any conflicts when we use the startup command with jca again?
  2. If No. 1 is fine, then the app will trust both Key Vault certificates and local certificates, right?
  3. Is there any difference between the well-known path and the custom path except the source of the certificates?

@chenrujun
Author

@gavinfish

> If the customer's app already depends on azure-security-keyvault-jca to use certificates in Azure Key Vault, will there be any conflicts when we use the startup command with jca again?

I didn't test that. I guess there is no problem. You can have a try.


> If No. 1 is fine, then the app will trust both Key Vault certificates and local certificates, right?

Yes.


> Is there any difference between the well-known path and the custom path except the source of the certificates?

  1. To keep well-known certs safe, it's better to avoid letting the customer touch the well-known path.
  2. The customer can add his own cert in etc/azure-certs/custom/.
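The following is an added example, not code from azure-security-keyvault-jca or from this thread's authors. It shows the mechanism the steps above and this answer describe: an application builds an in-memory trust store from X.509 certificate files found in the two proposed directories (defaults /etc/certs/well-known/ and /etc/certs/custom/), keeps the two sources distinguishable through the key store aliases, and warns when the well-known directory is writable by other users, which is the concern behind keeping customers away from that path. Reading the proposed property names azure.cert-path.well-known and azure.cert-path.custom as JVM system properties, the accepted file extensions, and the class and method names are all assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical example, not code from azure-security-keyvault-jca: builds an in-memory
 * trust store from X.509 certificates found in the two directories discussed in the issue.
 */
public final class FileSystemTrustStoreExample {

    // Property names and defaults are the ones proposed in the issue; reading them as
    // JVM system properties is an assumption of this example.
    static final Path WELL_KNOWN_DIR =
            Paths.get(System.getProperty("azure.cert-path.well-known", "/etc/certs/well-known/"));
    static final Path CUSTOM_DIR =
            Paths.get(System.getProperty("azure.cert-path.custom", "/etc/certs/custom/"));

    /** Loads certificates from both directories into a fresh, in-memory trust store. */
    public static KeyStore buildTrustStore() throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty store, nothing read from disk yet
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        warnIfWritableByOthers(WELL_KNOWN_DIR);
        loadDirectory(trustStore, factory, WELL_KNOWN_DIR, "well-known");
        loadDirectory(trustStore, factory, CUSTOM_DIR, "custom");
        return trustStore;
    }

    /** Reads every PEM or DER certificate file in dir; returns how many certs were added. */
    static int loadDirectory(KeyStore store, CertificateFactory factory, Path dir, String source)
            throws Exception {
        if (!Files.isDirectory(dir)) {
            return 0; // a missing directory simply contributes no trust anchors
        }
        int loaded = 0;
        // The file extensions are an assumption; the issue does not specify a naming rule.
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.{pem,crt,cer,der}")) {
            for (Path file : files) {
                try (InputStream in = Files.newInputStream(file)) {
                    // generateCertificates accepts DER and PEM, including PEM bundles
                    for (Certificate cert : factory.generateCertificates(in)) {
                        X509Certificate x509 = (X509Certificate) cert;
                        try {
                            x509.checkValidity(); // do not trust expired or not-yet-valid certs
                        } catch (CertificateException e) {
                            System.err.println("skipping " + file + ": " + e.getMessage());
                            continue;
                        }
                        // The alias records the source, so well-known and custom certs stay distinguishable.
                        String alias = source + ":" + file.getFileName() + ":"
                                + x509.getSerialNumber().toString(16);
                        store.setCertificateEntry(alias, x509);
                        loaded++;
                    }
                }
            }
        }
        return loaded;
    }

    /** The thread wants the well-known path kept out of customers' hands; on POSIX, flag loose permissions. */
    static void warnIfWritableByOthers(Path dir) {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
            if (perms.contains(PosixFilePermission.GROUP_WRITE)
                    || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
                System.err.println("warning: " + dir + " is group- or world-writable");
            }
        } catch (Exception e) {
            // non-POSIX file system or directory absent: nothing to check
        }
    }

    /** Wraps the trust store in an SSLContext that trusts only these file-system certificates. */
    public static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = buildTrustStore();
        System.out.println("trusted certificates: " + ts.size());
        for (String alias : Collections.list(ts.aliases())) {
            System.out.println("  " + alias);
        }
        sslContextFor(ts); // would be handed to an HTTP client
    }
}
```

As noted earlier in the thread, -jar discards -cp, so a run that needs an extra jar on the classpath has to name the main class explicitly, for example java -cp app.jar:/etc/certs/azure-security-keyvault-jca.jar FileSystemTrustStoreExample; in practice the provider jar would be registered as a JCA provider rather than invoked like this.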

@gavinfish
Contributor

@chenrujun
I talked with Asir; two suggestions from him:

  1. For the certificate path, do not include the keyword azure, since it is not only for Azure services; any other service can be a candidate.
  2. For the configuration property, do not include the keyword keyvault, since this feature is not directly related to Key Vault.

@chenrujun
Author

Hi @gavinfish, I updated #21611 (comment), please take a look.

@chenrujun
Author

Hi @gavinfish, @lzc-1997-abel, I updated the #21611 (comment), please take a look.

2 participants