New Property for NATS SSL Support #427

dixonwhitmire · 2021-02-02T20:11:21Z

This PR adds a new property, lfh.connect.messaging.nats.ssl, to the application to support enabling and disabling tls connections to NATS. TLS connections are enabled by default and can be set explicitly by setting the property to "true" (case insensitive). Setting the property to any other value will disable the TLS connections from LFH to NATs.

I'm adding this in to support a project/pov that is executing within a secure enclave/environment. This setting allows us to get a baseline installation in place, prior to securing the environment.

I tested this change with the following compose configuration

version: "3.7"
services:
  nats-server:
    image: docker.io/linuxforhealth/jetstream:v0.0.19
    restart: "always"
    expose:
      - "4222"
    command: server

  zookeeper:
    image: docker.io/linuxforhealth/zookeeper-alpine:3.6.2
    expose:
      - "2181"

  kafka:
    image: docker.io/linuxforhealth/kafka-alpine:2.5.0
    restart: "always"
    expose:
      - "9092"
      - "9094"
    environment:
      KAFKA_ZOOKEEPER_CONNECT: "zookeeper:2181"
      KAFKA_LISTENERS: "INTERNAL://kafka:9092"
      KAFKA_ADVERTISED_LISTENERS: "INTERNAL://kafka:9092"
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "INTERNAL:PLAINTEXT"
      KAFKA_INTER_BROKER_LISTENER_NAME: "INTERNAL"
    depends_on:
      - "zookeeper"

  lfh:
    image: docker.io/linuxforhealth/connect-alpine:tdw-dev
    restart: "always"
    environment:
      LFH_CONNECT_MESSAGING_NATS_SSL: "False"
      LFH_CONNECT_DATASTORE_URI: "kafka:<topicName>?brokers=kafka:9092"
      LFH_CONNECT_MESSAGING_RESPONSE_URI: "nats:EVENTS.responses?servers=nats-server:4222"
      LFH_CONNECT_MESSAGING_ERROR_URI: "nats:EVENTS.errors?servers=nats-server:4222"
      LFH_CONNECT_MESSAGING_SUBSCRIBE_HOSTS: "nats-server:4222"
      LFH_CONNECT_ORTHANC_SERVER_URI: "http://orthanc:8042/instances"
      LFH_CONNECT_DATASTORE_BROKERS: "kafka:9092"
      LFH_CONNECT_EXTERNAL_HOST_IP: "127.0.0.1"
    ports:
      - "8080:8080"
      - "2575:2575"
    depends_on:
      - "kafka"
      - "nats-server"

ccorley · 2021-02-02T20:29:06Z

src/main/java/com/linuxforhealth/connect/support/LFHServiceManager.java

@@ -67,7 +68,7 @@ public static void startServices(Properties properties, Main camelMain) {
            producer.start(brokers);
            for (String host: hosts) {
                NATSSubscriber subscriber = new NATSSubscriber(host, subject,
-                    createOptions(host, true, true), producer, properties);
+                    createOptions(host, true, isNATSSSLEnabled), producer, properties);


This assumes you are starting NATS itself without TLS, correct? Otherwise this change shouldn't work.

actually, I see that in your docker file.

That is correct!

If isNATSSSLEnabled = false nats will need to be started without TLS so that LFH can connect using nats://

nats-server: image: docker.io/linuxforhealth/jetstream:v0.0.19 restart: "always" expose: - "4222" command: server

added property for NATS SSL support

d1a9372

dixonwhitmire requested a review from ccorley February 2, 2021 20:11

ccorley reviewed Feb 2, 2021

View reviewed changes

ccorley approved these changes Feb 2, 2021

View reviewed changes

dixonwhitmire merged commit 729c727 into master Feb 2, 2021

dixonwhitmire deleted the nats-ssl-setting branch March 18, 2021 13:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New Property for NATS SSL Support #427

New Property for NATS SSL Support #427

dixonwhitmire commented Feb 2, 2021

ccorley Feb 2, 2021

ccorley Feb 2, 2021

dixonwhitmire Feb 2, 2021

New Property for NATS SSL Support #427

New Property for NATS SSL Support #427

Conversation

dixonwhitmire commented Feb 2, 2021

ccorley Feb 2, 2021

Choose a reason for hiding this comment

ccorley Feb 2, 2021

Choose a reason for hiding this comment

dixonwhitmire Feb 2, 2021

Choose a reason for hiding this comment