
In order to use HTTPS between all Spring Cloud microservice instances we can generate a Java keystore and configure each instance with it like this:

server.ssl.key-store=server.jks
server.ssl.key-store-password=<pw>
server.ssl.keyStoreType=jks
server.ssl.keyAlias=tomcat
server.ssl.key-password=<pw>

IIUC, as far as setting up the SSL transport layer, that's all we need to do? Is it OK / secure to use the same keystore in all instances of the same microservice type? For example the edge server could be using Ribbon to load balance between microserviceA - instance1, microserviceA - instance2, and microserviceA - instance3, and these would all have the same keystore baked in.

If we also have a microserviceB, could it also use the same keystore without compromising security?

From a management / devOps point of view is this the simplest way to go?

Ole

1 Answer


SSL certs should be the same for each running instance of the same microservice and unique for each microservice (your microserviceA vs. microserviceB). If you ever move your services behind a hardware load balancer then it'll become obvious why.

When/if you come to do X.509 client certificate authentication for service-service calls you will need to authenticate and authorize services based on the certificate they present. If they're all presenting the same certificate then you cannot do that.

From a devOps point of view you can save yourself a headache later on by storing the certs centrally - we use the Spring Cloud Config Server with a website backend - and set up a job to check the expiry dates of the certs daily so you don't get an unpleasant surprise a year or so after you deploy.

We use separate keystore/truststore per service because that fits our deployment model but you might be able to use a single keystore with multiple service aliases because the private keys inside can have unique passwords. Beware though, not all java http frameworks are capable of selecting keys by alias or supporting different keystore/key passwords...

Andy Brown
  • Thanks Andy - Good to know - I'm also investigating just wrapping all the services in docker containers running on docker swarm - right now it almost looks as if we can create a secure overlay network with one command and allow that to manage ssl. Posted a follow up here: https://stackoverflow.com/questions/46119863/is-ssl-security-provided-by-default-in-docker-swarm-mode – Ole Sep 08 '17 at 15:42
  • question: in my architecture I have nginx as proxy to spring cloud gateway and then requests are forwarded to respective microservices, I need to install ssl on gateway only or on each of the microservice? I am confused about this. The same nginx is also running my frontend app. – 89n3ur0n Jun 23 '18 at 18:29
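The answer above makes two operational points: every microservice should present its own certificate (shared only by instances of that same service), and certificate expiry should be checked by a scheduled job. The Python script below is an added example of both checks; it is not code from the question, the answer, or Spring Cloud. It assumes the `server.ssl.key-store` and `server.ssl.keyAlias` property names from the question (plus Spring Boot's `server.ssl.key-alias` spelling, which relaxed binding also accepts), and it parses the text that `keytool -list -v -keystore <file> -storepass <pw>` prints in an English locale with UTC timestamps. Service names, keystore file names, aliases and validity dates are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample: the server.ssl.* lines each instance would carry in its
# application.properties. Three instances of microserviceA share one identity
# (expected); microserviceB wrongly reuses it (what the answer warns against).
SAMPLE_PROPERTIES = {
    ("microserviceA", "instance1"): "server.ssl.key-store=serviceA.jks\nserver.ssl.keyAlias=serviceA\n",
    ("microserviceA", "instance2"): "server.ssl.key-store=serviceA.jks\nserver.ssl.keyAlias=serviceA\n",
    ("microserviceA", "instance3"): "server.ssl.key-store=serviceA.jks\nserver.ssl.keyAlias=serviceA\n",
    ("microserviceB", "instance1"): "server.ssl.key-store=serviceA.jks\nserver.ssl.keyAlias=serviceA\n",
    ("edge-server", "instance1"): "server.ssl.key-store=edge.jks\nserver.ssl.key-alias=edge\n",
}

# Constructed sample of `keytool -list -v` output (assumed English locale, UTC);
# only the lines the checker reads are reproduced.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: serviceA
Entry type: PrivateKeyEntry
Owner: CN=microserviceA, O=Example
Issuer: CN=Example Internal CA, O=Example
Valid from: Mon Sep 11 10:00:00 UTC 2017 until: Sun Sep 09 10:00:00 UTC 2018

Alias name: serviceB
Entry type: PrivateKeyEntry
Owner: CN=microserviceB, O=Example
Issuer: CN=Example Internal CA, O=Example
Valid from: Mon Sep 11 10:00:00 UTC 2017 until: Wed Sep 11 10:00:00 UTC 2019
"""


def parse_properties(text):
    """Minimal .properties parser: key=value lines; '#' and '!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def service_identity(props):
    """The (keystore, alias) pair a service presents. Spring's relaxed binding
    accepts both spellings of the alias key, so both are honoured here."""
    alias = props.get("server.ssl.key-alias") or props.get("server.ssl.keyAlias")
    return (props.get("server.ssl.key-store"), alias)


def find_shared_identities(instance_props):
    """Return (keystore, alias, [services]) for every identity presented by more
    than one distinct service. Instances of one service sharing an identity is
    the normal case and is not reported."""
    owners = defaultdict(set)
    for (service, _instance), text in instance_props.items():
        owners[service_identity(parse_properties(text))].add(service)
    return sorted((ks, alias, sorted(services))
                  for (ks, alias), services in owners.items() if len(services) > 1)


KEYTOOL_DATE = "%a %b %d %H:%M:%S %Z %Y"  # e.g. "Sun Sep 09 10:00:00 UTC 2018"


def parse_keytool_expiries(output):
    """Map alias -> notAfter (UTC) for every entry in `keytool -list -v` output."""
    expiries = {}
    for block in re.split(r"\n(?=Alias name: )", output):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        until = re.search(r"until: (.+)$", block, re.M)
        if alias and until:
            not_after = datetime.strptime(until.group(1).strip(), KEYTOOL_DATE)
            expiries[alias.group(1).strip()] = not_after.replace(tzinfo=timezone.utc)
    return expiries


def expiring_within(expiries, now_iso, days=30):
    """Aliases whose certificate expires (or already expired) within `days` of
    now_iso, an ISO-8601 timestamp; a naive timestamp is taken as UTC."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    limit = now + timedelta(days=days)
    return sorted(alias for alias, not_after in expiries.items() if not_after <= limit)


if __name__ == "__main__":
    for ks, alias, services in find_shared_identities(SAMPLE_PROPERTIES):
        print(f"identity {alias}@{ks} is shared by different services: {services}")
    expiries = parse_keytool_expiries(SAMPLE_KEYTOOL_OUTPUT)
    print("expiring within 30 days:", expiring_within(expiries, "2018-08-20T00:00:00+00:00"))
```

In a daily job you would replace the constructed sample with each service's properties pulled from the config server and with the real `keytool -list -v` output of each keystore, and page someone when either check returns a non-empty result. Sharing one keystore across instances of a single service is reported as fine by design; only a keystore/alias reused across different services is flagged, which is exactly the case that breaks per-service X.509 client authentication.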