gRPC: How to configure SSL in client?

Question

Its new topic for me. I'm able to connect as plaintext.

public ManagedChannel getChannel(String serviceName){
    TSServiceClientManager scm = TSServiceManagementFactory.getInstance().getServiceClientManager();
    TSServiceConnectionInfo connInfo = scm.getServiceConnectionInfo(serviceName);
    if(channel == null){
        channel = ManagedChannelBuilder.forAddress(connInfo.getHost(), connInfo.getPort())
                .usePlaintext(true) //need help here for SSL code 
                .build();
    }

    return channel;
}

I was told to enable client-side SSL. I know how to generate, keystore, truststore, pem, CA etc. I need help in :

How to enable SSL instead of .usePlaintext(true) as shown in above code?

(Kindly rewrite the code considering the cert file, keystore, truststore and .pem file exist)

And

I want to know is there anything to do with server to make SSL connection work?

Eric Anderson · Accepted Answer · 2021-11-04T23:43:09.163

10

Since grpc-java 1.37.0 it is possible for most users to configure TLS without using transport-specific APIs. This leverages the ChannelCredentials concept introduced in 1.34.0.

ChannelCredentials creds = TlsChannelCredentials.newBuilder()
    // if server's cert doesn't chain to a standard root
    .trustManager(caFile)
    .keyManager(clientCertFile, keyFile) // client cert
    .build();
channel = Grpc.newChannelBuilderForAddress(serverHost, serverPort, creds)
    .build();

TlsServerCredentials and Grpc.newServerBuilderForPort() would be used on server-side.

Advanced use cases may need to use transport-specific APIs like GrpcSslContexts and NettyChannelBuilder.sslContext().

Original answer: You need to use a transport-specific API. You're likely using Netty today. For Netty, you need to configure Netty's SslContext and pass it to gRPC. Your usage may look something like this:

SslContext sslcontext = GrpcSslContexts.forClient()
    // if server's cert doesn't chain to a standard root
    .trustManager(caFile)
    .keyManager(clientCertFile, keyFile) // client cert
    .build();
channel = NettyChannelBuilder.forAddress(serverHost, serverPort)
    .sslContext(sslContext)
    .build();

If you need server-side configuration, it would use the similar NettyServerBuilder.sslContext(). But the context itself would be different.

edited Nov 04 '21 at 23:43

answered Dec 04 '17 at 17:08

Eric Anderson

24,057
5
55
76

Thanks for the reply @Eric Anderson , I'll try tomorrow. Almost cleared my doubts. Once got it, I'll mark it as answer and I will share what changes I did. – SOWMITHRA KUMAR G M Dec 04 '17 at 19:20
"But the context itself would be different." could you please add an example of the server side configuration?Thanks – Sergei Ledvanov Mar 29 '19 at 18:59
Server-side normally looks something like `GrpcSslContexts.forServer(serverCertChainFile, keyFile).build()`. Specifying a keyManager is required on-server side, so the builder is requiring those parameters early. Specifying `trustManager(caFile)` is necessary if the client's cert chain doesn't chain to a standard root (which only applies when using client-certs). – Eric Anderson Apr 01 '19 at 15:42
Hi Eric, do we need to send the client cert to server's trust list before we establish the channel? – Drake .C Sep 28 '20 at 22:28
I just answered your SO question: https://stackoverflow.com/a/64110508/4690866 . Normally the client and server agree ahead-of-time on a CA to use, because otherwise the server can't easily trust the client is permitted to use a particular certificate. There can be schemes where that is done, but it'd normally require having some other way to authenticate that client (an older cert, a password, etc). – Eric Anderson Sep 28 '20 at 22:40

score 0 · Answer 2 · answered Mar 30 '22 at 15:05

If any one wants to use JKS files then below code might help.

InputStream is = Utils.class.getClassLoader().getResourceAsStream("truststore.jks");
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(is, "secret".toCharArray());

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(truststore);

SslContextBuilder sslContextbuilder = GrpcSslContexts.forClient().trustManager(trustManagerFactory);
SslContext sslContext = sslContextbuilder.build();
channel = NettyChannelBuilder.forAddress("localhost", "8443").sslContext(sslContext).build();

gRPC: How to configure SSL in client?

2 Answers2