
I am working on deploying an application that connects with a third-party application via an SSL connection. For that, earlier I was using these certs, keeping them in the build pack and picking them from there. Now, due to the limited number of production releases, I need to externalize the SSL certs. So far I have externalized the certs which were picked from jre/lib/security/wasadm via an SSLConnectionFactory. But there are some certs which are part of cacert and need to be picked up from JAVA_OPTS on PCF as an environment variable, like -Djavax.net.ssl.trustStore=<URL to a path on server>

How can I use -D or JAVA_OPTS in order to retrieve the trustStore from there?

Jdk -> 1.7xx
Target Environment -> PCF
Environment OS -> Linux

Would appreciate any help here.

Sagar Kharab

2 Answers


keeping them in the build pack and pick them from there.

If at all possible, don't do this. It requires you to fork the buildpack and that is bad. It creates a maintenance burden for you and will slow down your ability to deploy updates and security patches to your apps running on Cloud Foundry.

But there are some certs which are part of cacert and needs to be picked from the JAVA_OPTS on PCF as environment variable like -Djavax.net.ssl.trustStore=

I'm not sure why you'd be forced to go this route. The -Djavax.net.ssl.trustStore option is just setting the default trust store for the JVM. It can be convenient sometimes, but has its drawbacks.

When you need to trust certs that are not signed by a well-known CA, I would suggest that you make your own application-specific trust store, rather than adding more certs to the JVM's default trust store.

Your application will be more portable if it does not depend on system specific customizations like modifying the default trust store. Changing the default trust store is also problematic, because everything running in your JVM uses it. This is generally OK if you're just adding to the default trust store, but if you are trying to remove from it you might end up breaking other code. Plus, if you're using your own trust store you can include only the minimum number of certificates which are required by your app or even by a specific service in your app (since you can use multiple trust stores this way).

I don't know what HTTP client you're using, but there's a good example of doing this with HTTPClient here. See the Custom SSL context example.

Putting that aside, if you really want to adjust the default trust store of the JVM running your app on Cloud Foundry, you just need to modify the JAVA_OPTS environment variable for your app & restage.

Ex:

cf set-env my-cool-app JAVA_OPTS '-Djavax.net.ssl.trustStore=path/to/my/new/default-truststore.jks'

I believe you can use a relative path to your trust store, like if you're bundling it with your application. If not, /home/vcap/app is the path to the root of your JAR/WAR file, so you could insert that if you need a full path. It needs to be a local path on the container though, I don't believe the JVM supports remote paths/URLs.

Jdk -> 1.7xx

You really need to upgrade :)

Daniel Mikusa
  • I have several restrictions which I can't help. It's a prod application which has been running for almost 2-3 years for many countries. Now the problem is that with new build packs rolling out more frequently, we can't redeploy the app with new certs every time on prod. So that's why we have a server and the certs will be picked from there at the start of the app. `-Djavax.net.ssl.trustStore=path/is actually/a/url/` and hence it's not working. So my main question is whether it is at all possible to give a URL in -D. About JDK 1.7: yep, but can't scrap the old ones alone in this cruel world – Sagar Kharab May 18 '18 at 02:05
  • You're going to need to do something to download the cert before your app starts. The JVM can't do that for you. It's an ordering problem. If you put an HTTPS URL in `-Djavax.net.ssl.trustStore`, you have to initialize a truststore to attempt to fetch your truststore. It's not going to work. The only thing that comes to mind is the prestart hooks -> https://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html#profile. This should work for Java apps, but it's tricky because you have to put the script into the root of your JAR/WAR file so it's pushed up in the right location. – Daniel Mikusa May 18 '18 at 12:09
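The application-specific trust store approach recommended in the answer above, as an added example in Java (not code from the question, the answer, or any library mentioned); the resource name, password and endpoint are assumed, and the code sticks to JDK 7 APIs so it also fits the asker's runtime:

```java
// Added example: trust the third-party service from a trust store bundled with the
// app instead of changing the JVM-wide default via -Djavax.net.ssl.trustStore.
// Assumes a classpath resource "/app-truststore.jks" (hypothetical name) holding only
// the CA or leaf certificate(s) of that service, protected by a hypothetical password.
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class AppTrustStore {

    // Loads the bundled trust store and builds an SSLSocketFactory that trusts only it.
    // Nothing here touches the JVM default trust store, so other code in the JVM
    // (other HTTP clients, JDBC drivers, ...) keeps its own trust decisions.
    public static SSLSocketFactory socketFactory(String resource, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on JDK 7
        InputStream in = AppTrustStore.class.getResourceAsStream(resource);
        if (in == null) {
            // Fail closed: a missing trust store must never silently fall back to the default.
            throw new IllegalStateException("trust store not found on classpath: " + resource);
        }
        try {
            trustStore.load(in, password); // also verifies the store's integrity hash
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client cert, default SecureRandom
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint; its issuing CA must be present in the bundled trust store.
        SSLSocketFactory factory = socketFactory("/app-truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://partner.example.com/api/ping").openConnection();
        // Per-connection factory, deliberately not HttpsURLConnection.setDefaultSSLSocketFactory,
        // so the restricted trust store applies only to this service.
        conn.setSSLSocketFactory(factory);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The trust store itself can be produced at build time with the JDK's own tool, e.g. `keytool -importcert -keystore app-truststore.jks -alias partner-ca -file partner-ca.pem`, and shipped inside the JAR/WAR so no buildpack fork or JAVA_OPTS change is needed.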

I have resolved the issue by picking up the file from the URL and putting it in my WAR at startup, and hence it solved all my issues. Thanks!

Sagar Kharab