0

I have a Spring Cloud Config server running with Spring Bus. I want to make the calls to that server secure:

  1. When a client is asking for configurations.
  2. When calling /monitor - used by the webhook.

What is the best practice to do that? Basic? Encryption? Can someone provide a working example?

Thanks!

Yuval

2 Answers

2

You can secure it by adding encryption and decryption of properties.

You need to provide a JKS to securely encrypt and decrypt them.

Spring Cloud Config server supports symmetric and asymmetric keys.

To configure a symmetric key, you need to set encrypt.key to a secret String (or use the ENCRYPT_KEY environment variable to keep it out of plain-text configuration files).

For asymmetric keys you need to provide these properties in bootstrap.yml:

server:
  port: 8888
spring:
  cloud:
    config:
      server:
        git:
          uri: <git-url-or-local-path>  # your Git URL or your local repository on the file system
          username: <git-username>      # username for Git or Bitbucket, if needed
          password: <git-password>
          clone-on-start: true          # this property clones the whole repo locally on startup
          force-pull: true
  application:
    name: config-server
encrypt:
  key-store:
    location: <jks-location>            # location of the JKS file
    password: letmein                   # keystore password (-storepass below)
    alias: mytestkey
    secret: changeme                    # key password (-keypass below)

To generate the JKS, execute this command:

keytool -genkeypair -alias mytestkey -keyalg RSA \
  -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" \
  -keypass changeme -keystore server.jks -storepass letmein

Actually, Java by default has a limitation on certain key length parameters. It's 128 bit by default.

To use a longer key length you just need to replace the existing local_policy.jar and US_export_policy.jar in <java-home>/lib/security.

Here is the link for download:

https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

You can also encrypt and decrypt your properties through these endpoints:

# Both are HTTP POST requests
curl config_server_host:port/encrypt -d 'your data to be encrypted'

curl config_server_host:port/decrypt -d 'your data to be decrypted'  # this will automatically use this endpoint to decrypt values

To use encryption by the config server, you need to add this prefix in the configuration of your application that gets its configs from the config server:

'{cipher}your_encrypted_data'
Mykhailo Moskura
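
The `{cipher}` convention above only protects values that were actually encrypted before being committed. The following check is an added example, not part of either answer: it scans config-repo text for secret-looking keys whose values lack the `{cipher}` prefix. The key-name list, the `${...}` placeholder exemption and the sample input are assumptions made for the illustration.

```python
import re

# Key names that usually hold secrets (assumed list; extend it for your repository).
SENSITIVE = re.compile(
    r"(password|passwd|secret|token|api[-_.]?key|private[-_.]?key|encrypt\.key)", re.I)
# Matches both "key=value" (.properties) and "key: value" (YAML) lines.
LINE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*[:=]\s*(.*?)\s*$")


def find_plaintext_secrets(text):
    """Return (line_no, key) for sensitive keys whose value is not {cipher}-prefixed."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0]          # drop trailing YAML comments
        if line.lstrip().startswith(("#", "!")):
            continue                          # whole-line comment
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        value = value.strip("'\"")            # YAML needs quotes around {cipher}...
        if not value or not SENSITIVE.search(key):
            continue
        if value.startswith("{cipher}"):
            continue                          # decrypted by the config server
        if value.startswith("${"):
            continue                          # placeholder resolved elsewhere (env, Vault)
        findings.append((no, key))
    return findings


# Constructed sample: ciphertexts are shortened fakes, not real /encrypt output.
SAMPLE = """\
spring.datasource.username=app
spring.datasource.password={cipher}AQB3f0c1e2
# properties and YAML styles are mixed only for the demo
api:
  token: '{cipher}AQA9d8e7'
  client-secret: s3cr3t-in-clear
mail.password=hunter2
vault.token=${VAULT_TOKEN}
"""

if __name__ == "__main__":
    for line_no, key in find_plaintext_secrets(SAMPLE):
        print(f"line {line_no}: '{key}' is stored in plain text")
```

Run as a pre-commit or CI step against the Git repository the config server reads, so a plain-text secret is caught before it is pushed.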
2

Also, you can control access to secrets in the config by using Spring Cloud Vault.

This solution is simpler than encrypting all communication between your application and config server, but maybe this is not what you want.

I hope it helps.

  • The structure of the documentation seems to have changed somewhat. I guess the correct URL (with a working # part) is: https://cloud.spring.io/spring-cloud-config/reference/html/#vault-backend – Attila Csipak Jan 12 '21 at 20:46