Cannot Access new Management Server Port in Spring Boot Application - java

In my Spring Boot application I changed the default management server port in order to expose it on a different port over HTTP. My main app runs on HTTPS with an SSL key, and I don't want to expose the management endpoints there.
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:local-ssl.p12
server.ssl.key-store-password=<password>
server.ssl.key-alias=local_ssl
server.port=8443
management.server.ssl.enabled=false
management.server.port=8081
management.endpoints.web.exposure.include=health,info,prometheus
However, when I try to access http://localhost:8081/actuator/prometheus, I get the following picture from Postman. How can I access my endpoints through the new port?

When configured to use a custom port, the management server can also be configured with its own SSL using the various management.ssl.* properties. For example, this allows a management server to be available via HTTP while the main application uses HTTPS:
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:store.jks
server.ssl.key-password=secret
management.port=8080
management.ssl.enabled=false
Alternatively, both the main server and the management server can use SSL but with different key stores:
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:main.jks
server.ssl.key-password=secret
management.port=8080
management.ssl.enabled=true
management.ssl.key-store=classpath:management.jks
management.ssl.key-password=secret
For reference, see:
https://docs.spring.io/spring-boot/docs/1.5.4.RELEASE/reference/html/production-ready-monitoring.html

Related

Azure AD SSO using SAML2 with Amazon ELB SSL

I am trying to set up SSO using Azure AD. Our application is a Spring Boot application deployed on Amazon ECS.
For this I have referred to https://dummybot.medium.com/saml-integration-with-spring-boot-spring-security-microsoft-azure-ad-b9610bdb78b9, which uses Spring Security SAML2 with Spring Boot.
In our case the application exposes port 8080 from the Docker container and doesn't have its own SSL configuration. We are using an Amazon ELB as load balancer, in which SSL is configured, and through the load balancer we can access the application at https://our-domain.com
When testing the application locally I am able to log in successfully when https://localhost:8443/saml/sso is added as a reply URL in Azure AD.
When I add only https://our-domain.com/saml/sso as the reply URL and try logging in while running the application locally, I get this error:
[image: correct http protocol and port in AD request]
which is expected, as we don't have https://localhost:8080/.. whitelisted as a reply URL in Azure AD now.
But what I noticed in the error message is that https://localhost:8080/... doesn't match the reply URL, which is correct, but there is no change in the HTTP protocol or the port 8080 which I am trying to access.
But when I try to access the application deployed on AWS ECS via https://our-domain.com, I am successfully redirected to the login page, but there I get this error:
[image: incorrect http protocol and port in AD request]
Here I can see the HTTP protocol has been changed from https to http, and the port passed in the request is 8443.
The only place I can see this is our AWS ELB, which has the SSL certificate configured and an HTTPS listener on 8443, and I suspect that is why the incorrect reply URL is passed by Spring Security in the Azure AD authentication request.
[image: Amazon ELB configuration]
I have tried to find a solution for this and found an issue reported in the Spring-Security-SAML project at https://github.com/spring-projects/spring-security-saml/issues/447, which talks about SAMLContextProviderLB as the context provider bean.
More details in the Spring Security SAML Extension documentation: https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-load-balancing
Although it is mentioned in the documentation for the latest version of the Spring Security SAML Extension, I can't find this class; it is only available in the older 1.0.x version of the extension. Hence I am not able to use it.
Can someone please provide any pointers to fix this issue?
Thanks
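As an added example (not from the post, and not a confirmed fix for it), this is the Spring mechanism normally involved when an application behind a TLS-terminating load balancer builds URLs with the wrong scheme or port. `ForwardedHeaderFilter` rewrites the request's scheme, host and port from the `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port` headers (and RFC 7239 `Forwarded`) that the load balancer adds, so anything that derives an absolute URL from the request, the SAML reply URL included, sees what the browser sent to the ELB rather than what the container received on port 8080. The class and bean names are my own, and it assumes the ELB does set those headers.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.ForwardedHeaderFilter;

/**
 * Added example, not the post's or Spring Security's own code.
 * Registers Spring's ForwardedHeaderFilter ahead of every other filter so that
 * request.getScheme()/getServerName()/getServerPort() (and therefore every absolute URL
 * built from the request, including the SAML assertion consumer / reply URL) reflect the
 * X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port headers set by the load balancer.
 */
@Configuration
public class ForwardedHeadersConfig {

    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(new ForwardedHeaderFilter());
        // Must run before Spring Security's SAML filters look at the request,
        // otherwise they still see http://<container-host>:8080.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

Spring Boot 2.2 and later can register the same filter without code via `server.forward-headers-strategy=framework` (or `native`, which leaves the job to Tomcat's RemoteIpValve). Either way, the filter trusts the headers unconditionally, so the container port must be reachable only from the load balancer (security group or network policy); a client that can reach port 8080 directly could otherwise inject its own `X-Forwarded-*` values and steer the URLs the application generates.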

How does Hazelcast support credential rotation in client/server mode

I have Hazelcast deployed in client/server mode, where I started using UsernamePassword credentials for authentication, so when starting the server and the client I used username1, password1 as my credentials.
Now, for security reasons, I want to update the credentials. How do I achieve this without downtime on the server and client side applications?
Hazelcast doesn't support client credential rotation out of the box. It can be done incrementally:
introduce an authentication config (login module stack) which accepts both the old and the new credentials;
do a rolling restart of all members to activate the new authentication configuration;
replace the credentials in the client configurations and restart all clients;
configure the members to accept only the new credentials and do the rolling restart again.
This is a similar scenario to updating TLS certificates in a running cluster. Check it in the Hazelcast reference manual:
https://docs.hazelcast.org/docs/4.1/manual/html-single/index.html#updating-certificates-in-the-running-cluster
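The overlap phase of that procedure, as an added example rather than code from the answer or from Hazelcast: a member configuration that accepts both the old and the new client identity, and the client configuration that switches to the new one. It assumes the Hazelcast 4.1 Enterprise "simple" authentication API (`SecurityConfig`, `RealmConfig`, `SimpleAuthenticationConfig`); the realm name, the `app` role and the `ALL` permission are illustrative choices of mine, and the third phase is the same member call with only the new user.

```java
import com.hazelcast.client.HazelcastClient;
import com.hazelcast.client.config.ClientConfig;
import com.hazelcast.config.Config;
import com.hazelcast.config.PermissionConfig;
import com.hazelcast.config.PermissionConfig.PermissionType;
import com.hazelcast.config.SecurityConfig;
import com.hazelcast.config.security.RealmConfig;
import com.hazelcast.config.security.SimpleAuthenticationConfig;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;

/**
 * Added example, not Hazelcast's own code: client credential rotation without downtime
 * using the Hazelcast 4.1 Enterprise "simple" authentication API (assumed).
 * Realm name, role name and the ALL permission are illustrative.
 */
public final class CredentialRotation {

    private static final String APP_ROLE = "app";

    /**
     * Member configuration accepting every (username, password) pair passed in.
     * Phase 1: call with the old AND the new pair, then rolling-restart the members.
     * Phase 3: call with only the new pair, then rolling-restart the members again.
     */
    static Config memberConfigAccepting(String[]... users) {
        SimpleAuthenticationConfig simple = new SimpleAuthenticationConfig();
        for (String[] user : users) {
            simple.addUser(user[0], user[1], APP_ROLE);   // username, password, roles...
        }
        Config config = new Config();
        SecurityConfig security = config.getSecurityConfig();
        security.setEnabled(true)
                .setClientRealmConfig("clientRealm",
                        new RealmConfig().setSimpleAuthenticationConfig(simple))
                // Map the role to permissions. ALL on "*" is for brevity; narrow it in production.
                .addClientPermissionConfig(new PermissionConfig(PermissionType.ALL, "*", APP_ROLE));
        return config;
    }

    /** Phase 2: client configuration presenting one identity (old or new). */
    static ClientConfig clientConfigFor(String username, String password) {
        ClientConfig clientConfig = new ClientConfig();
        clientConfig.getSecurityConfig().setUsernamePasswordIdentityConfig(username, password);
        return clientConfig;
    }

    public static void main(String[] args) {
        // Phase 1: the member accepts both credential sets.
        HazelcastInstance member = Hazelcast.newHazelcastInstance(memberConfigAccepting(
                new String[] {"username1", "password1"},    // old
                new String[] {"username2", "password2"}));  // new
        // Phase 2: a client restarted with the new credentials gets in...
        HazelcastInstance rotated = HazelcastClient.newHazelcastClient(clientConfigFor("username2", "password2"));
        rotated.getMap("demo").put("k", "v");
        // ...and one not yet restarted still gets in with the old ones, until phase 3 drops username1.
        HazelcastClient.newHazelcastClient(clientConfigFor("username1", "password1")).shutdown();
        rotated.shutdown();
        member.shutdown();
    }
}
```

Run phase 3 only after every client reports the new identity; until then a client still holding username1 would be locked out by the second rolling restart.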
The Hazelcast group name/password was available until 3.12.x (it was removed in Hazelcast 4), but it was never meant to provide security and therefore does not support password rotation.
<group>
<name>dev</name>
<password>dev-pass</password>
</group>
To configure security properly in Hazelcast you need to use SSL (which is an Enterprise feature). SSL supports key rotation.

Vault server on Openshift - connection refused

I wanted to use a Vault server to store secrets and deploy it on OpenShift.
I wrote this Dockerfile, built the image, pushed it to the OpenShift registry and created a deployment from this image stream:
FROM vault:1.5.0
ADD *.hcl /etc/config.hcl
ENTRYPOINT ["vault", "server", "-config=/etc/config.hcl"]
Here is the config:
storage "file" {
path = "/vault/data"
}
listener "tcp" {
address="127.0.0.1:8200"
tls_disable=1
}
disable_mlock = true
api_addr = "http://127.0.0.1:8200"
I created a route to port 8200. When I use the Vault CLI from inside the vault-server pod it works fine: I can log in, configure, etc. When I use the OpenShift CLI on my local computer to forward port 8200 to my local port 8200 I can also access the API.
The problem is that I cannot access the API from anywhere outside the pod. The route gives me a 503 response, and when trying via http://vault-server.namespace.svc:8200 I get connection refused (using Spring RestTemplate).
How can I configure Vault to also accept external traffic?
Your listener block means you are only listening for connections from localhost. Change the address field to 0.0.0.0:8200 to listen on all interfaces:
listener "tcp" {
address="0.0.0.0:8200"
}
And please don't forget to enable TLS as soon as you've got connectivity working.

Enabling ssl connection in Spring-boot

I'm using a Spring Boot application as a bridge between an Angular application and a Java server. The Spring Boot app is at the same time a server for the Angular app and a client for the Java server.
I need to create a Secure Socket Layer (SSL) connection.
My problem is that I don't know how to create an SSL connection between spring-boot app (like a client) and the Java server.
I have done similar things before. You need to:
Create an SSL certificate and make the server side use it (like here).
Install the public key of the SSL certificate (you can download the public key part using a browser and clicking the lock icon; to do this, just have a dummy API and call it) in a keystore (JKS).
Make the Spring Boot application use the JKS (-D parameter in the java -jar call).

Client Web Service call over SSL using Apache Axis

I'm using Apache Axis 1.5.1 to code a web service client connecting to a service over SSL. My application is running in Tomcat with SSL configuration setup in JKS. However, when I connect to the server, the connection is failing because the cert from our client is not being sent to the server. Is this something that has to be set in the client through code? Also note that the server does not need any user name or password authentication. With SSL turned off, everything works fine.
Thanks,
Two common approaches here:
http://ws.apache.org/xmlrpc/ssl.html
WebLogic has its own stuff:
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/security/SSL_client.html#wp1029670
As long as you have the certificates configured correctly in your trust store accessible to Tomcat, there are no changes to Apache Axis HTTP code.
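Added example covering both the Spring-Boot-as-client answer above (trusting the server's certificate from a keystore) and the Axis client-certificate question (sending our own certificate for mutual TLS). It is my own code, not from either answer or from Spring or Axis: it builds an `SSLContext` from a trust store plus an optional key store and uses it with the JDK 11 `HttpClient`. File names, passwords and the target URL are placeholders.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not the answers' own code. Outbound TLS from a Java client with
 * an explicit trust store (the server's certificate or its CA) and, when the server
 * requires a client certificate, a key store holding our certificate and private key.
 * Paths, passwords and the URL below are placeholders.
 */
public final class TlsClient {

    /**
     * @param trustStore PKCS12/JKS file holding the server certificate (or its issuing CA)
     * @param keyStore   PKCS12/JKS file holding our own cert + private key; null for server-only TLS
     */
    static SSLContext buildSslContext(Path trustStore, char[] trustPass,
                                      Path keyStore, char[] keyPass) throws Exception {
        // Trust side: what we accept from the server. Prefer importing the CA over the
        // leaf certificate, so a routine server cert renewal does not break the client.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPass));

        // Identity side: only needed for mutual TLS. Without a KeyManager the handshake
        // succeeds but no client certificate is ever sent, which is the Axis symptom above.
        KeyManagerFactory kmf = null;
        if (keyStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStore, keyPass), keyPass);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore load(Path path, char[] password) throws Exception {
        // "PKCS12" also reads JKS files on modern JDKs; use "JKS" explicitly if needed.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext(
                Path.of("truststore.p12"), "changeit".toCharArray(),   // placeholder
                Path.of("client.p12"), "changeit".toCharArray());      // placeholder; pass null to disable mTLS

        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest request = HttpRequest.newBuilder(
                URI.create("https://backend.example.internal:8443/api/ping"))  // placeholder URL
                .GET().build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.statusCode());
    }
}
```

The JVM-wide equivalent, which is what the "-D parameter" in the answer above refers to and what a client using the default SSL socket factory (an Axis client included) picks up without code changes, is `-Djavax.net.ssl.trustStore=truststore.p12 -Djavax.net.ssl.trustStorePassword=... -Djavax.net.ssl.trustStoreType=PKCS12` for the trust side and `-Djavax.net.ssl.keyStore=client.p12 -Djavax.net.ssl.keyStorePassword=...` for the client certificate. Note that a trust store alone never makes the client send a certificate; the mutual-TLS failure in the Axis question needs the key store half as well.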
