My app connects to Kafka topic and everything goes well in local environment when truststore and keystore are stored under classpath, but when I try to switch to Dockerized external environment and point to those files localized on a server, then the app crashes.
Snippet in a local environment where it works:
spring.kafka.ssl.trust-store-location=file:src/main/resources/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:src/main/resources/keys/application.keystore.jks
Snippet of application.properties on a server side when the app is launched inside a docker container and does not work. Both keys are stored in /deployment/keys folder inside the container:
spring.kafka.ssl.trust-store-location=/deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=/deployment/keys/application.keystore.jks
The following java exception occurs:
NoSuchFileException: /tmp/tomcat-docbase.45456574985379.8080/deployment/keys/application.keystore.jks
So for an unknown reason Spring Boot inside Docker container adds the /tmp/tomcat-docbase.45456574985379.8080/ prefix to the keystore and truststore location.
I have also tried:
spring.kafka.ssl.trust-store-location=file:/deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:/deployment/keys/application.keystore.jks
and
spring.kafka.ssl.trust-store-location=file:///deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:///deployment/keys/application.keystore.jks
but none of them seem to work. I would not like to change the code but what comes to my mind is to create a Properties object and create strings with those paths. Then inject them to the KafkaTemplate as a bean. However, I have not yet checked if this could help. Would rather focus just on adjusting application.properties file than correct the code. Could you please help me find the solution?
Related
Im have a producer and consumer java code and Im trying to upgrade it to connect with the Kafka which is secured with SSL. I'm in a situation that the ssl related passwords should be given only via environmental variables.
So is it possible to directly refer to the values refered by Environmental variables in the KafkaProducer.properties and KafkaConsumer.properties files
For Example:
I declare an environmental variable in linux system SSL_KEY_PASSWORD=password
And inside the KafkaProducer/Consumer properties, I declare as,
''' ssl.key.password=${SSL_KEY_PASSWORD} '''
Sample KAFKA Consumer/Producer property file config may look like,
# For SSL
security.protocol=SSL
ssl.truststore.location=/var/private/ssl/client.truststore.jks
ssl.truststore.password=${TRUSTSTORE_PASS_ENV_VARIABLE}
# For SSL auth
ssl.keystore.location=/var/private/ssl/client.keystore.jks
ssl.keystore.password=${KEYSTORE_PASS_ENV_VARIABLE}
ssl.key.password=${KEY_PASS_ENV_VARIABLE}
No, they cannot.
Unclear how you are using the files or Kafka clients. If from the shell commands, you should create a bash wrapper around the command you're running that uses sed or other templating scripts that generates the files before running the final command.
If you are actually writing Java code, then build the Properties from the environment there, and not using files.
Don't think properties file values are interpolated but probably you can test it once. Alternatively you can also remove these lines from property file and do it from code something like below...
final Properties properties = new Properties();
final FileInputStream input = new FileInputStream(yourExistingFile);
properties.load(input);
properties.put("ssl.key.password",System.getenv("SSL_KEY_PASSWORD"));//this is additional property
Using JBoss EAP 7, I have a .properties file included in the classpath successfully.
I have also set up a vault, and inserted one value via the command line. I checked that the value exists.
I'm trying to use the vault entry in my application. So for example, in the properties file, if I put something like:
token.secret=mysecret
and then run one of my POST requests, it returns a key. I can run my JUnit test then and the assertion comes back true, that the encoding of the key did use the value "mysecret".
So if I put in "mysecret" into my vault:
vault.bat --keystore ..\vault\vault.keystore --keystore-password <password> --alias vault --vault-block mySecret --attribute myAtt --sec-attr mysecret --enc-dir ../vault --iteration 97 --salt abcdefgh
the command line gives back this to use:
${VAULT::mySecret::myAtt::1}
And then if I use this in my .properties file:
token.secret=${VAULT::mySecret::myAtt::1}
And make the same POST request, and run the JUnit test, it's saying the key returned wasn't generated from "mysecret".
How can I use the value in the vault within the properties file to get my JUnit test to pass?
I don't have an official answer of how I want it, but here is an alternative that can be used*.
Instead of referencing the vault from within the .properties file, you can put it within whichever standalone.xml (if of course you're using standalone mode) file your JBoss is using, under the system-properties node (create it if it's not there already):
<property name="token.secret" value="${VAULT::mySecret::myAtt::1}"/>
This then passes my assertion test.
*I'd still like someone to come along and tell me how to reference it from the .properties file...
Setup vault and store the vault property in a property file for e.g.
//vault.property file contents
KEYSTORE_URL=/home/userid/jboss/jbossvault.jceks
KEYSTORE_PASSWORD=MASK-0Kuitk9Sz/R./bViQcAEXY
KEYSTORE_ALIAS=appln_name_vault
SALT=12345678
ITERATION_COUNT=888
ENC_FILE_DIR=/home/userid/jboss
add in $JBOSS_HOME/standalone/configuration/standalone.xml
a. vault section
<vault>
<vault-option name="KEYSTORE_URL" value="${KEYSTORE_URL}"/>
<vault-option name="KEYSTORE_PASSWORD" value="${KEYSTORE_PASSWORD}"/>
<vault-option name="KEYSTORE_ALIAS" value="${KEYSTORE_ALIAS}"/>
<vault-option name="SALT" value="${SALT}"/>
<vault-option name="ITERATION_COUNT" value="${ITERATION_COUNT}"/>
<vault-option name="ENC_FILE_DIR" value="${ENC_FILE_DIR}"/>
</vault>
b. ssl key store section
<server-identities>
<ssl>
<keystore path="$JBOSS_HOME/keystore/Appln_Cert_KeyStore.jks" keystore-password="${VAULT::Appln_SSL_block::passphrase::1}"/>
</ssl>
</server-identities>
start jboss eap in standalone background mode
nohup $JBOSS_HOME/bin/standalone.sh -P /home/userid/jboss/vault-config.properties &
I tried to install confluence on my own ubuntu server, but always failed. The error is:
com.atlassian.util.concurrent.LazyReference$InitializationException: java.lang.IllegalStateException: Spring Application context has not been set
at com.atlassian.util.concurrent.LazyReference.getInterruptibly(LazyReference.java:149)
caused by: java.lang.IllegalStateException: Spring Application context has not been set
at com.atlassian.spring.container.SpringContainerContext.getComponent(SpringContainerContext.java:48)
I saw some solutions in the jira confluence forum saying try to fix the permission of installed directory and home directory. I tried but failed again. How can I fix the problem.
In my case the issue was corrupted confluence.cfg.xml file (contains DB connection stings and other settings). The file size was 0 bytes.
I would suggest to use a VM to create a new installation and borrow confluence.cfg.xml from that installation.
It's embarrassing that this behavior has been allowed to exist for nearly 7 years in a commercial product. This is a basic stuff...
I wish that was on instructions somewhere:
Make single backup copy of confluence.cfg.xml immediately before any writes to it by the application. Application should be able to restore from backed up copy if it gets corrupted.
Atlassian documentation lists the following causes of this problem:
The user running Confluence does not have write permissions to the home folder defined in <install>/confluence/WEB-INF/classes/confluence-init.properties or the install directory.
You are running Confluence as the root user or if you have an application firewall enabled (SeLinux or AppArmor).
The database driver is not located in the <install>/confluence/WEB-INF/lib folder or you are using a database version that is incompatible with the bundled driver.
The hostname of the server can not be resolved.
In my case I was running it as root user inside docker container.
In the Java API example they create a Datastore by using DatastoreHelper.getOptionsfromEnv
But this creates the warning
WARNING: Not using any credentials
and leads ultimately to:
DatastoreException(null): beginTransaction 401
I set my environment variables to the following:
export DATASTORE_DATASET={Project-ID}
export DATASTORE_HOST="https://www.googleapis.com/datastore/v1/datasets/{Project-ID}"
export DATASTORE_SERVICE_ACCOUNT="{email address}"
export DATASTORE_PRIVATE_KEY_FILE="{path to local p12 keyfile}"
But still when I try to see what the credentials are:
println("Datastore helper: " +DatastoreHelper.getOptionsfromEnv
.dataset(datasetId).build().getCredential)
I get null, what could be missing?
Also is there either a way to set the Credentials inside the project (instead of using the getOptionsfromEnv)?
The problem was that even though I used
source ~/.bash_profile
to refresh my environemnt variables and the echo command showed me that they were indeed updated, apperently I needed to restart my terminal (using Mac OSX) for them to be also updated for sbt and Scala.
I am not sure why this is the case and if this is Scala specific but now I managed to authenticate and communicate with the server.
I managed to figure it out by using the local installation of the Datastore Server and continuing to have the same problems.
I have a system wherein .NET clients authenticate against a Java server with Kerberos. Everything works, but I'm trying to improve the server configuration. Currently a keytab file is required in the root of C:\ because my jaas.conf looks like this:
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
isInitiator=false
keyTab="///C:/keytab"
principal="XXX";
};
I am trying to make the keyTab property a relative path, but am having no luck. What I've tried:
keyTab="///keytab"
keyTab="///./keytab"
keyTab="classpath:keytab"
All of these result in an exception, so clearly the keytab file cannot be found.
I've searched and read the docs and banged my head on a wall over this. Can anyone reveal the magical incantation I need to make this happen?
Please use keyTab="keytab"
Similar to the example:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part1.html
I tried as well putting the keytab in the same folder as the jaas.conf file (in the conf folder). Doing keytab="keytab" would not work. Fortunately, it uses the same configuration variables used elsewhere, so the solution was to set:
keyTab="${catalina.base}/conf/keytab"