Scenario
Trying to configure end to end ssl encryption from ALB to Spring boot application.
Steps Done
ACM created
created a domain name in ACM and downloaded the public certificate chain using GetCertificateRequest API.
Domain name is *.mnkartik.com
create a truststore.jks and imported the certificates and chain as trusted sources.
spring boot application on ec2
configure the ALB with the target source as EC2
created self signed certificate and keystore as keystore.jks
configured the application as below in properties
server.port=8080
server.ssl.key-store = classpath:keystore.jks
server.ssl.key-store-password = password
server.ssl.key-password = password
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA
server.ssl.enabled=true
server.ssl.trust-store=classpath:truststore.jks
server.ssl.trust-store-password=password
when hit using the EC2 public api to spring boot application running on 8080 with https:// its working with an unsecured error ( as obvious ) with response printed successfully.
Problem
But when hitting the alb url, its returning as 502 Bad gateway error. Could not be able to solve.
This is ec2 result
ALB result
Related
We have received crt, pfx and key file from our server team which is a Spring boot application. These are not self signed certificates.
Now, we are requested to use the certificates and change our code to our server application via HTTPs.
Can some one please advice how to load these certificates and establish the connection with Java server application.
I am trying to setup SSO using Azure AD. Our aplication is a spring boot application deployed on Amazon ECS.
For this I have refered https://dummybot.medium.com/saml-integration-with-spring-boot-spring-security-microsoft-azure-ad-b9610bdb78b9, which uses Spring Security SAML2 with Spring Boot.
In our case the application exposes the port 8080 from docker container and doesn't have its own SSL configuration. We are using Amazon ELB as load balancer in which the SSL is configured and through the load balancer we can access the application https://our-domain.com
When testing application locally I am able to login successfully when https://localhost:8443/saml/sso is added as a reply Url in Azure AD.
When I add only the https://our-domain.com/saml/sso as reply URL and try logging in while executing application locally, I get this error:
correct http protocol and port in AD request
which is expected as we dont have https://localhost:8080/.. as white listed reply URL in Azure AD now.
But what I noticed here in the error message is https://localhost:8080/... doesn't match the reply URL, which is correct, but there is no change in HTTP protocol or port 8080 which I am trying to access.
But, When I try to access the application deployed on AWS ECS using https://our-domain.com, I am successfully redirected to login page, but there I get this error.
incorrect http protocol and port in AD request
Where I can see HTTP protocol has been changed from https to http and the port is passed in the request as 8443.
I could see only in our AWS ELB which has configuration for SSL certificate and has a HTTPS listener 8443, and I am suspecting it is due to this the incorrect reply URL is passed by the Spring Security in the Azure AD Authentication request.
Amazon ELB configuration
I have tried to find solution for this and found an issue reported in Spring-Security-Saml project at https://github.com/spring-projects/spring-security-saml/issues/447, which talks about SAMLContextProviderLB as the context provider bean.
More details in Spring-Security SAML Extension documentation: https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/htmlsingle/#configuration-load-balancing
Although it is mentioned in the documentation for latest version of Spring-Security SAML Extension, I cant find this class, but it is available in older 1.0.x version of extension. Hence I am not able to use it.
Can someone please provide any pointers to fix this issue..
Thanks
I'm using a spring boot application like a bridge between an Angular application and a Java server. The spring booT app is at the same time a server for the angular app and a client for the java server.
I need to create a Secure Socket Layer (SSL) connection.
My problem is that I don't know how to create an SSL connection between spring-boot app (like a client) and the Java server.
I have done similar things before. You need to:
Create and make the Server side use ssl certificate (like here)
Install the public key of the ssl certificate (you can download the public key part using a browser and clicking the lock icon; to do this, just have a dummy api and call it) in a keystore (JKS).
Make spring boot application use the JKS (-D parameter in java -jar call).
Running a Java web service with embedded Jetty web container. Would like to serve my RESTful API endpoints over HTTPS with a root CA-signed SSL cert (no OpenSSL).
Can I configure my embedded Jetty container to use a "free" AWS Certificate Manager cert cert or are those certs only for use by AWS infrastructure (ELB, CloudFormation, etc.)? If so can I assume these certs are root CA-signed?
Basically I'm trying to figure out whether I need to spend a few hundred bucks on a Thawte/GoDaddy cert or if I can get one for free via AWS.
From Mark's comment:
"AWS Certificate manager certs can only be used by ELB, CloudFront and API Gateway. You would have to place an ELB, or a CloudFront distribution in front of your Jetty application in order to use an ACM SSL certificate."
So yes you can use one of the free AWS root CA-signed certs if you put your Jetty-based services behind ELBs.
I need to create a Java based XML web service client which is deployed in IBM WAS server which calls web service hosted by external system. Here 2 way ssl authentication mechanism should be there.
Configuration team has already set up the below things in quality environment of client and web service appservers:
At WAS server in which my web service client exists:
server certificate in the trustStore
client certificate is available in the keystore
At App server in which actual WebService exists:
server certificate in the keyStore
client certificate is available in the trust store
Coding:
we Auto generated classes using WSDL file provided by WS provider.
called the WS method normally like there is no 2 way ssl authentication mechanism in place.
problem: we are getting a connection exception when calling web service method from WS Client.Seems we have trouble with the 2 way ssl mechanism.
Full StackTrace Image as requested:
Assumptions:
we assumed that the entire handshake process of 2 way SSL process happens automatically when the web service call is done normally from the client.
Queries:
Is our assumption correct that entire handshake process happens
automatically here especially client sending its certificate ?
Do we need to specify at code level in java any details of path of
trust Store or KeyStore before calling the web service method to enable client to send its certificate ?
If Yes for Qn 2 do we need to set below properties in code as mentioned in some reference links
before calling WS method in client:
System.setProperty("javax.net.ssl.keyStore", "path/to/your/key");
System.setProperty("javax.net.ssl.keyStorePassword", "your-keystore- password");
System.setProperty("javax.net.ssl.trustStore","path/to/your/trust/keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "your-truststore-password");
Any suggestions/advice are highly welcome as we are stuck with this since few days.Its the first time we are working on web services which need 2 way SSL.