
mTLS Configuration


Marcus Olk

Feb 2, 2024, 7:28:52 AM
to ipf-user
Hi guys.

We are working on a proxy that shall enrich an incoming ITI-18 query
with some XML security assertion allowing RBAC security setup in the target registry.

The registry expects the proxy to present a client TLS certificate.
I am struggling to configure the IPF SpringBoot proxy application accordingly.

Could you give me a push into the right direction?

How do I configure the application to establish an mTLS connection to the XDS registry?

Cheers,

Marcus

Marcus Olk

Apr 3, 2024, 4:13:38 AM
to ipf-user
Quick update on this, as I figured it out myself.

Recap of the requirements:
  • IPF Springboot application
  • Expose https endpoint
  • Consume mTLS XDS registry endpoint
The only solution I found is as follows:

java \
-Djavax.net.debug=ssl \
-Djavax.net.ssl.keyStore="$KEYSTORE_LOCATION" \
-Djavax.net.ssl.keyStorePassword="$KEYSTORE_PASSWORD" \
-Djavax.net.ssl.keyStoreType=PKCS12 \
-Djavax.net.ssl.trustStore="$TRUSTSTORE_LOCATION" \
-Djavax.net.ssl.trustStorePassword="$TRUSTSTORE_PASSWORD" \
-Djavax.net.ssl.trustStoreType=PKCS12 \
-jar "$JAR_LOCATION" \
--server.ssl.key-store-type=PKCS12 \
--server.ssl.key-store="$KEYSTORE_LOCATION" \
--server.ssl.key-store-password="$KEYSTORE_PASSWORD" \
--server.ssl.trust-store-type=PKCS12 \
--server.ssl.trust-store="$TRUSTSTORE_LOCATION" \
--server.ssl.trust-store-password="$TRUSTSTORE_PASSWORD" \
--server.port=9091 \
--server.ssl.enabled=true \
--server.ssl.key-alias=xds-proxy-server \
--xds.backend.endpoint="xds-iti18://localhost:9090/services/xds-iti18?secure=true&audit=false"

So, as you can see, I needed to provide both:
  • the javax.net.ssl system properties and
  • the server.ssl properties.
fyi

Marcus

Quentin Ligier

Apr 4, 2024, 4:09:20 PM
to ipf-user
Hi Marcus,

The documentation contains the solution to open a TLS connection with a client certificate: https://oehf.github.io/ipf-docs/docs/ihe/wsSecureTransport

You can create an instance of SSLContextParameters as a Spring bean:
import org.apache.camel.support.jsse.KeyManagersParameters;
import org.apache.camel.support.jsse.KeyStoreParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.springframework.context.annotation.Bean;

// The bean name must match the "#customTlsContext" reference in the endpoint URI;
// a bare @Bean would be registered under the method name ("getCustomTlsContext").
@Bean("customTlsContext")
public SSLContextParameters getCustomTlsContext() {
    // Key managers: the client certificate and private key presented to the registry
    final var keyManagersParameters = new KeyManagersParameters();
    keyManagersParameters.setKeyPassword("PASSWORD");
    final var keyStoreParameters = new KeyStoreParameters();
    keyStoreParameters.setResource("/keystore.jks");
    keyManagersParameters.setKeyStore(keyStoreParameters);
    final var sslContextParameters = new SSLContextParameters();
    sslContextParameters.setKeyManagers(keyManagersParameters);
    // You might want to set a trust manager here too: sslContextParameters.setTrustManagers()
    return sslContextParameters;
}


and then specify it in your ITI-18 call with sslContextParameters:
.to("xds-iti18://localhost:9090/services/xds-iti18?secure=true&sslContextParameters=#customTlsContext")

Kind regards,
Quentin
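As an added example (not code from this thread or from the IPF project), here is the complete form of the bean Quentin describes: key managers for the proxy's client certificate, trust managers restricted to the CA that issued the registry's server certificate, passwords taken from Spring properties instead of source code, and the ITI-18 route that references the bean by name. The property names, file paths, key alias, registry host and bean name are assumptions.

```java
package example.xdsproxy;

import java.util.List;

import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.support.jsse.KeyManagersParameters;
import org.apache.camel.support.jsse.KeyStoreParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.apache.camel.support.jsse.SecureSocketProtocolsParameters;
import org.apache.camel.support.jsse.TrustManagersParameters;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example, not IPF project code. Builds one SSLContextParameters bean
 * that carries both halves of an mTLS client configuration and wires it into
 * the outbound ITI-18 endpoint by name. All property keys are assumed names.
 */
@Configuration
public class RegistryTlsConfig {

    // Assumed properties (application.properties or environment), e.g.:
    //   xds.tls.key-store=file:/etc/xds-proxy/client.p12
    //   xds.tls.key-store-password=...
    //   xds.tls.key-alias=xds-proxy-client
    //   xds.tls.trust-store=file:/etc/xds-proxy/registry-ca.p12
    //   xds.tls.trust-store-password=...
    // Camel resolves "file:" and "classpath:" prefixes on the resource strings.
    @Bean("registryTlsContext")
    public SSLContextParameters registryTlsContext(
            @Value("${xds.tls.key-store}") String keyStore,
            @Value("${xds.tls.key-store-password}") String keyStorePassword,
            @Value("${xds.tls.key-alias}") String keyAlias,
            @Value("${xds.tls.trust-store}") String trustStore,
            @Value("${xds.tls.trust-store-password}") String trustStorePassword) {

        // Client identity: the certificate the registry sees in the handshake.
        KeyStoreParameters ksp = new KeyStoreParameters();
        ksp.setType("PKCS12");
        ksp.setResource(keyStore);
        ksp.setPassword(keyStorePassword);

        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(ksp);
        kmp.setKeyPassword(keyStorePassword); // PKCS12: key password equals store password

        // Trust: only the registry's issuing CA, not the JVM-wide cacerts.
        KeyStoreParameters tsp = new KeyStoreParameters();
        tsp.setType("PKCS12");
        tsp.setResource(trustStore);
        tsp.setPassword(trustStorePassword);

        TrustManagersParameters tmp = new TrustManagersParameters();
        tmp.setKeyStore(tsp);

        // Pin the protocol versions offered to the registry.
        SecureSocketProtocolsParameters protocols = new SecureSocketProtocolsParameters();
        protocols.setSecureSocketProtocol(List.of("TLSv1.3", "TLSv1.2"));

        SSLContextParameters scp = new SSLContextParameters();
        scp.setKeyManagers(kmp);
        scp.setTrustManagers(tmp);
        scp.setCertAlias(keyAlias); // selects the client cert if the store holds several
        scp.setSecureSocketProtocols(protocols);
        return scp;
    }

    /** Outbound ITI-18 route; the registry host is an assumption. */
    @Bean
    public RouteBuilder registryQueryRoute() {
        return new RouteBuilder() {
            @Override
            public void configure() {
                from("direct:iti18-to-registry")
                    .to("xds-iti18://registry.example.org:9090/services/xds-iti18"
                        + "?secure=true&sslContextParameters=#registryTlsContext");
            }
        };
    }
}
```

Because the bean is referenced per endpoint, a second transaction to a different registry can get its own bean with a different client certificate and trust anchor, which the JVM-wide javax.net.ssl properties cannot express. When checking the result with -Djavax.net.debug=ssl, a registry that enforces mTLS sends a CertificateRequest; if the proxy's Certificate message in reply is empty, the key store, its password or the alias was not resolved.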

Marcus Olk

Apr 5, 2024, 2:11:44 AM
to ipf-user
Hi Quentin.

But this has the same effect as defining it via properties passed to the JVM, right?
Or am I missing something here?

Marcus

Quentin

Apr 5, 2024, 6:04:06 AM
to ipf-user
Hi Marcus,

It probably has the same effect (I've never tried setting the global properties).
The advantage is to be able to configure the trust-store/key-store per transaction, or even per transaction instance instead of configuring the application globally, and specify it in the usual property file.

Kind regards,
Quentin

Marcus Olk

Apr 5, 2024, 9:31:43 AM
to ipf-user
Hey Quentin.

The advantage is obvious, yes. If you set the JVM properties, those apply to the whole JVM, right.
I will try that one.

Cheers,

Marcus