Configure MongoDB to use TLS/SSL

The following information is required to configure TLS/SSL on Mongo:

• PEMKeyFile: This file that contains the TLS/SSL certificate and key. The mongod/mongos instance presents this file to its clients to establish the instance's identity.

• CAFile: This file that contains the certificate chain for verifying client certificates. The mongod/mongos instance use this file to verify certificates presented by its clients. The certificate chain includes the certificate of the root Certificate Authority.

Here we are using .pem file to configure MongoDB Server/Client to use TLS/SSL.

Mongo TLS/SSL Server Side Configuration:   

To use TLS/SSL connections and perform client certificate validation, include the following TLS/SSL settings in your mongod/mongos instance's configuration file(mongod.cfg).

mongod.cfg file can be open from your installation directory, in my case i installed Mongo DB in C drive i.e. C:\Program Files\MongoDB\Server\4.2\bin

Add the highlighted lines in your mongod.cfg file, as given below.

# mongod.conf

storage:
  dbPath: C:\Program Files\MongoDB\Server\4.2\data
  journal:
    enabled: true

systemLog:
  destination: file
  logAppend: true
  path:  C:\Program Files\MongoDB\Server\4.2\log\mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,localhost
  ssl:
    mode: requireSSL
    PEMKeyFile: C:\Program Files\MongoDB\Server\4.2\bin\application-key.pem
    CAFile: C:\Program Files\MongoDB\Server\4.2\bin\application-ca.pem

Once you add the above properties in mongod.cfg file, restart the MongoDB Server service.

Once you restart the service mongo server is now configured with ssl. 

To verify mongo server is successfully configured with ssl or not open mongod.log (C:\Program Files\MongoDB\Server\4.2\log) file, you will see below logs.

Now Mongo Server is successfully configured to take ssl connections.

Mongo TLS/SSL Client Side Configuration:   

Now RUN below openssl command to create PKCS12 file.

openssl pkcs12 -export -out application_keystore.pkcs12 -in application-key.pem -password pass:changeit

Once your PKCS12 file is created, now we have to create JKS file using below command from cmd. Open cmd from PKCS12 file location, and execute below command. 

Once you execute below command you need to enter password, in my case i use the default keystore password i.e changeit.

After entering the password 3 times JKS file will generate at same location.

keytool -importkeystore -srckeystore application_keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

Now we need to put this JKS file path in your java code as given below, and restart your application.

System.setProperty("javax.net.ssl.trustStore", "<path>/keystore.jks");

System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Another way if you do not want to add JKS file from your java code then add the JKS file directly in you  Java cacerts folder. Use below keytool command.

To run below command open cmd from java installation directory in my case i opened from C:\Program Files\Java\jdk1.8.0_65\jre\lib\security location.

keytool -importcert -alias <Alias Name> -file /application-key.pem -trustcacerts -keystore cacerts -storetype JKS

Once you execute above command it will ask for password, in my case i used the default keystore password i.e changeit. Once this is done then restart the application.

Read More »

Import self-signed certificate into Docker's JRE cacert

In order to import ssl certificate into Java Security cacert from Docker file use below keytool command in Docker file. 

First we need to copy the required file(.pem or .crt) into Docker with the help of below COPY commands.

To copy the .pem file in Docker image, add below command into Docker file.

COPY ./src/main/resources/application.pem application.pem

To copy the .crt file in Docker image, add below command into Docker file.

COPY ./src/main/resources/application_CA.crt application_CA.crt

Below keytool command copy the ssl certificate into Docker Java cacert folder.

<Alias Name>: Certificate Alias Name

<.crt file or .pem file Path>: Certificate file Name with path or .pem file name with path

RUN keytool -importcert -noprompt -alias <Alias Name> -file <.crt file or .pem file> -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storetype JKS -storepass changeit

Sample Docker File.

FROM openjdk:8
ADD ./target/sample_application.jar sample_application.jar
COPY ./src/main/resources/application.pem application.pem
RUN keytool -importcert -noprompt -alias sslAppCertificate -file application.pem -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storetype JKS -storepass changeit
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "sample_application.jar"]

Note: This application.pem file only contains certificate.

Read More »

How to access secrets in Azure Key Vault using Java Code

   

Below is the Java code to get Azure Key Vault Secret key Value.

Azure Key Vault is a cloud service that provides secure storage for secrets, such as passwords and database connection strings.

The Azure Key Vault Secrets client library allows you to securely store and tightly control the access to tokens, passwords, API keys, and other secrets. This library offers operations to create, retrieve, update, delete, purge, backup, restore, and list the secrets and its versions.

The following information is required to access the Azure Key Vault:

1. Key Vault URL
2. Client Id
3. Client Key

Use the Azure Key Vault Secrets client library to create and manage secrets.

<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-security-keyvault-secrets</artifactId>
    <version>4.2.7</version>
</dependency>

Other Required Dependency.

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.12.3</version>
</dependency>

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>2.12.3</version>
</dependency>

<dependency>
    <groupId>io.projectreactor</groupId>
    <artifactId>reactor-core</artifactId>
    <version>3.4.5</version>
</dependency>

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-annotations</artifactId>
    <version>2.12.3</version>
</dependency>

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
import com.microsoft.azure.keyvault.models.SecretBundle;

/**
 * @author pushkarkhosla
 *
 */
public class AzureKeyVaultJavaConfigurationExample extends KeyVaultCredentials {

	private String clientId;
	private String clientKey;

	public AzureKeyVaultJavaConfigurationExample(String clientId, String clientKey) {
		this.clientId = clientId;
		this.clientKey = clientKey;
	}

	@Override
	public String doAuthenticate(String authorization, String resource, String scope) {
		AuthenticationResult token = getAccessTokenFromClientCredentials(authorization, resource, clientId, clientKey);
		return token.getAccessToken();
	}

	private static AuthenticationResult getAccessTokenFromClientCredentials(String authorization, String resource,
			String clientId, String clientKey) {
		AuthenticationContext context = null;
		AuthenticationResult result = null;
		ExecutorService service = null;
		try {
			service = Executors.newFixedThreadPool(1);
			context = new AuthenticationContext(authorization, false, service);
			ClientCredential credentials = new ClientCredential(clientId, clientKey);
			Future<AuthenticationResult> future = context.acquireToken(resource, credentials, null);
			result = future.get();
		} catch (Exception e) {
			throw new RuntimeException(e);
		} finally {
			service.shutdown();
		}

		if (result == null) {
			throw new RuntimeException("authentication result was null");
		}
		return result;
	}

	public static void main(String[] args) {
		try {
			KeyVaultClient client = new KeyVaultClient(new AzureKeyVaultJavaConfigurationExample(
					"Client Id", "Client Key"));

			SecretBundle secret = client.getSecret("Azure Key Vault Url",
					"Secret Key");

			System.out.println("------" + secret.value());

		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

Read More »