How to add SSL certificate to Bluemix java cloud foundry application?

Question

I am developing microservices using Spring Boot, Java JDK 1.8, MongoDB driver for Java, and MongoDB. I have created MongoDB instance on Bluemix and I am connecting to this instance from Java microservices.

The MongoDB instance on Bluemix is SSL enabled and it provides the SSL certificate. For local development, I have Base64 decoded this certificate and I have imported this SSL certificate to my local Java keystore. So locally I am able to connect to the MongoDB instance on Bluemix without any issues.

When I am deploying my spring boot microservices as jar file to Bluemix using cf CLI, the microservices are unable to connect to the MongoDB on Bluemix because I haven't uploaded the SSL certificate which was provided by MongoDB.

Can someone please let me know the steps needed to upload the SSL certificate to Bluemix so my microservices can connect to the MongoDB instance?

Recommended answer

Option 1a

If you have a single certificate, you can use the spring-boot-ssl-truststore-gen which adds the certificate to the system truststore inside the buildpack:

First you need this in your pom.xml (or alternative):

<repositories>
   <repository>
      <id>jcenter</id>
      <url>http://jcenter.bintray.com</url>
      <snapshots>
        <enabled>true</enabled>
        <updatePolicy>never</updatePolicy>
        <checksumPolicy>warn</checksumPolicy>
      </snapshots>
       <releases>
         <enabled>true</enabled>
         <checksumPolicy>warn</checksumPolicy>
      </releases>
   </repository>
</repositories> 

<dependency>
    <groupId>com.orange.clara.cloud.boot.ssl-truststore-gen</groupId>
    <artifactId>spring-boot-ssl-truststore-gen</artifactId>
    <version>2.0.21</version>
</dependency>

If you are creating a cloud foundry app, next declare the certificate in your manifest.yml:

env:
    TRUSTED_CA_CERTIFICATE: |-
        -----BEGIN CERTIFICATE-----
        changeme
        -----END CERTIFICATE-----

When you cf push your application, the certificate will get added to the truststore.

If you aren't creating a cloud foundry app, set the environment variable TRUSTED_CA_CERTIFICATE with the value of your certificate, e.g.

$ export TRUSTED_CA_CERTIFICATE=<TRUSTED_CA_CERTIFICATE_VALUE>

Option 1b

The spring-boot-ssl-truststore-gen library does not support loading multiple certificates from the TRUSTED_CA_CERTIFICATE environment variable. If you have multiple certificates, you can try directly calling the ssl-truststore-gen api, e.g. from a static block in one of your classes:

package helloworld;

import com.orange.clara.cloud.boot.ssl.CertificateFactory;
import com.orange.clara.cloud.boot.ssl.DefaultTrustStoreAppender;
import com.orange.clara.cloud.boot.ssl.TrustStoreInfo;

public class CertLoader {

    public static final String SSL_TRUST_STORE_SYSTEM_PROPERTY = "javax.net.ssl.trustStore";
    public static final String SSL_TRUST_STORE_PASSWORD_SYSTEM_PROPERTY = "javax.net.ssl.trustStorePassword";

    static {
        String[] certs = {
            System.getenv("CERTIFICATE_1"),
            System.getenv("CERTIFICATE_2")
        };

        for (String cert : certs) {
            DefaultTrustStoreAppender trustStoreAppender = new DefaultTrustStoreAppender();
            TrustStoreInfo trustStoreInfo = trustStoreAppender.append(CertificateFactory.newInstance(cert));
            System.setProperty(SSL_TRUST_STORE_SYSTEM_PROPERTY, trustStoreInfo.getTrustStorefFile().getAbsolutePath());
            System.setProperty(SSL_TRUST_STORE_PASSWORD_SYSTEM_PROPERTY, trustStoreInfo.getPassword());
        }
    }
}

You would then need something like the following in your manifest.yml:

env:
    CERTIFICATE_1: |-
        -----BEGIN CERTIFICATE-----
        changeme
        -----END CERTIFICATE-----

    CERTIFICATE_2: |-
        -----BEGIN CERTIFICATE-----
        changeme
        -----END CERTIFICATE-----

Option 1c

Add the following to your pom.xml to automatically load the ssl certificates when your application starts up using https://github.com/snowch/spring-boot-ssl-truststore-gen:

<repository>
   <id>jitpack.io</id>
   <url>https://jitpack.io</url>
</repository>

<dependency>
   <groupId>com.github.snowch</groupId>
   <artifactId>spring-boot-ssl-truststore-gen</artifactId>
   <version>master</version>
</dependency>

or to your Gradle:

allprojects {
    repositories {
        ...
        maven { url 'https://jitpack.io' }
    }
}

compile 'com.github.snowch:spring-boot-ssl-truststore-gen:master'

Option 2

If you are creating a cloud foundry app and using the liberty buildpack, see this question and the accepted answer for adding an SSL certificate: Add certificate to truststore to enable SSL communication

Option 3

If you have access to the socket, e.g. you are instantiating a MongoClient() instance yourself rather than letting a library such as spring cloud connectors handle this for you, you could try https://www.compose.com/articles/easier-java-connections-to-mongodb-at-compose-2/
