|Pivotal Cloud Foundry® (PCF)||All|
For applications running on PCF that need to access external SSL/TLS endpoints whose certs are not signed by public CA, it is required to tell applications to trust self-signed certs or a private/internal Certificate Authority (CA). As the approach is different for Java and non-Java applications, this article discusses how to implement Java applications only.
Option 1: Import the cert to Java truststore file, pack the file into Java application and specify its path via JAVA_OPTS environment variable; the truststore file can be placed under resource directory. This can be used for single applications:
- By using the 'cf set-env' command:
cf set-env <app> JAVA_OPTS '-Djavax.net.ssl.TrustStore=classpath:resources/config/truststore'
- By using manifest.yml:
--- applications: - name: java-app ... env: JAVA_OPTS: '-Djavax.net.ssl.TrustStore=classpath:resources/config/truststore'
Option 2: Create .profile.d folder under app root directory(for war, it's usually src/main/webapp, for jar, it's usually src/main/resources), add a shell script under .profile.d that calls keytool and imports a cert that is packaged with the application. This is useful for single applications, please find the script example as shown below:
$HOME/.java-buildpack/open_jdk_jre/bin/keytool -keystore $HOME/.java-buildpack/open_jdk_jre/lib/security/cacerts -storepass changeit -importcert -noprompt -alias MyCert -file $HOME/WEB-INF/ssl/MyCert.crt
Option 3: CF Certificate Truster. Similar to Option 2, but no need to write an external script.
- Upload the custom buildpack to PCF or keep it on Github
- When deploying applications to PCF, specify the custom buildpack with
- Although this requires maintaining the fork of Java build pack, it is good for use with multiple applications which means there is no need to configure each application.
Option 5: With PCF 1.7+, there is an option to add trusted certs to the platform. If you have Java build pack 3.11 or older, you then need to configure Java build pack to import contain certificates into the trust store. Starting with Java build pack version 3.12, it is configured to do this out of the box. Injecting certs into the platform using this option will also affect non-Java applications deployed on the foundation. It requires PCF admin privilege to run "Apply Change" on Ops Manager.
For applications deployed to Pivotal Web Services (PWS), please refer option 1, 2, 3, 4 (with buildpack on Github) as option 5 is only for on-premise PCF installation.