Pivotal Knowledge Base

How to tell application containers (running Java apps) to trust self-signed certs or a private/internal CA

Environment

Product: Pivotal Cloud Foundry® (PCF)
Version: All
Buildpack/Language: Java Buildpack / Java
OS: Linux

Purpose

Applications running on PCF that need to access external SSL/TLS endpoints whose certificates are not signed by a public CA must be told to trust the self-signed certificate or the private/internal Certificate Authority (CA) that issued it. Because the approach differs between Java and non-Java applications, this article covers Java applications only.

Procedure

Option 1: Import the cert into a Java truststore file, package the file with the Java application and point the JVM at it through the JAVA_OPTS environment variable; the truststore file can be placed under the resources directory. This is suited to a single application. Note that setting javax.net.ssl.trustStore replaces the JRE's default cacerts for that application, so the custom truststore must also contain any public CA roots the application needs.

  • By using the 'cf set-env' command:
    cf set-env <app> JAVA_OPTS '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore'
  • By using manifest.yml:
    ---
    applications:
    - name: java-app
      ...
      env:
        JAVA_OPTS: '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore'

Option 2: Create a .profile.d folder under the application root directory (for a war this is usually src/main/webapp; for a jar it is usually src/main/resources) and add a shell script under .profile.d that calls keytool to import a cert packaged with the application into the JRE's trust store. This is also suited to a single application; an example script is shown below:

#!/bin/bash
# Import the cert packaged at WEB-INF/ssl/MyCert.crt into the buildpack JRE's default trust store (default password: changeit)
$HOME/.java-buildpack/open_jdk_jre/bin/keytool -keystore $HOME/.java-buildpack/open_jdk_jre/lib/security/cacerts -storepass changeit -importcert -noprompt -alias MyCert -file $HOME/WEB-INF/ssl/MyCert.crt
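A more defensive variant of the Option 2 script, added here as an illustration (it is not the knowledge base's script): it checks that the packaged cert and the buildpack JRE are where it expects them, skips the import if the alias is already present, and reports failure without aborting app start, since .profile.d scripts are sourced by the launcher. The TRUST_CERT_FILE, TRUST_CERT_ALIAS, TRUSTSTORE_PASS and JRE_DIR override variables are this example's own assumptions.

```bash
#!/bin/bash
# .profile.d/10-trust-private-ca.sh  (constructed example, not the KB's script)
# Sourced by the container launcher before the app starts, so it must never
# call 'exit'; a failure is reported and the app still starts.

CERT_FILE="${TRUST_CERT_FILE:-$HOME/WEB-INF/ssl/MyCert.crt}"  # cert packaged in the app
CERT_ALIAS="${TRUST_CERT_ALIAS:-private-ca}"
STORE_PASS="${TRUSTSTORE_PASS:-changeit}"                     # JRE default cacerts password
JRE_DIR="${JRE_DIR:-$HOME/.java-buildpack/open_jdk_jre}"      # where the Java buildpack unpacks the JRE

# Print the JRE dir if it holds a usable keytool; fail otherwise.
find_jre() {
  [ -x "$JRE_DIR/bin/keytool" ] || return 1
  printf '%s\n' "$JRE_DIR"
}

# 0 if the alias is already in the store, so a second run is a no-op.
alias_present() {  # $1=keytool  $2=cacerts
  "$1" -list -keystore "$2" -storepass "$STORE_PASS" -alias "$CERT_ALIAS" >/dev/null 2>&1
}

# Import CERT_FILE into the JRE's cacerts. Returns 0 on import or if already present.
import_cert() {  # $1=JRE dir
  local keytool="$1/bin/keytool" cacerts="$1/lib/security/cacerts"
  [ -r "$CERT_FILE" ] || { echo "trust-ca: $CERT_FILE not found" >&2; return 1; }
  [ -w "$cacerts" ]   || { echo "trust-ca: $cacerts not writable" >&2; return 1; }
  if alias_present "$keytool" "$cacerts"; then
    echo "trust-ca: alias $CERT_ALIAS already in cacerts"
    return 0
  fi
  "$keytool" -importcert -noprompt -trustcacerts -keystore "$cacerts" \
    -storepass "$STORE_PASS" -alias "$CERT_ALIAS" -file "$CERT_FILE"
}

# Only act when the buildpack JRE is present (i.e. inside a staged container).
if jre="$(find_jre)"; then
  import_cert "$jre" || echo "trust-ca: import failed; starting without the private CA" >&2
fi
```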

Option 3: CF Certificate Truster. Similar to Option 2, but there is no need to write the script yourself.

Option 4: When developing multiple applications, fork the Java buildpack and override the keystore by adding it to the buildpack's resources:

  1. Upload the custom buildpack to PCF or keep it on GitHub.
  2. When deploying applications to PCF, specify the custom buildpack with the -b option.
  3. Although this requires maintaining a fork of the Java buildpack, it works well for multiple applications because no per-application configuration is needed.

Option 5: With PCF 1.7+, trusted certs can be added to the platform itself. With Java buildpack 3.11 or older, you then need to configure the Java buildpack to import the container certificates into the trust store; starting with Java buildpack 3.12, it does this out of the box. Injecting certs into the platform this way also affects non-Java applications deployed on the foundation, and it requires PCF admin privileges to run "Apply Changes" in Ops Manager.

Additional Information

For applications deployed to Pivotal Web Services (PWS), please refer to options 1, 2, 3 and 4 (with the buildpack on GitHub), as option 5 applies only to on-premise PCF installations.

 
