Adding CA Certificate to Java Buildpack for PCF Deployment

jerome.dev :

I want to use the same Java Buildpack that can be found here: https://github.com/cloudfoundry/java-buildpack/ but I want to be able to add a public certificate to this package as my application will not run properly without this installed certificate. How would I go about adding this certificate and deploying the updated buildpack to PCF?

Daniel Mikusa :

I would strongly discourage you from trying to add the cert to the buildpack itself. That requires forking the buildpack and that creates a maintenance burden for you (you essentially need to maintain that fork forever).

Instead, I would suggest you either bundle the cert with your app or use Bosh trusted certs to deploy the cert to all application containers by default.

If you need the cert for just a couple apps, it's easier to bundle it with the apps. If you need it site wide, like a company/internal certificate authority, then you should deploy it as a Bosh trusted cert.

To bundle with the app, there are a couple options:

  • You can set JAVA_OPTS to include -Djavax.net.ssl.trustStore and point that to the truststore you bundle with the app. Keep in mind this completely overrides the default truststore, so you need to have all the usual defaults plus your custom trusted certs. It's easiest to start with the default truststore and add to it.

    Ex:

    cf set-env <app> JAVA_OPTS '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore'
    
  • You can add a .profile script that runs and imports your custom trusted certs into the default keystore. The contents of your .profile script would look like this.

    #!/bin/bash
    # Import the bundled cert into the JRE's default truststore (cacerts) before the app starts.
    # "changeit" is the default password of the JDK cacerts file; MyCert is the alias to store it under.
    "$HOME/.java-buildpack/open_jdk_jre/bin/keytool" \
        -keystore "$HOME/.java-buildpack/open_jdk_jre/lib/security/cacerts" \
        -storepass changeit \
        -importcert -noprompt \
        -alias MyCert \
        -file "$HOME/WEB-INF/ssl/MyCert.crt"


    It is tricky to get the .profile script in just the right location. It needs to end up in the root of the WAR or JAR file that you generate. If you run jar tf <jar-or-war-file>, you should see .profile listed without any leading path. If there's a path in front of the file, then it's in the wrong place.

Hope that helps!
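As an added example (not part of the answer above, nor the buildpack's own code), a fuller .profile that imports every certificate in a directory into the default cacerts, skips aliases that are already present so a restart does not fail on duplicates, and a small helper for the jar tf placement check. The paths are the buildpack layout named in the answer; the KEYTOOL/CACERTS/CERT_DIR/STOREPASS overrides are this example's own assumptions.

```shell
#!/bin/bash
# .profile for a Java buildpack app: import every *.crt / *.pem in $HOME/WEB-INF/ssl
# into the JRE's default cacerts truststore at container start.
# Paths follow the buildpack layout from the answer; the env overrides are assumptions.
KEYTOOL="${KEYTOOL:-$HOME/.java-buildpack/open_jdk_jre/bin/keytool}"
CACERTS="${CACERTS:-$HOME/.java-buildpack/open_jdk_jre/lib/security/cacerts}"
CERT_DIR="${CERT_DIR:-$HOME/WEB-INF/ssl}"
STOREPASS="${STOREPASS:-changeit}"   # default password of the JDK cacerts file

# Derive a keytool alias from a certificate filename: "Corp-Root.CRT" -> "corp-root".
cert_alias() {
  basename "$1" | sed -e 's/\.[^.]*$//' | tr '[:upper:]' '[:lower:]'
}

# Import each *.crt / *.pem under $1 into keystore $2. Aliases already present are
# skipped, so re-running on restart is harmless. Prints the number of certs imported.
import_certs() {
  local dir="$1" store="$2" imported=0 cert alias
  for cert in "$dir"/*.crt "$dir"/*.pem; do
    [ -f "$cert" ] || continue
    alias=$(cert_alias "$cert")
    if "$KEYTOOL" -list -keystore "$store" -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1; then
      echo "skip: alias '$alias' already in $store" >&2
      continue
    fi
    if "$KEYTOOL" -importcert -noprompt -keystore "$store" -storepass "$STOREPASS" \
         -alias "$alias" -file "$cert" >/dev/null 2>&1; then
      imported=$((imported + 1))
    else
      echo "warn: failed to import $cert" >&2   # do not abort app start on one bad cert
    fi
  done
  echo "$imported"
}

# Read a `jar tf` listing from stdin and succeed only if .profile sits at the archive
# root, i.e. a line that is exactly ".profile" (not "BOOT-INF/.profile" or similar).
profile_at_root() {
  grep -qxF '.profile'
}

# Only run the import when the buildpack JRE is actually present (inside the app
# container), so sourcing this file elsewhere has no side effects.
if [ -x "$KEYTOOL" ]; then
  n=$(import_certs "$CERT_DIR" "$CACERTS")
  echo "imported $n certificate(s) into $CACERTS" >&2
fi
```

Before pushing, `jar tf app.war | profile_at_root && echo ok` confirms the script landed at the archive root as the answer requires.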
