About Me

My photo
Rohit leads the Pivotal Labs App Modernization Practice in engineering, delivery training & cross-functional enablement, tooling, scoping, selling, recruiting, marketing, blog posts, webinars and conference sessions. Rohit has led multiple enterprise engagements including ones featured in the Wall Street Journal. Rohit focuses on designing, implementing and consulting with enterprise software solutions for Fortune 500 companies on application migration and modernization.

Saturday, May 13, 2017

Application TLS, SSL, Mutual SSL with Cloud Foundry

_ With Significant Contributions from the Pivotal Services Team (Caleb, Anwar, Biju, Shaozhen, Zac, Mark)  _

It is critical that applications encrypt data in motion. To get a refresher on WHY this is important read Justin Smith's post on a more practical approach on encrypting data in motion. In cloud foundry TLS inbound to an app in CF is terminated either at the load balancer or at the goRouter. Outbound mutual two-way TLS to a remote endpoint from the application in pivotal cloud foundry (PCF) requires that the app in PCF trusts the server certificate and the remote endpoint needs to trust the client cert presented by the PCF app.  A two way trust needs to be established. In Java this is done using Keystore's and Truststore's. 

KeyStore : A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption.

TrustStore : A Truststore is used to store certificates from trusted Certificate authorities(CA) which are used to verify certificate presented by Server in SSL Connection. There are no private keys in the truststore. 
  
Typically JVM  Keystores and Truststores are manipulated using the keytool. In cloud foundry these keystore cannot be manipulated directly within the JVM since the JVM is provisioned by the buildpack. You can supply the JVM Keystores and Truststores 1. within the app. 2. using environment variables or 3. with a third party trusted intermediary like Vault. So how does one achieve this ? Here are some projects that will enable you to achieve mutual two-way SSL also know as client authentication between client and Server with apps in Cloud Foundry.

Spring Boot Client authentication demo : Packages the keystore(certs  and private key) and truststore within the app and loads them with getClassLoader().getResource
https://github.com/viniciusccarvalho/boot-two-way-ssl-example 

Fork of Spring Boot Client Auth Demo: Packages keystores(certs and private key) and truststores within the app and specifies the location using environment variables.

Cloud Foundry Certificate Truster: When certificates are to be downloaded from a remote location and not available at startup CloudFoundryCertificateTruster will download certificates and add them to the JVM truststore at the earliest possible time. This can be forked to load certs from any 3rd party trusted store like Vault.  Override L160.
https://github.com/pivotal-cf/cloudfoundry-certificate-truster

MutualAuthAutoConfiguration: _coming soon_ The pivotal services team (@zacbergquist, @biju) have written a spring boot starter  to automatically append Certs to the internal trust store. We intend to make this repo public soon, MutualAuthAutoConfiguration modifies the app SSL context based on base64 encoded Keystore and password specified as properties.