HTTPS SSL TLS support
The operators now support HTTPS using Java keystores for the server certificate and client certificates.
This page generically covers setting up Jetty: http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
- Everything up to the "Configuring SslContextFactory" section applies to the operators: you create a certificate for the Jetty server to use and then put it into a Java key store.
- For testing, the section "Generating Keys and Certificates with JDK's keytool" describes how to create a self-signed certificate using this command from your Java install:

```
keytool -keystore keystore -alias jetty -genkey -keyalg RSA
```
Configuring the Jetty server for HTTPS is done through operator parameters. The operators are configured to use a certificate from a Java key store; specifying a certificate enables HTTPS, using TLSv1.2, TLSv1.1 or TLSv1.0. A certificate is specified using these parameters:

- `port`: Port for HTTPS, defaults to 8080.
- `keyStore`: URL to the key store containing the certificate. If it is a relative file path, it is taken as relative to the application directory.
- `keyStorePassword`: Password to the key store.
- `certificateAlias`: Alias of the server certificate to use in the key store.
- `keyPassword`: Password to the certificate. If not provided, defaults to the value of `keyStorePassword`.
All password parameters accept the Jetty obfuscated password style, which provides protection from casual viewing only. If a password value starts with `OBF:` it is assumed to be already obfuscated; otherwise it is obfuscated before being passed to Jetty. The Jetty utility `org.eclipse.jetty.util.security.Password` may be used to obfuscate passwords, for example when passing them as submission-time values. In addition, the SPL function `com.ibm.streamsx.inet.rest.obfuscate(rstring)` is provided as an option to obfuscate values.
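The following Python reimplementation of Jetty's OBF scheme is an added example, not code from this wiki page or from the streamsx.inet toolkit. It makes the "casual viewing only" caveat concrete: the transform is a fixed, key-less encoding that `org.eclipse.jetty.util.security.Password.deobfuscate()` reverses directly, so an `OBF:` value in an SPL file or a submission-time parameter must still be protected like the plaintext password. `normalize_password` mirrors the rule stated above (values already starting with `OBF:` pass through, anything else is obfuscated first). The function names and the sample password are assumptions; the expected string for `keypwd` is the one the algorithm produces.

```python
"""Jetty-style OBF password obfuscation (added example, not toolkit code).

Mirrors org.eclipse.jetty.util.security.Password.obfuscate()/deobfuscate()
closely enough to produce the same strings. OBF: is a reversible encoding,
not encryption: anyone holding the value can recover the password.
"""

_OBF_PREFIX = "OBF:"
_DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _base36(n: int) -> str:
    """Lower-case base-36 encoding, matching Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_DIGITS36[r])
    return "".join(reversed(out))


def obfuscate(password: str) -> str:
    """Return the OBF: form of a plaintext password."""
    b = password.encode("utf-8")
    n = len(b)
    parts = [_OBF_PREFIX]
    for i in range(n):
        b1 = b[i]            # byte read from the front
        b2 = b[n - 1 - i]    # mirrored byte read from the back
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII bytes: Jetty emits 'U' plus both raw bytes in base 36
            parts.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            parts.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(parts)


def deobfuscate(value: str) -> str:
    """Invert obfuscate(); accepts the value with or without the OBF: prefix."""
    s = value[len(_OBF_PREFIX):] if value.startswith(_OBF_PREFIX) else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i0 = int(s[i + 1:i + 5], 36)
            out.append(i0 >> 8)               # high byte is the original b1
            i += 5
        else:
            i0 = int(s[i:i + 4], 36)
            i1, i2 = divmod(i0, 256)
            out.append((i1 + i2 - 254) // 2)  # i1 + i2 == 254 + 2*b1
            i += 4
    return out.decode("utf-8")


def normalize_password(value: str) -> str:
    """Rule used by the operators: OBF: values pass through untouched,
    everything else is obfuscated before it reaches Jetty."""
    if value.startswith(_OBF_PREFIX):
        return value
    return obfuscate(value)


if __name__ == "__main__":
    plain = "keypwd"                          # constructed sample password
    obf = obfuscate(plain)
    print(obf)                                # OBF:1u2u1wml1z7s1z7a1wnl1u2g
    print(deobfuscate(obf) == plain)          # True: trivially reversible
    print(normalize_password(obf) == obf)     # already-OBF values pass through
```

Because decoding needs no key, treat the obfuscated `keyStorePassword` and `trustStorePassword` values exactly as you would the plaintext: keep them out of shared SPL sources and logs, and prefer passing them as submission-time values that are stored with the same access controls as the key stores themselves.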
Note that a single Jetty instance (potentially shared by multiple operators) either uses HTTPS or HTTP, not both. When multiple operators are fused to use the same HTTPS port, then they must all be configured identically using the operator parameters.
Once HTTPS is enabled, client certificate authentication is enabled by supplying a trust store containing the trusted client certificates. The operators are configured to use client authentication by these parameters:

- `trustStore`: URL to the key store containing trusted client certificates. If it is a relative file path, it is taken as relative to the application directory.
- `trustStorePassword`: Password to the trust store.
This is how I generated a self-signed client certificate for testing the operators.

1. Create a client key store with a client certificate:

```
keytool -keystore client.jks -alias client -genkey -keyalg RSA
```

2. Export the certificate to `client_test.crt`:

```
keytool -export -alias client -file client_test.crt -keystore client.jks
```

3. Import `client_test.crt` into a trust store. This makes the Jetty server trust any client that can present that certificate. `truststore.jks` is the trust store the operator will use, through the `trustStore` parameter:

```
keytool -import -alias client1 -file client_test.crt -keystore truststore.jks
```

4. For testing, export the certificate as PKCS12 so that a browser (e.g. Chrome or Firefox) can use it for client authentication:

```
keytool -importkeystore -srckeystore client.jks -alias client -destkeystore dan.p12 -deststoretype PKCS12 -destkeypass PASSWORD
```

5. Use the settings/options -> advanced -> certificates dialog in your browser to add the `.p12` file.

When you then connect to the Jetty server running in the operators, your browser should ask you which certificate you want to use to authenticate.
Example: an `HTTPJSONInjection` operator that feeds into `HTTPTupleView`, both served over HTTPS with client authentication. `application/json` content that is POSTed to the inject URL is visible on the viewing URLs.
```
composite Main {
    graph
        stream<rstring jsonString> JS = com.ibm.streamsx.inet.rest::HTTPJSONInjection() {
            param
                // matches the alias passed to keytool
                certificateAlias: "jetty";
                // Path to your key store
                keyStore: "/home/streamsadmin/keys/keystore";
                keyStorePassword: "dan1234";
                // Remove these two parameters if client authentication is not required
                // Path to your trust store
                trustStore: "/home/streamsadmin/keys/truststore.jks";
                trustStorePassword: "dan5678";
        }

        () as TV = com.ibm.streamsx.inet.rest::HTTPTupleView(JS) {
            window
                JS: sliding, count(10);
            param
                // matches the alias passed to keytool
                certificateAlias: "jetty";
                // Path to your key store
                keyStore: "/home/streamsadmin/keys/keystore";
                keyStorePassword: "dan1234";
                // Remove these two parameters if client authentication is not required
                // Path to your trust store
                trustStore: "/home/streamsadmin/keys/truststore.jks";
                trustStorePassword: "dan5678";
        }
}
```