I'm trying to get a keystore working to back the encryption capability of Spring Cloud Configuration Server. STS gives an error and encrypt/status continues to complain. I get an error in my application.yml file
server:
port: 8888
spring:
cloud:
config:
server:
git:
uri: ${GIT_CONFIG_URI}
username: ${GIT_USERNAME}
password: ${GIT_PASSWORD}
encrypt:
keyStore:
location: ${ENCRYPT_KEY_STORE_URL}
password: ${ENCRYPT_KEY_STORE_PASSWORD}
alias: ${ENCRYPT_KEY_STORE_ALIAS}
secret: ${ENCRYPT_KEY_STORE_SECRET}
IN STS: Unknown property 'spring.cloud.config.server.encrypt.keyStore'
The verbatim example from the documentation http://cloud.spring.io/spring-cloud-static/spring-cloud-config/1.3.1.RELEASE/#_security
encrypt:
keyStore:
location: classpath:/server.jks
password: letmein
alias: mytestkey
secret: changeme
Related
In my fresh Jhipster Registry 7.0.4 launch with jar application from github (with dev profile), I can see the logs menu (and all other).
I apply the default configuration files.
Application-dev.yml:
spring:
devtools:
restart:
enabled: false
livereload:
enabled: false
mail:
host: localhost
port: 25
username:
password:
security:
user:
name: admin
password: admin
role: USER,ADMIN
server:
port: 9762
compression:
enabled: true
mime-types: text/html,text/xml,text/plain,text/css, application/javascript, application/json
min-response-size: 1024
eureka:
client:
service-url:
defaultZone: http://admin:admin#localhost:9762/eureka
logging:
file: logs/jhipster-registry.log
level:
ROOT: INFO
io.github.jhipster: INFO
io.github.jhipster.registry: INFO
jhipster:
http:
cache: # Used by the CachingHttpHeadersFilter
timeToLiveInDays: 1461
security:
authentication:
jwt:
token-validity-in-seconds: 86400
token-validity-in-seconds-for-remember-me: 2592000
mail: # specific JHipster mail property, for standard properties see MailProperties
from: JHipsterRegistry#localhost
base-url: http://my-server-url-to-change # Modify according to your server's URL
logging:
logstash: # Forward logs to logstash over a socket, used by LoggingConfiguration
enabled: false
host: localhost
port: 5000
queue-size: 512
cache:
hazelcast:
# application:
registry is OK I can use it but I can't see and configure log level of jhipster of any module registered. How can I see them ?
I am using spring config server with 2 backends : git and vault (for secrets), and i have a clients apps that connect to the config server to get distant configuration (git and vault).
I have this configuration:
config server
server:
port: 8888
spring:
profiles:
active: git, vault
cloud:
config:
server:
vault:
host: hostName
kvVersion: 1
order: 1
backend: secret/cad
scheme: https
port: 443
git:
order: 2
uri: git#gitlab.git_repo
ignoreLocalSshSettings: true
force-pull: true
deleteUntrackedBranches: true
privateKey: key
and client side
spring:
application:
name: my_app_name
cloud:
vault:
config:
uri: http://localhost:8888
token: s.token
fail-fast: true
With this way I have to change the token for every client every day (token expire 24h). Is there a way to renew the token with this configuration or there is another way to authenticate to the vault?
spring.cloud.vault:
config.lifecycle:
enabled: true
min-renewal: 10s
expiry-threshold: 1440m
lease-endpoints: Legacy
1440 minutes = 24h
Reference: https://cloud.spring.io/spring-cloud-vault/reference/html/#vault-lease-renewal
I am trying to set up a micronaut project with multiple consumers each with different bootstrap server and ssl certs. I am not setting global bootstrap server and certs. This does not work. Any suggestion is appreciated.
One another option is to combine the certs into one jks file and set global bootstrap and ssl configuration.
kafka:
consumers:
group1:
bootstrap:
servers: $someserver1
ssl:
keystore:
location: /keystore.jks
password: password
truststore:
location: /truststore.jks
password: password
type: PKCS12
security:
protocol: ssl
group2:
bootstrap:
servers: $someserver2
ssl:
keystore:
location: /keystore-1.jks
password: password
truststore:
location: /truststore-1.jks
password: password
type: PKCS12
security:
protocol: ssl
The above config does work fine but u need to disable the kafka health check or provide a combined ssl certs otherwise micronaut kafka health check fails. This is true with 1.2.7 version of micronaut.
kafka:
health.enabled: false
consumers:
group1:
bootstrap:
servers: $someserver1
ssl:
keystore:
location: /keystore.jks
password: password
truststore:
location: /truststore.jks
password: password
type: PKCS12
security:
protocol: ssl
group2:
bootstrap:
servers: $someserver2
ssl:
keystore:
location: /keystore-1.jks
password: password
truststore:
location: /truststore-1.jks
password: password
type: PKCS12
security:
protocol: ssl
The issue is that consumer classes are not annotated quite correctly. Here is what worked for me:
In application.yml (note that both servers use the same SSL certs):
kafka:
consumers:
group1:
topic: some-topic-1
bootstrap:
servers: server-1:9092
group2:
topic: some-topic-2
bootstrap:
servers: server-2:9092
ssl:
keystore:
location: /keystore.jks
password: "password1"
truststore:
location: /truststore.jks
password: "password2"
security:
protocol: ssl
Then, annotate your classes to set consumer specific properties. Example in Kotlin:
#KafkaListener(
properties = [Property(name = ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, value = "\${kafka.consumers.group1.bootstrap.servers}")],
)
class TestConsumer1() {
#Topic("\${kafka.consumers.group1.topic}")
fun receiveMessage(record: ConsumerRecord<String, String>, acknowledgement: Acknowledgement) {
TODO("Handle events from server-1:9092 and some-topic-1 :)")
}
}
More information on the #KafkaListener and properties can be found here: https://micronaut-projects.github.io/micronaut-kafka/latest/guide/#kafkaListenerConfiguration
When i launch my server with prod profile, I can connect with admin admin in my JHipster application, but I can't save any data when I want to create a new object (I have an InternalServerError). However in dev profile with the same database (PostgreSQL) it's working well.
Moreover I don't know how to get logs when using prod profile to understand the problem.
I can add the configuration file for the prod profile
# ===================================================================
# Spring Boot configuration for the "prod" profile.
#
# This configuration overrides the application.yml file.
# ===================================================================
# ===================================================================
# Standard Spring Boot properties.
# Full reference is available at:
# http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html
# ===================================================================
spring:
devtools:
restart:
enabled: false
livereload:
enabled: false
datasource:
url: jdbc:postgresql://localhost:5432/vraiJhipster
name:
username: vraiJhipster
password:
jpa:
database-platform: com.mycompany.myapp.domain.util.FixedPostgreSQL82Dialect
database: POSTGRESQL
show_sql: false
properties:
hibernate.cache.use_second_level_cache: true
hibernate.cache.use_query_cache: false
hibernate.generate_statistics: false
hibernate.cache.region.factory_class: org.hibernate.cache.ehcache.SingletonEhCacheRegionFactory
data:
elasticsearch:
cluster-name:
cluster-nodes: localhost:9300
mail:
host: localhost
port: 25
username:
password:
thymeleaf:
cache: true
liquibase:
contexts: prod
server:
port: 8080
compression:
enabled: true
mime-types: text/html,text/xml,text/plain,text/css, application/javascript, application/json
min-response-size: 1024
# ===================================================================
# JHipster specific properties
# ===================================================================
jhipster:
http:
cache: # Used by the CachingHttpHeadersFilter
timeToLiveInDays: 1461
cache: # Hibernate 2nd level cache, used by CacheConfiguration
timeToLiveSeconds: 3600
ehcache:
maxBytesLocalHeap: 256M
security:
rememberMe:
# security key (this key should be unique for your application, and kept secret)
key: *****************************************
mail: # specific JHipster mail property, for standard properties see MailProperties
from: vraiJhipster#localhost
metrics: # DropWizard Metrics configuration, used by MetricsConfiguration
jmx.enabled: true
spark:
enabled: false
host: localhost
port: 9999
graphite:
enabled: false
host: localhost
port: 2003
prefix: vraiJhipster
logs: # Reports Dropwizard metrics in the logs
enabled: false
reportFrequency: 60 # in seconds
logging:
logstash: # Forward logs to logstash over a socket, used by LoggingConfiguration
enabled: false
host: localhost
port: 5000
queueSize: 512
swagger: # swagger is disabled. It can be disabled by pasing 'no-swagger' profile at run time as well
enabled: false
Thank you.
If you need something about my configuration you can ask it.
I found the problem it was actually elasticSearch. When I use JHipster in production mode, the default configuration use elasticSearch on port 9300. But I hadn't any elasticSearch running on my computer. So I copy pasted the elasticSearch configuration from dev profile to prod profile.
data:
elasticsearch:
cluster-name:
cluster-nodes:
properties:
path:
logs: target/elasticsearch/log
data: target/elasticsearch/data
I am now trying to set up using spring config server / spring config client and eureka server to do service discovery together. when I was using local file system to save configuration, everything is fine, but as soon as I change to gitHub to save configuration, I can not start spring config client, and I got this error message:
com.netflix.discovery.DiscoveryClient : Can't get a response from http://user:{cipher}AQBdTe9vjgOqANyfi+Ke5HYmhFJnuvsGJ+8FOqLgdMdFInJkVRzy9XngylNp9KlX2lwPI13jT7ceDjBs9w4B6A15akQTHHP1q9rWwMcLtVCCKGFgvXSgQF+WWIItxBmIDGG4bSgDYZ6XQWl66T84PxjTBygErpmAjn+X2BWdtWtVmjXzpMQMaHGpiyLPoGIQYF4j9ZGpl16Jx79+j6et6LStksrT3WxQuanhZwIkqZ827+2mlUB3kd5ocW7R0vC3JMGVZlGNfqYQwJIhSJ19lrq4gxm/zbGroYonW3QSHTiRlhlvOdovEua/0dCl6+s0iEHYZCBllr7jikEWmS5Px7U2TG8/eQkjR8pUbSN6OE+OI2ZZUCNOT+mi75ZeeN1OtdQ=#localhost:8761/eureka/null
Can't contact any eureka nodes - possibly a security group issue?
java.lang.IllegalArgumentException: Illegal character in authority at index 7: http://user:{cipher}AQBdTe9vjgOqANyfi+Ke5HYmhFJnuvsGJ+8FOqLgdMdFInJkVRzy9XngylNp9KlX2lwPI13jT7ceDjBs9w4B6A15akQTHHP1q9rWwMcLtVCCKGFgvXSgQF+WWIItxBmIDGG4bSgDYZ6XQWl66T84PxjTBygErpmAjn+X2BWdtWtVmjXzpMQMaHGpiyLPoGIQYF4j9ZGpl16Jx79+j6et6LStksrT3WxQuanhZwIkqZ827+2mlUB3kd5ocW7R0vC3JMGVZlGNfqYQwJIhSJ19lrq4gxm/zbGroYonW3QSHTiRlhlvOdovEua/0dCl6+s0iEHYZCBllr7jikEWmS5Px7U2TG8/eQkjR8pUbSN6OE+OI2ZZUCNOT+mi75ZeeN1OtdQ=#localhost:8761/eureka/
at java.net.URI.create(URI.java:852)
This is what I have:
In cofig server application.yml:
spring:
application:
name: spirent-config-server
cloud:
config:
server:
git:
uri: https://github.com/spring-cloud-samples/config-repo
#searchPaths: foo,bar*
server:
port: 8888
in config client:
bootstrap.properties:
spring.application.name= foo
spring.profiles.active= development
spring.cloud.config.uri= http://localhost:8888
and application.yml
eureka:
instance:
hostname: ${host.instance.name:frank1}
nonSecurePort: ${host.instance.port:8080}
metadataMap:
instanceId: ${host.instance.instanceid:frank_123}
client:
serviceUrl:
defaultZone: http://localhost:8761/eureka/
server:
port: ${host.instance.port:8080}
Eureka Server:
application.yml
server:
port: 8761
eureka:
client:
registerWithEureka: false
fetchRegistry: false
server:
waitTimeInMsWhenSyncEmpty: 0
bootstrap.yml:
spring:
application:
name: eureka
cloud:
config:
uri: ${CONFIG_SERVER_URL:http://localhost:8888}
From the exception, it seemed it is because discoverClient is not working, anything special for the configuration?
But if I change from gitHub to local file storage for configuration, everything is fine.
Thanks for your suggestion in advance.
Based on the spring cloud document, I am doing like this:
In application.yml of config server:
spring:
application:
name: spirent-config-server
cloud:
config:
server:
git:
uri: https://github.com/spring-cloud-samples/config-repo
#searchPaths: foo,bar*
encrypt:
key: abc
server:
port: 8888
In application.yml of Eureka Server:
server:
port: 8761
eureka:
instance:
hostname: localhost
client:
registerWithEureka: false
fetchRegistry: false
serviceUrl:
defaultZone: http://${eureka.instance.hostname}:${server.port}/eureka/
server:
waitTimeInMsWhenSyncEmpty: 0
encrypt:
key: abc
And in application.yml of config client:
eureka:
instance:
hostname: ${host.instance.name:frank1}
nonSecurePort: ${host.instance.port:8080}
leaseRenewalIntervalInSeconds: 5 #default is 30, recommended to keep default
metadataMap:
#instanceId: ${host.instance.instanceid:frank_123}
instanceId: ${spring.application.name}:${spring.application.instance_id:${random.value}}
client:
serviceUrl:
defaultZone: http://localhost:8761/eureka/
server:
port: ${host.instance.port:8080}
encrypt:
key: abc
But, the problem is after I started Eureka an config server, it is fine, no exception, but after I started config client, I got this same exception:
Can't contact any eureka nodes - possibly a security group issue?
java.lang.IllegalArgumentException: Illegal character in authority at index 7: http://user:{cipher}AQBdTe9vjgOqANyfi+Ke5HYmhFJnuvsGJ+8FOqLgdMdFInJkVRzy9XngylNp9KlX2lwPI13jT7ceDjBs9w4B6A15akQTHHP1q9rWwMcLtVCCKGFgvXSgQF+WWIItxBmIDGG4bSgDYZ6XQWl66T84PxjTBygErpmAjn+X2BWdtWtVmjXzpMQMaHGpiyLPoGIQYF4j9ZGpl16Jx79+j6et6LStksrT3WxQuanhZwIkqZ827+2mlUB3kd5ocW7R0vC3JMGVZlGNfqYQwJIhSJ19lrq4gxm/zbGroYonW3QSHTiRlhlvOdovEua/0dCl6+s0iEHYZCBllr7jikEWmS5Px7U2TG8/eQkjR8pUbSN6OE+OI2ZZUCNOT+mi75ZeeN1OtdQ=#localhost:8761/eureka/
at java.net.URI.create(URI.java:852)
at com.sun.jersey.api.client.Client.resource(Client.java:433)
at com.netflix.discovery.DiscoveryClient.makeRemoteCall(DiscoveryClient.java:1091)
at com.netflix.discovery.DiscoveryClient.makeRemoteCall(DiscoveryClient.java:1060)
at com.netflix.discovery.DiscoveryClient.getAndStoreFullRegistry(DiscoveryClient.java:835)
Can anyone tell me where is my error? This only happened in using GIT as config server data source, but in local file data source, no error happened.
Thanks
These are my steps to try to resolve the key issues, but failed again:
download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" from Oracle, and follow instructions for installation (essentially replace the 2 policy files in the JRE lib/security directory with the ones that you downloaded).
Now if I run spring encrypt mysecret --key foo, it is successful, this means the JCE is installed correctly;
Creating a Key Store for Testing: using this:
https://github.com/spring-cloud/spring-cloud-config/blob/master/docs/src/main/asciidoc/spring-cloud-config.adoc#creating-a-key-store-for-testing
after updating the application.yml in my config server, the application.yml is this:
spring:
application:
name: spirent-config-server
cloud:
config:
server:
git:
uri: https://github.com/spring-cloud-samples/config-repo
#searchPaths: foo,bar*
encrypt:
keyStore:
location: classpath:/server.jks
password: letmein
alias: abc
secret: changeme
key: abc
server:
port: 8888
adding this to both eureka server and config client application.yml:
encrypt:
key: abc
Run everything:
Result is same nasty error
So what is wrong is my testing? Thanks for your help
It is my fault:
Changing application.yml to this:
spring:
application:
name: configserver
encrypt:
failOnError: false
keyStore:
#location: classpath:keystore.jks
#password: ${KEYSTORE_PASSWORD:foobar} # don't use a default in production
#alias: test
location: classpath:server.jks
password: letmein
alias: mytestkey
secret: changeme
And then using this command to generate the file resolving the issue completely:
keytool -genkeypair -alias mytestkey -keyalg RSA \
-dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" \
-keypass changeme -keystore server.jks -storepass letmein
Thanks