SSL Certificate in Spring Boot

Question

I have certificate files xx.crt and xx.pfx. I also have password for xx.pfx. How do I configure this spring boot embedded tomcat?

    Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
    connector.setScheme("https");
    connector.setSecure(true);
    protocol.setSSLEnabled(true);
    protocol.setKeystoreFile(??);
    protocol.setKeyPass(??);
    protocol.setTruststoreFile(??);
    return connector;

Answer 1

The easiest way to use .pfx file with spring boot.
Follow the below steps to make it work.
1) Get the pfx file from service provider.
2) Install the certificate.Refer this link for how to install certificate.

application.properties

server.port= 9091
server.ssl.trust-store= classpath:jks/Test_Certificate.pfx
server.ssl.trust-store-password= XXXXXX
server.ssl.enabled= false
server.ssl.trust-store-type= PKCS12
soap.url=https://localost:8080/test/Calculator.wsdl

TestClientConfiguration.java

import java.io.IOException;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;

import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.protocol.HTTP;
import org.apache.http.protocol.HttpContext;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.oxm.jaxb.Jaxb2Marshaller;
import org.springframework.ws.transport.http.HttpComponentsMessageSender;

@Configuration
public class TestClientConfiguration {

    private final String SOAP_URI = "https://localost:8080/test/Calculator.wsdl";

    @Value("${server.ssl.trust-store}")
    private Resource trustStore;

    @Value("${server.ssl.trust-store-password}")
    private String trustStorePassword;

    @Value("${server.ssl.trust-store-type}")
    private String trustStoreType;

    @Bean
    public TestServiceClient processMessage(Jaxb2Marshaller marshaller) throws Exception {
        TestServiceClient client = new TestServiceClient();
        client.setDefaultUri(SOAP_URI);
        client.setMarshaller(marshaller);
        client.setUnmarshaller(marshaller);
        client.setMessageSender(httpComponentsMessageSender());
        return client;
    }

    @Bean
    Jaxb2Marshaller jaxb2Marshaller() {
        Jaxb2Marshaller jaxb2Marshaller = new Jaxb2Marshaller();
        jaxb2Marshaller.setContextPath("com.test.soap.types");

        return jaxb2Marshaller;
    }

    @Bean
    public HttpComponentsMessageSender httpComponentsMessageSender() throws Exception {
        HttpComponentsMessageSender httpComponentsMessageSender = new HttpComponentsMessageSender();
        httpComponentsMessageSender.setHttpClient(httpClient());
        return httpComponentsMessageSender;
    }

    public HttpClient httpClient() throws Exception {
        KeyStore keyStore = KeyStore.getInstance(trustStoreType);
        keyStore.load(trustStore.getInputStream(), trustStorePassword.toCharArray());

        SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(keyStore, trustStorePassword.toCharArray())
                .build();

        HttpClient httpClient = HttpClients.custom().setSSLContext(sslContext)
                .addInterceptorFirst(new ContentLengthHeaderRemover()).build();
        return httpClient;
    }

}

TestServiceClient.java

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.Marshaller;
import javax.xml.transform.TransformerException;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.ws.WebServiceMessage;
import org.springframework.ws.client.core.WebServiceMessageCallback;
import org.springframework.ws.client.core.support.WebServiceGatewaySupport;
import org.springframework.ws.soap.SoapHeader;
import org.springframework.ws.soap.SoapMessage;

@Qualifier("testSoapServiceClient")
public class TestServiceClient extends WebServiceGatewaySupport {
    @Value("${soap.url}")
    private String testsoapurl;

    public String processMessage(String mgRequest, Message reqHeader) {

        StreamSource source = new StreamSource(new StringReader(mgRequest));
        StringWriter stringWriter = new StringWriter();
        StreamResult result = new StreamResult(stringWriter);
        getWebServiceTemplate().sendSourceAndReceiveToResult(testsoapurl, source, new WebServiceMessageCallback() {

            @Override
            public void doWithMessage(WebServiceMessage message) throws IOException, TransformerException {
                try {
                    SoapMessage soapMessage = (SoapMessage) message;

                    //Soap Actio
                    soapMessage.setSoapAction("urn:test/ProcessMessage");

                    // get the header from the SOAP message
                    SoapHeader soapHeader = soapMessage.getSoapHeader();

                    // create the header element
                    ObjectFactory factory = new ObjectFactory();
                    JAXBElement<Message> headerMessage = factory.createMessage(reqHeader);

                    // create a marshaller
                    JAXBContext context = JAXBContext.newInstance(Message.class);
                    Marshaller marshaller = context.createMarshaller();

                    // marshal the headers into the specified result
                    marshaller.marshal(headerMessage, soapHeader.getResult());
                } catch (Exception e) {
                    /////
                }
            }

        }, result);
        return stringWriter.toString();
    }

}

Answer 2

The easiest way to solve this problem is to convert the PFX file to JKS using the keytool (keytool.exe on Windows):

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newkeystore.jks -deststoretype JKS

and use protocol.setKeystoreFile() and protocol.setKeyPass() to load it.

Answer 3

If you look at Http11NioProtocol those methods take string parameters... Anyways here is a related question/answer How can I specify my .keystore file with Spring Boot and Tomcat?