Reputation: 1520
gRPC: How to configure SSL in client?
Its new topic for me. I'm able to connect as plaintext.
public ManagedChannel getChannel(String serviceName){
TSServiceClientManager scm = TSServiceManagementFactory.getInstance().getServiceClientManager();
TSServiceConnectionInfo connInfo = scm.getServiceConnectionInfo(serviceName);
if(channel == null){
channel = ManagedChannelBuilder.forAddress(connInfo.getHost(), connInfo.getPort())
.usePlaintext(true) //need help here for SSL code
.build();
}
return channel;
}
I was told to enable client-side SSL. I know how to generate, keystore, truststore, pem, CA etc. I need help in :
How to enable SSL instead of .usePlaintext(true) as shown in above code?
(Kindly rewrite the code considering the cert file, keystore, truststore and .pem file exist)
And
I want to know is there anything to do with server to make SSL connection work?
Upvotes: 7
Views: 12603
Answers (2)
Reputation: 43
If any one wants to use JKS files then below code might help.
InputStream is = Utils.class.getClassLoader().getResourceAsStream("truststore.jks");
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(is, "secret".toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(truststore);
SslContextBuilder sslContextbuilder = GrpcSslContexts.forClient().trustManager(trustManagerFactory);
SslContext sslContext = sslContextbuilder.build();
channel = NettyChannelBuilder.forAddress("localhost", "8443").sslContext(sslContext).build();
Upvotes: 2
Reputation: 26394
Since grpc-java 1.37.0 it is possible for most users to configure TLS without using transport-specific APIs. This leverages the ChannelCredentials concept introduced in 1.34.0.
ChannelCredentials creds = TlsChannelCredentials.newBuilder()
// if server's cert doesn't chain to a standard root
.trustManager(caFile)
.keyManager(clientCertFile, keyFile) // client cert
.build();
channel = Grpc.newChannelBuilderForAddress(serverHost, serverPort, creds)
.build();
TlsServerCredentials and Grpc.newServerBuilderForPort() would be used on server-side.
Advanced use cases may need to use transport-specific APIs like GrpcSslContexts and NettyChannelBuilder.sslContext().
Original answer: You need to use a transport-specific API. You're likely using Netty today. For Netty, you need to configure Netty's SslContext and pass it to gRPC. Your usage may look something like this:
SslContext sslcontext = GrpcSslContexts.forClient()
// if server's cert doesn't chain to a standard root
.trustManager(caFile)
.keyManager(clientCertFile, keyFile) // client cert
.build();
channel = NettyChannelBuilder.forAddress(serverHost, serverPort)
.sslContext(sslContext)
.build();
If you need server-side configuration, it would use the similar NettyServerBuilder.sslContext(). But the context itself would be different.
Upvotes: 11
Related Questions
- Use SSL in gRPC client server communication
- How to instantiate a grpc server using ssl in java using java keystore instead of certficate and key file?
- How do I connect to GRPC using TLS?
- gRPC sslcontext config
- How to enable ssl in grpc with java using keystore
- Java gRPC - TLS - how to set up mutual TLS on the client side?
- How do I get the Clientcertificate with GRPC Java?
- How to create Insecure Java grpc cilent for secure go grpc service
- Dealing with TLS on gRPC
- gRPC-Java ssl server side authentication certificate generation