Jeff Gaer

Reputation: 401

How to instantiate a gRPC server using SSL in Java using a Java keystore instead of certificate and key file?

I have seen examples on how to do this for the client side, but the ServerBuilder class seems to only take a certificate and key file when configuring for SSL. I don't see any way to set the sslContext or channel. Only a useTransportSecurity(File certChain, File privateKey) method that requires the certChain and a private key. Can I extract those from the keystore programmatically? Currently I instantiate the server as follows:

server = ServerBuilder.forPort(port).useTransportSecurity(certFile, keyFile).addService(this).build().start();

Other pieces of the application are using JKS trust/keystores and we would prefer not to store the keys in two locations.

Upvotes: 2

Views: 1381

Answers (1)

Hakan54

Reputation: 3861

The default ServerBuilder is limited, as you have already discovered. I would advise using NettyServerBuilder, which is capable of handling different kinds of input such as KeyStore, KeyManager etc.

Add the following dependency to your project:

<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-netty</artifactId>
</dependency>

SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(keyManager).trustManager(trustManager);
SslContext sslContext = GrpcSslContexts.configure(sslContextBuilder).build();

Server server = NettyServerBuilder.forPort(8443)
        .addService(new HelloServiceImpl())
        .sslContext(sslContext)
        .build()
        .start();

The KeyManager/TrustManager can be built with the factory classes:

  • KeyManagerFactory
  • TrustManagerFactory

See also here for other configurations: DZone - Secure Your gRPC Services With SSL/TLS

Upvotes: 1
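
The steps in the answer above, put together as an added example that is not part of the original answer: it loads the JKS files into KeyManagerFactory/TrustManagerFactory and passes them to NettyServerBuilder. The class name JksGrpcServer, the method names and the parameters are assumptions made for illustration, as is the key entry sharing the store password; it uses the unshaded grpc-netty artifact named in the answer.

```java
import io.grpc.BindableService;
import io.grpc.Server;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

public final class JksGrpcServer {  // hypothetical class name

    // Load a JKS store from disk; the caller supplies the password (not hard-coded here).
    static KeyStore loadJks(Path path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // trustStorePath may be null, in which case the server does one-way TLS only.
    static Server start(int port, BindableService service,
                        Path keyStorePath, char[] keyStorePassword,
                        Path trustStorePath, char[] trustStorePassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Assumption: the private key entry uses the same password as the store.
        kmf.init(loadJks(keyStorePath, keyStorePassword), keyStorePassword);

        SslContextBuilder builder = SslContextBuilder.forServer(kmf);
        if (trustStorePath != null) {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadJks(trustStorePath, trustStorePassword));
            // A server-side trust store is only consulted when client certificates are requested.
            builder.trustManager(tmf).clientAuth(ClientAuth.REQUIRE);
        }
        // GrpcSslContexts.configure applies the ALPN/HTTP2 settings gRPC needs.
        SslContext sslContext = GrpcSslContexts.configure(builder).build();

        return NettyServerBuilder.forPort(port)
                .addService(service)
                .sslContext(sslContext)
                .build()
                .start();
    }
}
```

With a trust store supplied, clients without a certificate chaining to it are rejected during the handshake; pass null for the trust store to keep the one-way TLS behaviour of useTransportSecurity.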
