Suppose our Java application is hosted on the Heroku platform and needs to connect to an HTTP server that requires the provision of a Client Certificate.
In this article, we will address the issues of securely storing client keystores in Heroku, using config vars (environment variables).
- Keeping passwords and other sensitive data in environment variables is a common practice for applications hosted on Heroku.
Usually client keys are contained in password-protected files - key containers, such as .p12 or jks - on the file system.
But the problem becomes obvious as soon as it becomes necessary to deploy such an application to the cloud:
Even password-protected key containers cannot be placed in the repository together with the source code.
The same goes for Docker images and any other similar artifacts available to several persons.
Fortunately, this is easy to fix in Java apps on Heroku!
Consider the proposed process from a security standpoint:
- The security officer exports the keystore as a Base64-encoded string.
- The string is placed in the application's config vars (through the Heroku Dashboard).
- At build time the string is decoded from Base64 back into a keystore file, which the application then uses as usual.
The example uses the following stack:
- Language: Java
- Platform: Heroku
- Build tool: Gradle
- Keystore format: PKCS12 (.p12)
In the Heroku Dashboard, open the application, go to the Settings tab, click "Reveal the config vars" and add the following variables:
- keyStoreFileName - the name of the keystore file, for example "private_key.p12"
- keyStoreBase64 - the Base64-encoded contents of the .p12 file
- keyStorePassword - the password of the .p12 file
- keyStoreType - pkcs12
- trustStoreType - jks
The .p12 file is recreated from these variables by a Gradle task in build.gradle, which the stage task (the one Heroku's Gradle buildpack runs) depends on:
```groovy
// Recreates the client keystore from the config vars at build time.
// Heroku's Gradle buildpack runs the "stage" task, so the file exists
// before the application is started.
task initKeyStore {
    doLast {
        println("Creating keystore file from environment variables.")
        String keyStoreFileName = System.getenv("keyStoreFileName")
        if (keyStoreFileName != null) {
            String keyStoreBase64 = System.getenv("keyStoreBase64")
            // java.util.Base64 is auto-imported in Groovy; decode into the file.
            new File(keyStoreFileName).withOutputStream {
                it.write(Base64.decoder.decode(keyStoreBase64))
            }
        }
    }
}
stage.dependsOn(initKeyStore)
```
Heroku starts the application via the Procfile. To pass the config vars to the JVM as system properties, the Procfile runs a shell script, runApp.sh:
```sh
#!/bin/sh
# The config vars set in the Heroku Dashboard are visible here as
# environment variables and are handed to the JVM as javax.net.ssl properties.
java \
  -Dserver.port=$PORT \
  ...
  -Djavax.net.ssl.keyStoreType=$keyStoreType \
  -Djavax.net.ssl.trustStoreType=$trustStoreType \
  -Djavax.net.ssl.keyStore=$keyStoreFileName \
  -Djavax.net.ssl.keyStorePassword=$keyStorePassword \
  $JAVA_OPTS \
  ...
```
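As an added example (not code from the original article), the same decoding step written as a POSIX shell function that runApp.sh could call at dyno start instead of the build-time Gradle task, so the decoded .p12 exists only on the running dyno and never inside the slug; it also refuses empty or undecodable input and checks that the result starts with the DER SEQUENCE byte 0x30 that a PKCS12 container begins with. The function name, the return codes and the /tmp target path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: decode the keyStoreBase64
# config var into a file at dyno start instead of at build time, so the
# .p12 exists only on the running dyno and never inside the slug.
# Return codes, the DER check and the /tmp target are assumptions here.

# materialize_keystore BASE64_STRING TARGET_PATH
# Returns 1 if the string is empty, 2 if it is not valid Base64,
# 3 if the decoded bytes do not start with 0x30, the DER SEQUENCE tag
# every PKCS12 container begins with. On failure nothing is left behind.
materialize_keystore() {
    b64="$1"
    target="$2"
    if [ -z "$b64" ]; then
        echo "keyStoreBase64 is not set" >&2
        return 1
    fi
    # Create the file owner-only (0600) before any secret bytes hit disk,
    # then restore the caller's umask.
    old_umask=$(umask)
    umask 077
    : > "$target"
    umask "$old_umask"
    if ! printf '%s' "$b64" | base64 -d > "$target" 2>/dev/null; then
        rm -f "$target"
        echo "keyStoreBase64 is not valid Base64" >&2
        return 2
    fi
    first_byte=$(od -An -tx1 -N1 "$target" | tr -d ' \n')
    if [ "$first_byte" != "30" ]; then
        rm -f "$target"
        echo "decoded data does not look like a PKCS12 keystore" >&2
        return 3
    fi
    return 0
}

# Usage from runApp.sh: only runs when the config var is present, so the
# script is also harmless to execute stand-alone.
if [ -n "${keyStoreBase64:-}" ]; then
    materialize_keystore "$keyStoreBase64" "/tmp/${keyStoreFileName:-client.p12}" || exit 1
    # Then start the JVM with -Djavax.net.ssl.keyStore=/tmp/... as in runApp.sh.
fi
```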
Mark runApp.sh as executable in git before committing and pushing:
```sh
git update-index --chmod=+x runApp.sh
git commit -m ' runApp.sh'
git push origin master
```
Note that Heroku limits the total size of config vars to 32 KB.
In summary: the keystore is kept as a Base64 string in Heroku config vars; at build time a Gradle task recreates the P12 file from it; the script started by the Procfile passes the file name and password to the JVM, which Heroku populates from the same config vars. The .p12 file itself never enters the repository, and the Java application uses it through the standard javax.net.ssl properties.