Suppose our Javaapplication is hosted on the Heroku platform and needs to connect to an HTTP server that requires the provision of a Client Certificate.
In this article, we will address the issues of securely storing client keystores in
- Keeping passwords and other sensitive data in
Usually .p12or jkson the file system.
But the problem becomes obvious as soon as it becomes necessary to place a similar application in
Even password protected ones
The same goes for Docker images and any other similar artifacts available to several persons.
Fortunately, this is easy to fix in apps on Java!
Consider the proposed process in terms of safety theory:
- Security Officer (OB) exports
Base64 - ..
- ..
Base64 - ,
:
- :
Java - :
Heroku - :
Gradle - :
PKCS12
.p12
, , :
Heroku
HerokuSettings- "Reveal the config vars"
- :
keyStoreFileName β , "private_key.p12"keyStoreBase64 β Base64, " .p12"keyStorePassword β , .p12keyStoreType β pkcs12trustStoreType β jks
.p12 Gradle
guild.gradle stage:
task initKeyStore() {
doLast {
println("Creating keystore file from environment variables.")
String keyStoreFileName = System.getenv("keyStoreFileName")
if (keyStoreFileName != null) {
String keyStoreBase64 = System.getenv("keyStoreBase64")
new File(keyStoreFileName).withOutputStream {
it.write(Base64.decoder.decode(keyStoreBase64))
}
}
}
}
stage.dependsOn(initKeyStore)
"procfile" Heroku
"procfile" Heroku .
, shell β runApp.sh.
runApp.sh:
java \
-Dserver.port=$PORT \
...
-Djavax.net.ssl.keyStoreType=$keyStoreType \
-Djavax.net.ssl.trustStoreType=$trustStoreType \
-Djavax.net.ssl.keyStore=$keyStoreFileName \
-Djavax.net.ssl.keyStorePassword=$keyStorePassword \
$JAVA_OPTS \
...
git (push) (commit):
git update-index --chmod=+x runApp.sh
git commit -m ' runApp.sh'
git push origin master
Heroku 32
, .
- ,
Heroku, Gradle P12 - ,
procfile, Heroku . .p12 Java- .
!