Automatic Reload of Java Trust Store without needing Restart of Web Server process
I have a web app whose REST endpoints I have secured using the X.509 public key authentication mechanism. To explain it in a bit more detail, I had to add my sample clients' public certificates into my server web app's Java trust store. Of course my server also has one Java key store containing a server key pair. So all good here, and any server calls which pass valid client certificates get authenticated seamlessly. No issues.

In future, I will need to add new client certificates into the same server trust store as needed. Addition of new client certificates into the server trust store is an offline process and would be taken care of through some tool like Java keytool.

But I don't want to restart my server process in order to pick up the additional client certificates in the trust store. I want my server process to automatically reload its trust store whenever any new client certificate gets added to it.

I am even open to sending a trigger event through some HTTP hook to my server process to initiate the trust store reload. But there is nothing like automatic reload. Any pointers?

Clownery answered 15/6, 2017 at 10:4
This is possible as long as you have a way to provide an SSLContext or KeyManager/TrustManager to your server configuration. As this option is not available in the JDK, I created a library to enable it. See here also for a detailed answer to a similar question to yours: Reloading a java.net.http.HttpClient's SSLContext

In the above link the OP asks for reloading the client SSL configuration; however, the same is possible for the server. It also contains links to configuring Spring with Tomcat/Jetty, Vert.x, Quarkus etc.

You can configure it like the following snippet:

import java.nio.file.Paths;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.util.SSLFactoryUtils;

// base factory with dummy material whose key and trust managers can be swapped later
SSLFactory baseSslFactory = SSLFactory.builder()
        .withDummyIdentityMaterial()
        .withDummyTrustMaterial()
        .withSwappableIdentityMaterial()
        .withSwappableTrustMaterial()
        .build();

// re-reads both stores from disk and swaps them into the base factory
Runnable sslUpdater = () -> {
    SSLFactory updatedSslFactory = SSLFactory.builder()
            .withIdentityMaterial(Paths.get("/path/to/your/identity.jks"), "password".toCharArray())
            .withTrustMaterial(Paths.get("/path/to/your/truststore.jks"), "password".toCharArray())
            .build();

    SSLFactoryUtils.reload(baseSslFactory, updatedSslFactory);
};

// initial update of ssl material to replace the dummies
sslUpdater.run();

// update ssl material every hour
Executors.newSingleThreadScheduledExecutor().scheduleAtFixedRate(sslUpdater, 1, 1, TimeUnit.HOURS);

You can either call the SSL updater on a trigger at a REST endpoint, schedule it for a given time, or use any other kind of logic which you prefer.

Giese answered 4/9 at 13:40
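For readers who cannot add the library, the same swap-in-place idea can be done with the plain JDK. The class below is an added example, not part of the answer above or of the library it describes: a delegating X509TrustManager that re-reads the JKS file when its modification time changes and keeps the last good trust managers if the new file fails to load. The path and password are placeholders supplied by the caller.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.*;

/** X509TrustManager that re-reads a JKS trust store whenever the file's mtime changes. */
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path storePath;                 // placeholder path, supplied by the caller
    private final char[] storePassword;
    private final AtomicReference<X509TrustManager> delegate = new AtomicReference<>();
    private volatile FileTime loadedMtime;

    public ReloadingTrustManager(Path storePath, char[] storePassword) throws Exception {
        this.storePath = storePath;
        this.storePassword = storePassword;
        reload(); // fail fast at startup if the store cannot be read
    }
    /** Call from a scheduler or an HTTP hook. Keeps the last good store if the new file is unreadable. */
    public synchronized boolean reloadIfChanged() {
        try {
            FileTime current = Files.getLastModifiedTime(storePath);
            if (current.equals(loadedMtime)) return false;
            reload();
            return true;
        } catch (Exception e) {
            System.err.println("trust store reload failed, keeping previous: " + e);
            return false;
        }
    }
    private void reload() throws Exception {
        FileTime mtime = Files.getLastModifiedTime(storePath); // stat before load so a later write is not missed
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(storePath)) { ks.load(in, storePassword); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate.set((X509TrustManager) tm); // atomic swap; in-flight handshakes finish on the old one
                loadedMtime = mtime;
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager in " + storePath);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.get().checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.get().checkServerTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.get().getAcceptedIssuers(); }
}
```

Pass an instance in the TrustManager array given to SSLContext.init and call reloadIfChanged() from a scheduled executor or your HTTP hook; note that removing a certificate from the store only affects new handshakes, so already established sessions stay up until they close.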
