Configure Moderne DX service with client SSL certificates
If you are configuring the Moderne DX service to connect to a service that requires a self-signed certificate to perform an HTTPS request (e.g., Maven or Artifactory) you will need to:
- Supply a KeyStore for the service to use in the
PKCS12format at the following location:${JAVA_HOME}/lib/security/client_keystore.p12 - Configure the service to
skipSSLfor this service (See the Artifactory or Maven service documentation)
Below are a few examples of creating the KeyStore in some common scenarios:
- Certificate without key
- Certificate and key files
- Certificate and key in one file
RUN openssl pkcs12 -export \
-in <pathtocertfolder>/cert.pem \
-out ${JAVA_HOME}/lib/security/client_keystore.p12 \
-name ssl_cert \
-passout pass:changeit \
-nokeys
openssl pkcs12 -export \
-in <pathtocertfolder>/cert.pem \
-inkey <pathtocertfolder>/cert.key \
-out ${JAVA_HOME}/lib/security/client_keystore.p12 \
-name ssl_cert \
-passout pass:changeit
RUN openssl pkcs12 -export \
-in ${JAVA_HOME}/lib/security/s2s-cert.pem \
-out ${JAVA_HOME}/lib/security/client_keystore.p12 \
-name ssl_cert \
-passout pass:changeit
- OCI Container
- Executable JAR
If you are running the service in an OCI container, you will need to create a new Dockerfile based on the Moderne DX service and supply the image with the KeyStore.
Example:
FROM moderne.azurecr.io/moderne-dev/moderne/moderne-dx:latest
USER root
COPY s2s-cert.pem ${JAVA_HOME}/lib/security/s2s-cert.pem
#Certifcate without keys
RUN openssl pkcs12 -export \
-in ${JAVA_HOME}/lib/security/s2s-cert.pem \
-out ${JAVA_HOME}/lib/security/client_keystore.p12 \
-name ssl_cert \
-passout pass:changeit \
-nokeys
Nothing else needs to happen for the executable JAR flow other than ensuring the KeyStore has been added to the following location: ${JAVA_HOME}/lib/security/client_keystore.p12
java -jar moderne-dx-{version}.jar \
# ... Existing arguments