Introducing Spring Cloud Azure Starter Key Vault JCA: Streamlined TLS and mTLS for Spring Boot

We’re excited to unveil Spring Cloud Azure Starter Key Vault Java Crypto Structure (JCA), a brand new addition to the Spring Cloud Azure household, arriving with model 5.21.0. Designed for Spring Boot 3.1+, this starter applies the Spring SSL Bundles abstraction and the JCA Supplier for Azure Key Vault to simplify safe communication in your Spring Boot functions. Whether or not you’re enabling TLS to your server or organising mutual TLS (mTLS) for client-server authentication, this starter integrates Azure Key Vault’s certificates administration with Spring’s trendy safety framework.

On this weblog submit, we dive into the starter’s capabilities and exhibit its utilization with sensible examples for enabling embedded server TLS, securing RestTemplate, securing WebClient, and configuring mTLS communication. Let’s get began!

What’s Spring Cloud Azure Starter Key Vault JCA?

The Spring Cloud Azure Starter Key Vault JCA combines the ability of Spring Boot’s SSL Bundles (launched in Spring Boot 3.1) with Azure Key Vault’s JCA supplier. This integration permits builders to make use of certificates saved in Key Vault instantly inside Spring functions, eliminating the complexity of conventional keystore administration seen in older configurations. For instance, Securing Spring Boot functions based mostly on older model. For a deeper dive into Spring SSL Bundles, see Spring SSL Bundles.

Get began

Add the next dependency to your pom.xml file:

    com.azure.spring
    spring-cloud-azure-starter-keyvault-jca
    5.21.0

Full the next steps to arrange the Azure assets:

1. Create two self-signed certificates in two Key Vault assets by following the steps at Add a self-signed certificates to Key Vault. The certificates names are server and shopper, respectively. Assume that keyvault1 shops the server certificates and keyvault2 shops the shopper certificates.
2. Create a Service Principal for accessing Key Vault by following the steps at Create a Service Principal.
3. Grant function Key Vault Certificates Person to the Service Principal for every Key Vault occasion by following the steps at Position project.

Be aware:
Atmosphere variables prefixed with KEY_VAULT_SSL_BUNDLES symbolize the connection data to your Key Vault cases and Service Principal.

Allow embedded server TLS

Safe inbound HTTP requires the embedded server. The embedded server applies the Key Vault SSL Bundle to allow Server TLS and that applies to all internet servers supported by Spring Boot.

Replace your utility.yml file:

spring:
  utility:
    title: ssl-bundles-server
  ssl:
    bundle:
      keyvault:
        tlsServerBundle:
          key:
            alias: server
          keystore:
            keyvault-ref: keyvault1
  cloud:
    azure:
      keyvault:
        jca:
          vaults:
            keyvault1:
              endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
              profile:
                tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}
              credential:
                client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}
                client-secret: ${KEY_VAULT_SSL_BUNDLES_CLIENT_SECRET}
server:
  ssl:
    bundle: tlsServerBundle

Safe RestTemplate

Safe outbound HTTP calls with RestTemplate utilizing a Key Vault SSL Bundle.

1. Replace your utility.yml file:

   spring:
   ssl:
     bundle:
       keyvault:
         tlsClientBundle:
           truststore:
             keyvault-ref: keyvault1
   cloud:
     azure:
       keyvault:
         jca:
           vaults:
             keyvault1:
               endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
               profile:
                 tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}
               credential:
                 client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}
                 client-secret: ${KEY_VAULT_SSL_BUNDLES_CLIENT_SECRET}

2. Replace your RestTemplate configuration to set the Key Vault SSL Bundle:

   @Bean
   RestTemplate restTemplateWithTLS(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
     return restTemplateBuilder.sslBundle(sslBundles.getBundle("tlsClientBundle")).construct();
   }

Then you should utilize bean restTemplateWithTLS to entry the HTTPS useful resource owned by app ssl-bundles-server.

Safe WebClient

Safe outbound HTTP calls with WebClient utilizing a Key Vault SSL Bundle.

1. Replace your utility.yml file based on the configuration of the Safe RestTemplate situation.
2. Replace your WebClient bean configuration to use the Key Vault SSL Bundle:

   @Bean
   WebClient webClientWithTLS(WebClientSsl ssl) {
     return WebClient.builder().apply(ssl.fromBundle("tlsClientBundle")).construct();
   }

Then you should utilize bean webClientWithTLS to entry the HTTPS useful resource owned by app ssl-bundles-server.

Allow mTLS communication

Arrange mTLS for two-way authentication between shopper and server.

Server facet

Replace your utility.yml file to belief the shopper certificates in Key Vault keyvault2, and allow the shopper authentication:

spring:
  utility:
    title: ssl-bundles-server
  ssl:
    bundle:
      keyvault:
        tlsServerBundle:
          key:
            alias: server
          keystore:
            keyvault-ref: keyvault1
          truststore:
            keyvault-ref: keyvault2
  cloud:
    azure:
      keyvault:
        jca:
          vaults:
            keyvault1:
              endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
              profile:
                tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}
              credential:
                client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}
                client-secret: ${KEY_VAULT_SSL_BUNDLES_CLIENT_SECRET}
            keyvault2:
              endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_02}
              profile:
                tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}
              credential:
                client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}
                client-secret: ${KEY_VAULT_SSL_BUNDLES_CLIENT_SECRET}
server:
  ssl:
    bundle: tlsServerBundle
    client-auth: NEED

Consumer facet

Full the next steps:

1. Replace your utility.yml file to supply keystore for shopper authentication in Key Vault keyvault2:

   spring:
   ssl:
     bundle:
       keyvault:
         mtlsClientBundle:
           key:
             alias: shopper
           for-client-auth: true
           keystore:
             keyvault-ref: keyvault2
           truststore:
             keyvault-ref: keyvault1
   cloud:
     azure:
       keyvault:
         jca:
           vaults:
             keyvault1:
               endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
               profile:
                 tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}
               credential:
                 client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}
                 client-secret: ${KEY_VAULT_SSL_BUNDLES_CLIENT_SECRET}
             keyvault2:
               endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_02}
               profile:
                 tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}
               credential:
                 client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}
                 client-secret: ${KEY_VAULT_SSL_BUNDLES_CLIENT_SECRET}

2. Register one other RestTemplate bean for mTLS connection, and the identical in the event you use WebClient:

   @Bean
   RestTemplate restTemplateWithMTLS(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
     return restTemplateBuilder.sslBundle(sslBundles.getBundle("mtlsClientBundle")).construct();
   }
   
   // or you should utilize WebClient as a substitute
   @Bean
   WebClient webClientWithMTLS(WebClientSsl ssl) {
     return WebClient.builder().apply(ssl.fromBundle("mtlsClientBundle")).construct();
   }

Now you should utilize beans restTemplateWithMTLS or webClientWithMTLS to entry the HTTPS useful resource owned by app ssl-bundles-server.

Suggestions

Your suggestions and contributions are at all times welcome on StackOverflow or GitHub.

Assets

To study extra about Spring Cloud Azure, go to the next hyperlinks: