LDAPs Certificate in Spring Boot Application and its Docker Image

Liangjun Jiang
Jun 25, 2020


Thanks for being here. I just purchased a beach house at South Padre Island (SPI), TX, and use it as a short-term rental property (Airbnb or Vrbo). SPI has one of the top 10 beaches in the US, and is 7 miles away from SpaceX's Mars launch base. OK, 7 miles is the point-to-point distance. You can check this house out on my property management's website: https://spirentals.com/property-info/468183.html . You can also visit my website https://firststr.com for details about the house and its amenities.

When I worked on ingesting LDAP user information (full name, title, department, manager), I ran into the question of where to find the LDAPS certificate. The background is that our service, `YOUR-job`, acts as a client that queries our LDAPS server over TLS. For that connection to succeed, the client has to trust the certificate the server presents, which means the server certificate (or, better, the CA certificate that issued it) must be in the Java truststore the client uses. The certificate is public material; nothing secret is involved on the client side.

So the first question is: where can I find the certificate? The second is how to use it in my Spring Boot application, and the third is what to do when the application is deployed as a Docker image. I use this post to share my understanding and implementation.

1.1. Where can I find this certificate?

I am definitely not the first person to have this question. On your work computer, try this command (the added `-showcerts` prints every certificate the server sends, not only the leaf, and `</dev/null` closes the connection instead of waiting for input):

openssl s_client -connect YOUR-LDAP-SERVER-URI:636 -showcerts </dev/null

You will see output like this (abridged):

CONNECTED(00000005)
...
verify return:1
---
Certificate chain
...
---
Server certificate
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

Copy from `-----BEGIN CERTIFICATE-----` through `-----END CERTIFICATE-----`, including both marker lines, and save it as a text file; that is your certificate file (PEM format). Two caveats before you trust it: you fetched it over a connection you have not verified yet, so confirm its SHA-256 fingerprint (`openssl x509 -in YOUR-NAME.crt -noout -fingerprint -sha256`) with whoever runs the directory server; and if the server sends a chain, save and import the issuing CA certificate rather than the leaf, because the leaf is replaced on every renewal and your client would break when it rotates.

Then import it into the JDK's default truststore. The default password of cacerts is `changeit`; the path below is the Java 8 layout, on Java 9 and later it is `$JAVA_HOME/lib/security/cacerts`:

sudo keytool -import -alias ldap-cert -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file YOUR-NAME.crt

Try it with SSLPoke (Atlassian's small Java TLS test client); it should connect.
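The three steps above (fetch the chain, pick the right certificate, import it) as one script. This is an added example, not code from the original post: the host, port, truststore path and `TRUSTSTORE_PASSWORD` variable are placeholders, and it writes to a dedicated truststore instead of modifying the JDK's global cacerts so the same file can later be shipped with the application.

```shell
#!/bin/sh
# Added example (not from the original post). Fetch the LDAPS server's chain,
# split it into one PEM file per certificate, show fingerprints for
# out-of-band verification, and import the issuer into a dedicated truststore.
# Placeholders: YOUR-LDAP-SERVER-URI, ldap-truststore.p12, TRUSTSTORE_PASSWORD.
set -eu

# Split a PEM bundle read from stdin into <prefix>-1.pem, <prefix>-2.pem, ...
# Lines outside BEGIN/END blocks (s_client's "s:/CN=..." headers) are dropped.
# Prints the number of certificates found.
split_pem_chain() {
  prefix=$1
  awk -v p="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem"; inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    END { print n + 0 }
  '
}

# Fetch the chain exactly as the server presents it. -showcerts prints every
# certificate, not just the leaf; -servername sets SNI for multi-host servers.
fetch_chain() {
  host=$1; port=$2
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Subject, issuer, expiry and SHA-256 fingerprint of one certificate, so the
# value can be compared with what the directory team published out of band.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Import one certificate as a trusted entry into a dedicated PKCS12 truststore
# and list the entry back to prove it landed.
import_cert() {
  file=$1; alias=$2; store=$3; storepass=$4
  keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$file" \
    -keystore "$store" -storetype PKCS12 -storepass "$storepass"
  keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias"
}

main() {
  host=${1:-YOUR-LDAP-SERVER-URI}                     # placeholder
  port=${2:-636}
  store=${3:-ldap-truststore.p12}                     # placeholder
  storepass=${TRUSTSTORE_PASSWORD:?set TRUSTSTORE_PASSWORD}
  count=$(fetch_chain "$host" "$port" | split_pem_chain chain)
  echo "server sent $count certificate(s)"
  i=1
  while [ "$i" -le "$count" ]; do describe_cert "chain-$i.pem"; i=$((i + 1)); done
  # With two or more certificates, the last one is the highest issuer the
  # server sent: pin trust there, not on the leaf that rotates at renewal.
  # A single certificate means only the leaf was sent; in that case obtain
  # the CA certificate from the directory team rather than trusting the leaf.
  if [ "$count" -ge 2 ]; then
    import_cert "chain-$count.pem" ldap-issuer "$store" "$storepass"
  else
    import_cert "chain-1.pem" ldap-leaf "$store" "$storepass"
  fi
}

# Only run against a real server when LDAP_HOST is set, e.g.
#   TRUSTSTORE_PASSWORD=... LDAP_HOST=ldap.example.internal sh fetch-ldap-cert.sh
if [ -n "${LDAP_HOST:-}" ]; then
  main "$LDAP_HOST" "${LDAP_PORT:-636}"
fi
```

Point the JVM at the resulting file with `-Djavax.net.ssl.trustStore=ldap-truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12`. Note that this replaces, rather than extends, the default cacerts: if the application also talks to public HTTPS endpoints, import those CAs into the same store too.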

1.2. How can I use this certificate in my Spring Boot application?

If you have imported the certificate into the default keystore (cacerts) and have not changed which JDK IntelliJ runs your application with, your Spring Boot application should work as is. If you are not sure which truststore the JVM is using, point it at one explicitly with VM arguments, for example:

-Djavax.net.ssl.trustStore=C:\xx\java.cacerts -Djavax.net.ssl.trustStorePassword=xxxxxxx

Two things to keep in mind: setting `javax.net.ssl.trustStore` replaces the default cacerts rather than adding to it, so the store you name must also contain any other CAs the application needs; and a password on the command line is visible in process listings, which is acceptable for the stock `changeit` truststore password but not for anything that protects a private key.

1.3. Deploy my Spring Boot application as a Docker Image

As you can see, we got the local Spring Boot application working by importing the certificate into the local Java environment. The same idea applies to the Docker image: copy the certificate from the local machine or from the code base into the image and import it there. I chose to keep the certificate in the code base, because the CI/CD pipeline then finds it in every environment (test, stage and production) without extra wiring, and a certificate is public material, not a private key, so committing it discloses nothing. What must never be committed is a private key, or a keystore that contains one.

Pay attention to the stage at which you run `keytool -importcert`: it has to run against the cacerts of the JRE that will actually execute the application, that is, in the final image, not in the builder stage, whose JDK is discarded.

In our case, the builder stage copies the certificate out of the code base next to the built jar, and the application image imports it into its own keystore. Here is an example that works:

# Stage 1: build the jar with a full JDK and stage the certificate beside it
FROM openjdk:8 as builder
COPY . YOUR-SOURCE-src
RUN cd YOUR-SOURCE-src \
 && cp YOUR-jobs/YOUR-JOB-job/src/main/resources/certs/YOUR-NAME.cert ../YOUR-NAME.cert \
 && ./gradlew :YOUR-jobs:YOUR-JOB-job:build \
 && cp YOUR-jobs/YOUR-JOB-job/build/libs/YOUR-JOB-job.jar ../YOUR-JOB-job.jar \
 && cd .. && rm -rf YOUR-SOURCE-src

# Stage 2: slim JRE runtime. The certificate is imported into THIS image's
# cacerts, because this is the JVM that opens the LDAPS connection.
FROM openjdk:8-jre-alpine
COPY --from=builder /YOUR-JOB-job.jar /YOUR-JOB-job.jar
COPY --from=builder /YOUR-NAME.cert /YOUR-NAME.cert
# In the JRE image $JAVA_HOME points at the JRE, so lib/security/cacerts is the
# right path. changeit is the stock cacerts password; -noprompt answers the
# interactive "Trust this certificate?" question during the build.
RUN keytool -importcert -alias eg-ldap-cert -file /YOUR-NAME.cert \
    -keystore $JAVA_HOME/lib/security/cacerts -noprompt -storepass changeit
EXPOSE 9090
ENTRYPOINT ["java", "-jar", "/YOUR-JOB-job.jar"]
