1 changed files with 45 additions and 0 deletions
@ -0,0 +1,45 @@ |
--- |
title: "Configure the TLS trust store in Apicurio Studio" |
date: 2019-10-25T00:00:00+02:00 |
opensource: |
- Apicurio |
- Microcks |
--- |
|
[Microcks](http://microcks.github.io) and [Apicurio](https://www.apicur.io/) are nice Open Source projects that can even talk to each other to deliver greater value than the sum of their parts. |
|
Unfortunately, sometimes TLS certificates can get in the way of proper communication between the two projects. |
This post explains how to configure the trust store in Apicurio to overcome TLS communication issues between Apicurio and Microcks. |
|
Start by gathering the CA certificates used in your company. There can be several ones. |
|
You can then create a trust store by running this command for each CA certificate to import: |
|
```sh |
keytool -import -file root-ca-certificate.crt -alias root-ca -keystore truststore.jks -storepass secret -trustcacerts -noprompt |
``` |
|
Once your trust store is created, you can import it as a secret in the OpenShift project in which you deployed Apicurio. |
|
```sh |
oc create secret generic apicurio-truststore --from-file=truststore.jks |
``` |
|
Then, update the *apicurio-studio-api* Deployment Config to mount this secret in */trust*: |
|
```sh |
oc set volume dc/apicurio-studio-api --add -m /trust --name truststore -t secret --secret-name=apicurio-truststore |
``` |
|
Finally, patch the *apicurio-studio-api* Deployment Config to load this truststore: |
|
```sh |
oc patch dc/apicurio-studio-api -p '{"spec":{"template":{"spec":{"containers":[{"name":"apicurio-studio-api","args":["/bin/sh","-c","java -jar /opt/apicurio/apicurio-studio-api-thorntail.jar -Xms${APICURIO_MIN_HEAP} -Xmx${APICURIO_MAX_HEAP} -Dthorntail.port.offset=${APICURIO_PORT_OFFSET} -Dthorntail.datasources.data-sources.ApicurioDS.driver-name=${APICURIO_DB_DRIVER_NAME} -Dthorntail.datasources.data-sources.ApicurioDS.connection-url=${APICURIO_DB_CONNECTION_URL} -Dthorntail.datasources.data-sources.ApicurioDS.user-name=${APICURIO_DB_USER_NAME} -Dthorntail.datasources.data-sources.ApicurioDS.password=${APICURIO_DB_PASSWORD} -Dthorntail.datasources.data-sources.ApicurioDS.valid-connection-checker-class-name=${APICURIO_DB_VALID_CONNECTION_CHECKER_CLASS_NAME} -Dthorntail.datasources.data-sources.ApicurioDS.validate-on-match=${APICURIO_DB_VALID_ON_MATCH} -Dthorntail.datasources.data-sources.ApicurioDS.background-validation=${APICURIO_DB_BACKGROUND_VALIDATION} -Dthorntail.datasources.data-sources.ApicurioDS.exception-sorter-class-name=${APICURIO_DB_EXCEPTION_SORTER_CLASS_NAME} -Dapicurio.hub.storage.jdbc.init=${APICURIO_DB_INITIALIZE} -Dapicurio.hub.storage.jdbc.type=${APICURIO_DB_TYPE} -Dapicurio.kc.auth.rootUrl=${APICURIO_KC_AUTH_URL} -Dapicurio.kc.auth.realm=${APICURIO_KC_REALM} -Dthorntail.logging=${APICURIO_LOGGING_LEVEL} -Djavax.net.ssl.trustStore=/trust/truststore.jks -Djavax.net.ssl.trustStorePassword=secret"]}]}}}}' |
``` |
|
The important part of this command line is at the end: |
|
- `-Djavax.net.ssl.trustStore=/trust/truststore.jks` |
- `-Djavax.net.ssl.trustStorePassword=secret` |
|
Of course, if you are using a different password or a different filename, you will have to update the patch command accordingly. |
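Review bot: the `keytool -import` command near the top of the hunk is described as something to run "for each CA certificate to import", but it hardcodes `-alias root-ca`, and keytool refuses to import a second certificate under an alias that already exists in the keystore, so only the first CA would end up in `truststore.jks`; give each import its own alias (for example `-alias corp-root-ca` and `-alias corp-intermediate-ca`) and say so in the sentence that introduces the command. Two points on the `oc patch` at the end of the hunk: `-Djavax.net.ssl.trustStore=/trust/truststore.jks` replaces the JDK's default `cacerts` rather than adding to it, so any endpoint the API server reaches that is signed by a public CA (the Keycloak URL passed in `${APICURIO_KC_AUTH_URL}`, if it is one) will stop validating unless those roots are imported into the same store, which the post should warn about; and the store password is baked into the container args as `-Djavax.net.ssl.trustStorePassword=secret`, where it is visible in the DeploymentConfig and in the process command line, so it would be more consistent with the rest of the line to take it from an environment variable populated from a secret, as is already done for `${APICURIO_DB_PASSWORD}`.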