Client migration to Java sdk 3.0, sslKeystoreFie and password

ashernave · March 8, 2020, 2:13pm

Hi,
I’m trying to migrate our existing cb client from v2 to 3. (our server is 6.0.1)
For security configuration we use ssl keystore file and ssl keystore password.
How are these params translated to the new v3 security config? I’m not able to find any reference to keystore in the code.
The docs hint that this is moved to CertificateAuthenticator but this is not clear how.

Thanks,
Asher

david.nault · March 12, 2020, 8:22pm

Hi Asher,

Are you just enabling SSL/TLS, or are you also authenticating the client using a certificate instead of a username & password?

Thanks,
David

ashernave · March 19, 2020, 2:38pm

Hi David,

Previously we used sslKeystoreFile and password for ssl, user/password for authentication

daschl · March 19, 2020, 2:59pm

@ashernave in the next release we brought those APIs back for convenience: https://github.com/couchbase/couchbase-jvm-clients/commit/ecf78c141354bbfca2c4ca8c5eec0fe58a1ecc03

If you don’t want to wait for that you can use the same code that we use internally to build up the factory and supply it.

daschl · March 19, 2020, 3:01pm

Something along the lines of

final KeyStore store = KeyStore.getInstance(trustStoreType.orElse(KeyStore.getDefaultType()));
        store.load(
          Files.newInputStream(trustStorePath),
          trustStorePassword != null ? trustStorePassword.toCharArray() : null
        );

final TrustManagerFactory tmf = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

and then pass the tmf to the API (https://github.com/couchbase/couchbase-jvm-clients/blob/master/core-io/src/main/java/com/couchbase/client/core/env/SecurityConfig.java#L307) … again in the next version it will remove that boilerplate

ashernave · March 19, 2020, 6:57pm

Thanks, this is very helpful.
When can I expect the next version be released?

daschl · March 20, 2020, 10:57am

@ashernave currently targeting first tuesday of april. (for the java sdk, we try to do monthly releases on the first tuesday of the month if possible/feasible)

Shruti_Dixit · August 10, 2021, 6:44pm

How i can pass the Keystore and trustore file and password for cert based authentication as parameters not the actual path.

david.nault · August 10, 2021, 8:12pm

Hi @Shruti_Dixit ,

You can use the overloads that accept a KeyStore instead of a Path, namely: SecurityConfig.trustStore(KeyStore) and CertificateAuthenticator.fromKeyStore(KeyStore, String).

To turn a File into a KeyStore:

public static KeyStore readKeyStore(File file, char[] password) throws Exception {
  try (InputStream is = new FileInputStream(file)) {
    KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
    store.load(is, password);
    return store;
  }
}

Thanks,
David

Sanjiv · August 25, 2021, 1:57pm

@Shruti_Dixit
Please let me know are you able to achieve TLS connection from java SDK 3.* clients.
It will be helpful, if I can get some steps and sample as I am facing handshake failure.
Thanks.
Sanjiv