
Use azure-security-keyvault-jca.jar via the command line on the server side

Key concepts

This sample illustrates how to register azure-security-keyvault-jca.jar as a JCA provider from the command line and use it on the server side of a TLS connection.

Getting started

  • This sample contains a plain Spring Boot web application with no Key Vault specific code; the Key Vault integration is supplied entirely through the JCA provider configuration and command-line options below.

Environment

JDK 11.0.12 or above

Run the Spring Boot web server with Azure Key Vault via the command line

  1. Open a terminal, change into the folder that contains pom.xml and run mvn package. A run-with-command-line-server-side-1.0.0.jar is generated in the target folder.
  2. Get a copy of the JCA configuration file (java.security) from your JDK installation:
    • Linux: /lib/security/java.security
    • MacOS Big Sur: /conf/security/java.security
    • Windows: \conf\security\java.security
  3. Edit your copy of the JCA configuration file. Replace the provider section with the following (the existing provider list is kept as-is, and the Key Vault provider is appended with the next free index):

    ```properties
    security.provider.1=SUN
    security.provider.2=SunRsaSign
    security.provider.3=SunEC
    security.provider.4=SunJSSE
    security.provider.5=SunJCE
    security.provider.6=SunJGSS
    security.provider.7=SunSASL
    security.provider.8=XMLDSig
    security.provider.9=SunPCSC
    security.provider.10=JdkLDAP
    security.provider.11=JdkSASL
    security.provider.12=Apple
    security.provider.13=SunPKCS11
    # The next line is the newly added item.
    security.provider.14=com.azure.security.keyvault.jca.KeyVaultJcaProvider
    ```

  4. Get the azure-security-keyvault-jca.jar. You can download the latest published jar from the Maven repository azure-security-keyvault-jca. At the time of writing, the latest jar is azure-security-keyvault-jca-2.7.0.jar.
  5. Make a directory, for example sample_server, and put the following three files into it:
    • java.security
    • run-with-command-line-server-side-1.0.0.jar
    • azure-security-keyvault-jca-2.7.0.jar
  6. Create the key vault and certificates; see "create key vault and certificates". Create a service principal and add a client secret; see "register app with Microsoft Entra ID".
  7. Create a new access policy for the service principal created in the previous step that grants the Get and List secret permissions and the Get and List certificate permissions. These are the only permissions the provider needs to read the certificate and its private key material, so do not grant more.
  8. In the following command, replace the placeholders <yourAzureKeyVaultUri>, <yourTenantID>, <yourClientID>, <yourSecretValue> and <yourCertificateName> with the values of the resources you created. Then open a terminal, change into the sample_server directory and run the edited command:

    ```shell
    java \
    --module-path ./azure-security-keyvault-jca-2.7.0.jar \
    --add-modules com.azure.security.keyvault.jca \
    -Dsecurity.overridePropertiesFile=true \
    -Djava.security.properties==./java.security \
    -Dazure.keyvault.uri=<yourAzureKeyVaultUri> \
    -Dazure.keyvault.tenant-id=<yourTenantID> \
    -Dazure.keyvault.client-id=<yourClientID> \
    -Dazure.keyvault.client-secret=<yourSecretValue> \
    -jar run-with-command-line-server-side-1.0.0.jar \
    --server.port=8443 \
    --server.ssl.enabled=true \
    --server.ssl.key-alias=<yourCertificateName> \
    --server.ssl.keystore-type=DKS \
    --server.ssl.keyStoreProvider=AzureKeyVault \
    --server.ssl.key-store=classpath:keyvault.dummy
    ```

  9. Check the output. After a short while the server starts without requiring client-side authentication; you can visit https://localhost:8443 and see "Hello World!". If you want to enable client-side authentication, insert -Djavax.net.ssl.trustStoreType=AzureKeyVault into the above command and append --server.ssl.client-auth=need to it. Then start the client sample to see the output.
  10. (Optional) You can also use the KeyVaultKeyStore with local certificates.
    • For example, you can put well-known CA certificates into a folder and configure the system property azure.cert-path.well-known=<yourFolderPath>. The certificates in this folder will be loaded by the KeyVaultKeyStore. If you do not configure this property, the default well-known path is /etc/certs/well-known/.
    • Besides the well-known path, you can put your own certificates into another folder specified by azure.cert-path.custom=<yourCustomPath>; by default the custom path is /etc/certs/custom/.
    • You can also put certificates on the class path: create a folder named keyvault on the class path, and all certificates in this folder will be loaded by the Key Vault keystore.
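Steps 2 and 3 above copy the JDK's java.security file and hard-code the new provider as index 14, which matches the macOS provider list shown but not, for example, a Linux JDK without the Apple provider. The script below is an added example, not part of the sample: it copies the JDK's own file (the launch command uses `-Djava.security.properties==`, the double-equals form that replaces the whole file, so the copy must be complete) and appends the Key Vault provider at the next free index so the numbering stays contiguous, then offers a check to run before launching. It assumes a `java` on PATH for locating the default file; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: prepare the java.security override for the Key Vault JCA
# provider from the JDK's own file, with the provider index computed rather
# than hard-coded.
set -eu

KV_PROVIDER='com.azure.security.keyvault.jca.KeyVaultJcaProvider'

# Locate the JDK's java.security via the java.home the runtime reports.
# Assumes 'java' is on PATH; JDK 11+ keeps the file under conf/security.
default_java_security() {
  home=$(java -XshowSettings:properties -version 2>&1 | sed -n 's/^ *java.home = //p')
  printf '%s/conf/security/java.security\n' "$home"
}

# Highest existing security.provider.N index in a java.security file
# (prints 0 when the file lists no providers).
max_provider_index() {
  idx=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\) *=.*/\1/p' "$1" | sort -n | tail -n 1)
  printf '%s\n' "${idx:-0}"
}

# Copy SRC to DST and register the Key Vault provider at the next index.
# Idempotent: a copy that already lists the provider is left unchanged.
append_keyvault_provider() {
  src=$1
  dst=$2
  cp "$src" "$dst"
  if grep -qF -- "=$KV_PROVIDER" "$dst"; then
    return 0
  fi
  next=$(( $(max_provider_index "$dst") + 1 ))
  {
    printf '# Added for the Azure Key Vault JCA provider\n'
    printf 'security.provider.%d=%s\n' "$next" "$KV_PROVIDER"
  } >> "$dst"
}

# Pre-launch check: the provider must be registered exactly once, otherwise
# the JVM silently ignores or misorders providers and TLS falls back to the
# default keystore without the Key Vault certificate.
verify_keyvault_provider() {
  [ "$(grep -cF -- "=$KV_PROVIDER" "$1")" -eq 1 ]
}

# Typical use, mirroring steps 2 and 3:
#   append_keyvault_provider "$(default_java_security)" ./java.security
#   verify_keyvault_provider ./java.security
```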

Deploy to Azure Spring Apps

Now that you have the Spring Boot application running locally, it's time to move it to production. Azure Spring Apps makes it easy to deploy Spring Boot applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. To deploy your application to Azure Spring Apps, see Deploy your first application to Azure Spring Apps.