SSL Configuration when using Spring cloud stream
Hello
We are using Spring Cloud Stream Solace binders. We are trying to configure SSL cert when connecting to Solace queue and topic. Below is the configuration that we use in Java and is working:
properties.setProperty("Solace_JMS_VPN", vpn);
properties.setProperty("Solace_JMS_Authentication_Scheme", "AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE");
properties.setProperty("SOLACE_JMS_SSL_VALIDATE_CERTIFICATE","true");
properties.setProperty("Solace_JMS_SSL_TrustStore", <path>);
properties.setProperty("Solace_JMS_SSL_TrustStorePassword", <pwd>);
We need help in configuring these properties in the Solace binder. Currently we have the below entry:
binders:
  local_solace:
    type: solace
    environment:
      solace:
        java:
          host: tcps://<host:port>
          msgVpn: <vpn>
          clientUsername: <username>
Best Answer
-
Hi, configuration for the JCSMP properties is handled by Spring Boot configuration as mentioned here: https://github.com/SolaceProducts/spring-cloud-stream-binder-solace#creating-a-simple-solace-binding
So if you used the sample Binder config listed on that page, you can just add in the SSL parameters into that config (or use one of the other ways that Spring Boot allows for configuration).
application.yaml
spring:
  cloud:
    stream:
      bindings:
        input:
          destination: queuename
          group: myconsumergroup
solace:
  java:
    host: tcp://192.168.133.64
    msgVpn: default
    clientUsername: default
    clientPassword: default
    connectRetries: -1
    reconnectRetries: -1
    apiProperties:
      SSL_VALIDATE_CERTIFICATE: true
      SSL_TRUST_STORE: <path>
      SSL_TRUST_STORE_PASSWORD: <pwd>
The apiProperties is needed as per the bottom of this section: https://github.com/SolaceProducts/solace-java-spring-boot#updating-your-application-properties.
Let me know how this goes.
edit: changed application.properties to application.yml as the example I give is YAML
6
Answers
Thanks for the answer @amackenzie! @ruplim did this help you out?
0 -
Thank you @amackenzie. The answer worked for me and we were able to connect using SSL.
0 -
- I would like to add to the solution that you have to use tcps not TCP.
- Additionally you can also include the port
Example:
tcps://192.168.133.64:55443
spring:
  cloud:
    stream:
      bindings:
        input:
          destination: queuename
          group: myconsumergroup
solace:
  java:
    host: tcps://192.168.133.64:55443
    msgVpn: default
    clientUsername: default
    clientPassword: default
    connectRetries: -1
    reconnectRetries: -1
    apiProperties:
      SSL_VALIDATE_CERTIFICATE: true
      SSL_TRUST_STORE: <path>
      SSL_TRUST_STORE_PASSWORD: <pwd>
0 -
thanks for adding that info @glenn_esl 🙏
0 -
Hi,
Since it is already using a certificate, are the clientUsername and clientPassword still required?
solace:
  java:
    host: tcps://192.168.133.64:55443
    msgVpn: default
    clientUsername: default
    clientPassword: default
    connectRetries: -1
    reconnectRetries: -1
    apiProperties:
      SSL_VALIDATE_CERTIFICATE: true
      SSL_TRUST_STORE:
      SSL_TRUST_STORE_PASSWORD:
Is there any setting or option that can be used to not require the said 2 properties?
0 -
Hi @wenhede,
The SSL_* properties are only used to establish an SSL connection between the client and Solace. Validating the certificate only makes sure that you can limit the client to connect only to trusted Solace instances.
To authenticate with a certificate is a different topic; I would suggest creating a new question on the discussion board.
1
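Added example, not part of the thread and not code from the Solace projects: a small pre-deployment check for the `solace.java` block discussed above. It flags the `tcp://` host that the thread corrects to `tcps://`, a validation flag that is not `true`, an empty trust store path, and a literal trust store password. The sample config, the trust store path, the password value, the comma-separated host list handling and the `flatten`/`check` helpers are assumptions made for illustration.

```python
# Constructed sample: the accepted answer's settings, still with the tcp:// host.
SAMPLE = """\
solace:
  java:
    host: tcp://192.168.133.64
    msgVpn: default
    apiProperties:
      SSL_VALIDATE_CERTIFICATE: true
      SSL_TRUST_STORE: /etc/app/truststore.jks
      SSL_TRUST_STORE_PASSWORD: changeit
"""

def flatten(text):
    """Flatten simple nested 'key: value' YAML (mappings only) to dotted keys."""
    out, stack = {}, []                      # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # leave mappings we have dedented out of
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return out

def check(text):
    """Return a list of findings for the solace.java TLS settings."""
    cfg = flatten(text)
    prefix = "solace.java.apiProperties."
    api = {k[len(prefix):].upper(): v for k, v in cfg.items() if k.startswith(prefix)}
    findings = []
    # Assumption: host may be a comma-separated list; every entry must be tcps://
    hosts = [h.strip() for h in cfg.get("solace.java.host", "").split(",") if h.strip()]
    if not hosts or any(not h.lower().startswith("tcps://") for h in hosts):
        findings.append("host is not tcps://, so the SSL_* settings protect nothing")
    if api.get("SSL_VALIDATE_CERTIFICATE", "").lower() != "true":
        findings.append("SSL_VALIDATE_CERTIFICATE is not set to true")
    if not api.get("SSL_TRUST_STORE"):
        findings.append("SSL_TRUST_STORE is not set")
    pwd = api.get("SSL_TRUST_STORE_PASSWORD", "")
    if pwd and not pwd.startswith("${"):
        findings.append("trust store password is a literal; use a ${...} placeholder")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print("FINDING:", finding)
```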