Working on the Alias Connecting issue (228) - nats-io/nats-jms-bridge GitHub Wiki

TLS Keystore Alias issue

To fix this issue we first had to reproduce it, and for that we had to set up a NATS server that verifies client TLS certificates (tlsverify).

These are the steps we followed:

Removed the folder certs/keyalias/ with all the content used in the previous version.

~/bridge2
cd certs/
rm -rf keyalias/

Created a new folder called alias inside certs/

pwd
Output:
~/bridge2/certs
mkdir alias

Now create the certificates, keystore and truststore

Certificates

Enter the alias folder:

cd alias

pwd
Output:
~/bridge2/certs/alias

Server Certificate

mkcert -cert-file server-cert.pem -key-file server-key.pem localhost ::1

Output:
Using the local CA at "~/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "localhost"
 - "::1"

The certificate is at "server-cert.pem" and the key at "server-key.pem"

Client Certificates

Client Certificate

mkcert -client -cert-file client-cert.pem -key-file client-key.pem localhost ::1

Output:
Using the local CA at "~/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "localhost"
 - "::1"

The certificate is at "client-cert.pem" and the key at "client-key.pem"

Create Sample Cloudurable Certificate

mkcert -client -cert-file cloudurable-cert.pem -key-file cloudurable-key.pem localhost ::1

Output:
Using the local CA at "~/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "localhost"
 - "::1"

The certificate is at "cloudurable-cert.pem" and the key at "cloudurable-key.pem"

Create sample Mamatus Certificate

mkcert -client -cert-file mamatus-cert.pem -key-file mamatus-key.pem localhost ::1

Output:
Using the local CA at "~/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "localhost"
 - "::1"

The certificate is at "mamatus-cert.pem" and the key at "mamatus-key.pem"

Now we have 4 certificates and 4 certificate keys; to check, list the folder content:

ls

Output:
client-cert.pem		cloudurable-key.pem	server-cert.pem
client-key.pem		mamatus-cert.pem	server-key.pem
cloudurable-cert.pem	mamatus-key.pem

The -client flag marks the certificate as a client certificate, i.e. one that will be presented by a client rather than served by a server.

This is needed to configure the tlsverify option on the NATS server. When the flag tlsverify is set to true, the server requires a client certificate and verifies it against the root CA, so we need to configure the root CA on the server.

Get path for root CA

To obtain the path for the root CA type:

mkcert -CAROOT

Output:
~/Library/Application Support/mkcert

Copy the root CA into the alias folder:

cp ~/Library/Application\ Support/mkcert/rootCA.pem rootCA.pem

ls

client-cert.pem		cloudurable-key.pem	rootCA.pem
client-key.pem		mamatus-cert.pem	server-cert.pem
cloudurable-cert.pem	mamatus-key.pem		server-key.pem

Creating a P12 file

We need to create a p12 file so that the certificate and its key can be imported into the keystore.
You can omit the -password argument and type the password when prompted.
If you prefer, type your own password after the pass: prefix.

openssl pkcs12 -export -out client.p12 -inkey client-key.pem -in client-cert.pem -password pass:password -name "client-cert"

openssl pkcs12 -export -out cloudurable.p12 -inkey cloudurable-key.pem -in cloudurable-cert.pem -password pass:password -name "cloudurable-cert" 

openssl pkcs12 -export -out mamatus.p12 -inkey mamatus-key.pem -in mamatus-cert.pem -password pass:password -name "mamatus-cert"

The -name parameter sets the certificate alias.

Now you have 3 more files in the folder

$ ls

client-cert.pem		cloudurable-key.pem	mamatus.p12
client-key.pem		cloudurable.p12		rootCA.pem
client.p12		mamatus-cert.pem	server-cert.pem
cloudurable-cert.pem	mamatus-key.pem		server-key.pem

Importing files to the keystore

keytool -importkeystore -srcstoretype PKCS12 -srckeystore client.p12 -srcstorepass password -destkeystore keystore.jks -deststorepass password -alias client-cert

keytool -importkeystore -srcstoretype PKCS12 -srckeystore cloudurable.p12 -srcstorepass password -destkeystore keystore.jks -deststorepass password -alias cloudurable-cert

keytool -importkeystore -srcstoretype PKCS12 -srckeystore mamatus.p12 -srcstorepass password -destkeystore keystore.jks -deststorepass password -alias mamatus-cert

Note: the -alias value must be the same alias name that was set with -name when the p12 file was created.

The keystore file was created

$ ls

client-cert.pem		cloudurable.p12		rootCA.pem
client-key.pem		keystore.jks		server-cert.pem
client.p12		mamatus-cert.pem	server-key.pem
cloudurable-cert.pem	mamatus-key.pem
cloudurable-key.pem	mamatus.p12

Creating the truststore file

keytool -importcert -trustcacerts -file rootCA.pem -storepass cloudurable2 -noprompt -keystore truststore.jks

The truststore was created. Note that the -storepass value used here (cloudurable2) is the truststore password the bridge must be configured with (io.nats.client.tls.truststore.password); the two must match.

$ ls

client-cert.pem		cloudurable.p12		rootCA.pem
client-key.pem		keystore.jks		server-cert.pem
client.p12		mamatus-cert.pem	server-key.pem
cloudurable-cert.pem	mamatus-key.pem		truststore.jks
cloudurable-key.pem	mamatus.p12
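The p12 export, keystore import and truststore creation steps above, as an added example script that is not part of the nats-jms-bridge project: it exports a PEM pair to PKCS12 with the alias set by -name, imports it into keystore.jks under that same alias, builds truststore.jks from the root CA, and then checks with keytool -list that the alias the bridge config will reference (io.nats.client.tls.keystore.alias) actually exists in the store. It assumes openssl and keytool (from a JDK) are on PATH. The certificates are generated with openssl (a throwaway test CA and a client certificate with the clientAuth extended key usage, mirroring what mkcert -client issues) so the script runs without mkcert; the function names, the example CA subject and the truststore entry alias rootca are this example's own choices, not anything from the project.

```shell
#!/bin/sh
# Added example, not part of the nats-jms-bridge project.
# Builds keystore.jks and truststore.jks from PEM files with an explicit alias,
# then verifies with keytool -list that the alias exists before the bridge
# config (io.nats.client.tls.keystore.alias) refers to it.
# Assumptions: openssl and keytool (from a JDK) are on PATH. Certificates are
# generated with openssl rather than mkcert so the script runs anywhere; the
# CA subject, file names and the "rootca" truststore alias are this example's own.
set -eu

# make_test_certs DIR: throwaway CA plus one client certificate signed by it.
# The clientAuth extended key usage mirrors what "mkcert -client" issues.
make_test_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example-test-ca" \
    -keyout "$dir/rootCA-key.pem" -out "$dir/rootCA.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:localhost\n' >"$dir/client.ext"
  openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/rootCA.pem" \
    -CAkey "$dir/rootCA-key.pem" -CAcreateserial -extfile "$dir/client.ext" \
    -out "$dir/client-cert.pem" 2>/dev/null
}

# build_stores DIR ALIAS PASSWORD: PEM -> PKCS12 (-name sets the alias) ->
# keystore.jks, and rootCA.pem -> truststore.jks. One password is used for
# both stores here; whatever you choose must be what the bridge config carries.
build_stores() {
  dir=$1; alias=$2; pass=$3
  openssl pkcs12 -export -out "$dir/$alias.p12" -inkey "$dir/client-key.pem" \
    -in "$dir/client-cert.pem" -password "pass:$pass" -name "$alias"
  # -srcalias/-destalias are the documented importkeystore options; the source
  # alias must equal the -name above or keytool reports that it does not exist.
  keytool -importkeystore -noprompt -srcstoretype PKCS12 \
    -srckeystore "$dir/$alias.p12" -srcstorepass "$pass" -srcalias "$alias" \
    -destkeystore "$dir/keystore.jks" -deststorepass "$pass" -destalias "$alias" \
    >/dev/null 2>&1
  keytool -importcert -noprompt -trustcacerts -alias rootca \
    -file "$dir/rootCA.pem" -keystore "$dir/truststore.jks" -storepass "$pass" \
    >/dev/null 2>&1
}

# verify_alias STORE PASSWORD ALIAS: succeeds only if ALIAS is an entry in STORE
# and PASSWORD opens it; keytool -list exits non-zero otherwise.
verify_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# main: run the whole flow in a temporary directory and report both aliases.
main() {
  dir=$(mktemp -d)
  make_test_certs "$dir"
  build_stores "$dir" client-cert password
  if verify_alias "$dir/keystore.jks" password client-cert; then
    echo "ok: alias client-cert present in $dir/keystore.jks"
  else
    echo "missing: alias client-cert not in $dir/keystore.jks" >&2; exit 1
  fi
  if verify_alias "$dir/truststore.jks" password rootca; then
    echo "ok: alias rootca present in $dir/truststore.jks"
  else
    echo "missing: alias rootca not in $dir/truststore.jks" >&2; exit 1
  fi
}

# Only run the flow when invoked as: sh build-keystore.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `sh build-keystore.sh --run` to build the stores in a temporary directory. To use the mkcert files from certs/alias/ instead, call build_stores on that directory and skip make_test_certs. The verify_alias check is the one to run before starting the bridge: the value of io.nats.client.tls.keystore.alias must be an alias this check finds, and the store password in the config must be the one that opens the store.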

Now run NATS server with tlsverify.

nats-server -DV --tls --tlscert=~/job/nats-jms-mq-bridge2/bridge2/certs/alias/server-cert.pem \
--tlskey=~/job/nats-jms-mq-bridge2/bridge2/certs/alias/server-key.pem \
--tlscacert=~/job/nats-jms-mq-bridge2/bridge2/certs/alias/rootCA.pem --tlsverify=true

Running the bridge

You can now run the bridge with the keystore alias set in its NATS cluster configuration:

    natsCluster:
      name: "natsCluster"
      properties: !<nats>
        host: "localhost"
        port: 4222
        servers: []
        config:
          io.nats.client.reconnect.wait: "3000"
          io.nats.client.reconnect.max: "10"
          io.nats.client.timeout: "4000"
          io.nats.client.tls.jssl.enable: "true"
          io.nats.client.tls.truststore.path: "../certs/truststore.jks"
          io.nats.client.tls.keystore.path: "../certs/keystore.jks"
          io.nats.client.tls.algorithm: "SunX509"
          io.nats.client.tls.keystore.password: "password"
          io.nats.client.tls.truststore.password: "password"
          io.nats.client.tls.keystore.alias: "client-cert"