Secure properties with spring cloud config

Overview: Earlier post I was demonstrating basic of spring cloud config. Now in this post, we will see how we can use secure properties in the spring cloud config. Before continuing on this, I recommend you to first go through the previous post.

Secure properties: Almost every application has some kind of configuration that can’t be exposable, some are very sensitive and should be limited access. we generally pronounce it secure properties. 

There are multiple ways you can secure your properties like using Cerberus, Hashicorp vault with consul backend, Cyberark password vault, and aim, confidant, Credstash etc. Here we are going to use the simplest way that may not as powerful as the above tools but secure and very easy to use.

Let’s implement this, in a sample code,

First, generate a key store. assuming you are aware of keytool.

keytool -genkeypair -alias mytestkey -keyalg RSA \ -dname "CN=Web Server,OU=Unit,O=Test,L=City,S=State,C=IN" \ -keypass changeme -keystore server.jks -storepass testPassword

Then place server.jks to resource folder in cloud config server project, after that edit bootstrap.properties(or .yaml). and add below properties.

Properties Description
encrypt.keyStore.locationContains a resource(.jks file) location
encrypt.keyStore.passwordHolds the password that unlocks the keystore
encrypt.keyStore.aliasIdentifies which key in the store to use
encrypt.keyStore.secret secret to encrypt or decrypt

e.g

encrypt.keyStore.location=server.jks encrypt.keyStore.password=testPassword encrypt.keyStore.alias=mytestkey encrypt.keyStore.secret=changeme

That’s it and now restart config server. 

There is encryption and decryption endpoint expose by config server. 

Let’s take a simple example, where we will try to encrypt and decrypt ‘testKey’.

#curl localhost:8888/encrypt --data-urlencode testKey

output:

AQAYqm8ax79kPFGT0sOvV8i8uN0GDLsToULmflVNYKf95bpyAKLIV4eCFVdNJpgb7SyS808a3uTjvQBj1SrIwFlQktRpln8ykpWUG3NdPM6aPf5k4yRhNkG43S5lCckmyLTH8CIzoSSFQeKoFuk4zPiAPTMchTP9qtAYG2EwbdWU1/a9xqoDJb9OQbSsEr0wp2Ud+HlG02NGF2qmhxL7kW5BJxTsGdZG2J8qwhkPYreYF6UQlehmheWCAJBzfBw4peT9LOxi7rA0sHD78xle7Bahziyc+WOETADloKfSowERNY5FCOe4/ywhcHpJuCk+6NPok3KVI+jMTXdSpqMmfxBNc764hHjlhpablwNcRPDv8XGCdstdy4Esb9/eXTZgh0g=

#curl localhost:8888/decrypt --data-urlencode AQAYqm8ax79kPFGT0sOvV8i8uN0GDLsToULmflVNYKf95bpyAKLIV4eCFVdNJpgb7SyS808a3uTjvQBj1SrIwFlQktRpln8ykpWUG3NdPM6aPf5k4yRhNkG43S5lCckmyLTH8CIzoSSFQeKoFuk4zPiAPTMchTP9qtAYG2EwbdWU1/a9xqoDJb9OQbSsEr0wp2Ud+HlG02NGF2qmhxL7kW5BJxTsGdZG2J8qwhkPYreYF6UQlehmheWCAJBzfBw4peT9LOxi7rA0sHD78xle7Bahziyc+WOETADloKfSowERNY5FCOe4/ywhcHpJuCk+6NPok3KVI+jMTXdSpqMmfxBNc764hHjlhpablwNcRPDv8XGCdstdy4Esb9/eXTZgh0g=

output:

testKey

As our keystore file containing public and private key so we can able to encrypt and decrypt properties.

In the case of config client, we do not have to do any extra step except below one, whenever we use encrypted property that has to start with ‘{cipher}’, for example

user.password={cipher}5lCckmyLTH8CIzoSSFQeKoFuk4zPiAPTMchTP9qtA

Caution: encrypted data should not be within single or double quotes.

In a case when a client wants to decrypt configuration locally

First,

If you want to encrypt and decrypt endpoint not work, Then comment all properties that start with encrypt.* and include the new line as below

spring.cloud.config.server.encrypt.enabled=false

Include keystore(.jks) file in client project and update below properties in bootstrap.properties(or .yaml) file

encrypt.keyStore.location=server.jks
encrypt.keyStore.password=testPassword
encrypt.keyStore.alias=mytestkey
encrypt.keyStore.secret=changeme

That’s all, now client project not going to connect with the server to decrypt properties.

Summary: We can secure our external properties using spring cloud config in fewer efforts, That may easily fulfill small or mid-scale project requirement.

Hope you like this 🙂

Advertisements

Spring cloud config

Overview: In this tutorial, we will cover the basics of Spring cloud config server and client, where you will set up your cloud config server and access configuration through client services.

What is Spring cloud config?

Spring cloud config provides server and client side support for externalized configuration a distributed system.

Why Spring cloud config?

External configuration is the basic need of almost any application. Now we are leaving in the microservices world, that need external configuration more often. Almost every individual application has some external and dynamic properties that keep updating based on the environment or some period of time.  In case of the massive size of services, it is hard to manage or left with creating a custom solution for it.

The dilemma is how we can make our application to adopt dynamic changes more often without investing time into it and with zero downtime. Here spring cloud config comes into the picture. It will help a user to manage their external properties from multiple sources like git, local file system etc. Transfer data into encrypted form and lot more.

How it works?

Screen Shot 2018-08-26 at 9.22.06 PM.png

Above diagram, you can see multiple services that get configuration from config server where config server sync with GIT or any other VCS to get new changes.

Let’s create a simple application, that will take a message from the config server and return through the endpoint.

Implementation of spring cloud config server:

Now I’m going to visit  spring initializer page to generate demo project, where I’ve included dependencies of spring ‘web’ and ‘config server’.

Once project imported into IDE, enable config server with ‘@EnableConfigServer’ annotation

@SpringBootApplication
@EnableConfigServer
public class DemoApplication {

   public static void main(String[] args) {
      SpringApplication.run(DemoApplication.class, args);
   }
}

In this example, I’m using local git  for demo purpose

#mkdir cloud-config
#git init
#touch config-client-demo.properties
#vi config-client-demo.properties 
message=Hello World
//wq (write and quite vi editor)
#git add config-client-demo.properties
#git commit -m "initial config"

By default, config server starts on port 8080 as spring boot application.

Here is config server application.properties

server.port=8888
spring.cloud.config.server.git.uri=${HOME}/Desktop/cloud-config

server.port: We use this property to define server port if you do not define it will set 8080 as a default port. Here I’m using the same machine for client and server so one of the port needs to be updated.

spirng.cloud.config.server.git.uri: We define this property to fetch configuration detail from git repository.

Implementation of client application:

Now I’m again going to generate a template application using spring initializer where included ‘web’, ‘client config’ and ‘actuator’ as dependencies. Here ‘actuator’ help us to refresh configuration.

Below is message controller that return message and that message came from config properties, you will notice @RefreshScope annotation that helps to refresh configuration.

@RestController
@RefreshScope
public class MessageRestController {

    @Value("${message}")
    private String message;

    @GetMapping("/message")
    String getMessage() {
        return this.message;
    }
}

Then rename your ‘applcation.properties‘ file to ‘bootstrap.properties‘ and include below config,  I’ve defined application name(name of application should accurate to fetch specific data), Configuration URI(which your config server URL that holds properties details) and expose all actuator endpoint that by default disabled

spring.application.name=config-client-demo
spring.cloud.config.uri=http://localhost:8888

management.endpoints.web.exposure.include=*

spring.application.name: Accurate name of the configuration file that defined on config server.

spring.cloud.config.uri: Base url of config server

management.endpoints.web.exposure.include: By default actuator’s most features are disabled so use a wildcard to enable all. That actually not needed in case of production.

Run your application and you will see below message.

GET http://localhost:8080/message

Response :
Hello world

Let’s update the properties file, I’m going to update ‘Hello World’ to ‘Hello Test’

#vi config-client-demo.properties
message= Hello Test
...
#git add config-client-demo.properties
#git commit -m "update message"
//Once file updated then 'refresh' configuration

Once you included the @RefreshScope annotation that will expose endpoint for you to refresh application, check below.

POST http://localhost:8080/actuator/refresh

Now again hit your message API

GET http://localhost:8080/message
Response:
Hello Test

checkout example at git

Conclusion: We can use spring cloud config to any kind of application for external, distributed and centralized configuration server. There is no limitation of technology and programming languages. You can apply spring cloud config in other languages as well.

Hope you like this tutorial.

 

Install spring boot application on linux

Today most of the people prefer to deploy the standalone application and easy to manageable instead of doing too much overhead or get expert advice on it to manage a specific web server for rest application.

dilemma: When we have a standalone jar there are few minor hacks we have to do this with it. like, configure log path, start with a specific promised user. run it with standalone process instead of inline execution.

A fully executable jar can be executed like any other executable binary or it can be registered with ‘systemd‘.  This makes it very easy to install and manage spring boot applications in common production environments.

#systemd: systemd is system and service manager for linux operating system. When run as the first process on boot (as PID 1), it acts as init system that brings up and maintains userspace services. it is a replacement of ‘Unix system v’ and BSD (Berkeley Software Distribution) init system. for more detail #man systemd

Assume that you have a linux server that has Java installed, now place your executable spring boot jar file in a /opt/apps/ directory

Now create a app.service file in a /etc/systemd/system
directory and execute below command also make sure your permission before creating a file at a particular location
#vi /etc/systemd/system/app.service

and paste script

[Unit]
Description=sample application
After=syslog.target

[Service]
User=appUser
ExecStart=/opt/apps/app.jar
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

now save above script using “:wq” for more detail check vi editor helps(#man vi)

let’s enable service

#systemctl enable app.service
(check #man systemctl for more detail.)

once service enables now you can start, stop and check status of your service.

#systemctl start app.service
#systemctl stop app.service

Hope you like this. Thanks for reading 🙂

Expose RESTful APIs using spring boot in 7 minutes

Hello Friends,

Today we are going to see how to expose standalone RESTful web services, the purpose of a post is to enable a reader to write their own restful web services.

Yes, that’s right! , I’m sure if you see complete video of this post you can write your RESTful web service.. ok enough talk 🙂 let’s start.

 

Hope you like this post. Thanks 🙂

 

 

Create spring beans using YAML

Spring highly adopted annotation based configuration and it is happily accepted by developer communities and why not, no one wants to struggle with XML tags but that’s not enough somewhere we still miss XML configuration or you can say external file configuration as powerful as XML configuration. especially when we write an application that has to alter behaviors without compilation.

But still writing an XML configuration is not readable and not easily understandable for beginners, so I’ve written experimental plugins for spring boot that convert YAML definition to Spring Beans.

here is an example of bean definition in XML and same in YAML.

Spring-beans.xml

Screen Shot 2017-11-04 at 6.45.07 PM

Spring-beans.yaml

Screen Shot 2017-11-04 at 6.44.14 PM

above code snippet, you can see a line of code and readability, let jump in a code example.

below code snippet, only need to add annotation “@ImportYamlResource” that will work same as “@ImportResource”

Screen Shot 2017-11-05 at 10.38.22 AM

below an example link, you can check out a project from git

yaml-beans-example

download library 

 

Note ->  YAML-spring-beans is a just experimental library, still there are lots of features not included

feedback will be much appreciated 🙂