In this article we will see how to enable SSL (HTTPS) for your Spring Boot application.
HTTPS vs SSL vs TLS
HTTPS is the secure version of HTTP (Hyper Text Transfer Protocol). SSL (Secure Sockets Layer) is the encryption protocol used when communication happens over a network, and this is what makes HTTPS secure. TLS (Transport Layer Security) is the upgraded version of SSL; in fact, SSL itself has been deprecated. But the term has caught on with everyone and hence SSL and TLS are used interchangeably.
WHY HTTPS ?
HTTPS is required for privacy, integrity and identification.
Privacy: The data transferred over the network is encrypted by TLS, so even if the traffic is intercepted it is extremely difficult to decrypt.
Integrity: The data sent reaches the intended receiver without being tampered with.
Identification: The sender and the receiver are each who they claim to be.
STEPS TO ENABLE HTTPS IN A JAVA SPRING BOOT APP
- Get SSL Certificate
- Configure SpringBoot Application to use the certificate
STEP 1: GET SSL CERTIFICATE
There are two ways to get an SSL certificate:
- Create a self-signed SSL certificate. (Useful for DEV and TEST environments)
- Use a certificate issued by a Certificate Authority. (For Production)
Keytool is a certificate management utility shipped with the JDK. We will use it to create our self-signed certificate. Keytool generates a keystore file which holds the private key together with a self-signed certificate for the matching public key; this is what the server presents to clients.
keytool -genkeypair -alias springboot -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore app.p12 -validity 3650
The above command creates a cryptographic key pair and stores it in a keystore file (app.p12) in the PKCS12 format. Note that once you hit Enter you will be prompted to choose a keystore password and to enter other details such as the organization name. A single keystore file can hold more than one such key pair, each identified by its alias.
PKCS12 (one of the Public-Key Cryptography Standards) is the industry standard for storing private keys with their certificates. It is language neutral and is supported by Spring Boot. The other format which Spring Boot supports is JKS (Java KeyStore), which is used primarily by Java applications.
The command below can be used to generate a JKS keystore instead.
keytool -genkeypair -alias springboot -keyalg RSA -keysize 2048 -keystore app.jks -validity 3650
For production applications we might not want a self-signed certificate. We would need to get a certificate issued by a CA and then import it into either a JKS or a PKCS12 keystore file. Below is the command to import the certificate cert.crt into the keystore file app.p12. Import it under the same alias as the key pair whose certificate signing request was sent to the CA; if the alias holds no private key, keytool stores the file as a trusted-certificate entry that cannot be used for serving TLS.
keytool -import -alias springboot -file cert.crt -keystore app.p12
Step 2: Configure the Spring Boot Application
Now that we have our own keystore file, place it in the resources folder of the application. Then simply add the properties below to the application.properties file:
server.port=8443
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:app.p12
server.ssl.key-store-password=963852
server.ssl.key-alias=springboot
These are the values (alias, store type and password) which we used when creating the keystore file in Step 1. Keep the keystore password out of version control; Spring Boot also resolves it from an environment variable or an externalized configuration file. Now all we need to do is ensure that Spring Boot accepts only SSL requests after validating the keystore file. Add the below class to enable secure requests.
Now a plain HTTP request sent to port 8443 will be answered with a Bad Request error, because that connector only speaks TLS. The certificate (its public part, exported from the keystore) can be distributed to the clients so that their browsers trust our URL.
In this article we saw how to create our own self-signed certificate and enable HTTPS in Spring Boot. Optionally, if the project demands it, we could tweak the embedded server configuration so that any request to HTTP is automatically redirected to HTTPS.