Client migration to Java sdk 3.0, sslKeystoreFile and password

Hi,
I’m trying to migrate our existing cb client from v2 to 3. (our server is 6.0.1)
For security configuration we use ssl keystore file and ssl keystore password.
How are these params translated to the new v3 security config? I’m not able to find any reference to keystore in the code.
The docs hint that this is moved to CertificateAuthenticator, but it is not clear how.

Thanks,
Asher

Hi Asher,

Are you just enabling SSL/TLS, or are you also authenticating the client using a certificate instead of a username & password?

Thanks,
David

Hi David,

Previously we used sslKeystoreFile and password for ssl, user/password for authentication.

@ashernave in the next release we brought those APIs back for convenience: JVMCBC-830: More convenience overloads for certificates · couchbase/couchbase-jvm-clients@ecf78c1 · GitHub

If you don’t want to wait for that you can use the same code that we use internally to build up the factory and supply it.

Something along the lines of

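// Needs: java.io.InputStream, java.nio.file.Files, java.security.KeyStore, javax.net.ssl.TrustManagerFactory

// Load the trust store; try-with-resources closes the file stream.
final KeyStore store = KeyStore.getInstance(trustStoreType.orElse(KeyStore.getDefaultType()));
try (InputStream in = Files.newInputStream(trustStorePath)) {
  store.load(in, trustStorePassword != null ? trustStorePassword.toCharArray() : null);
}

// Build a TrustManagerFactory backed by the store loaded above,
// using the TrustManagerFactory default algorithm.
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(store);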

and then pass the tmf to the API (https://github.com/couchbase/couchbase-jvm-clients/blob/master/core-io/src/main/java/com/couchbase/client/core/env/SecurityConfig.java#L307) … again in the next version it will remove that boilerplate

Thanks, this is very helpful.
When can I expect the next version to be released?

@ashernave currently targeting the first Tuesday of April. (For the Java SDK, we try to do monthly releases on the first Tuesday of the month if possible/feasible.)

How can I pass the keystore and truststore file and password for cert-based authentication as parameters, not the actual path?

Hi @Shruti_Dixit ,

You can use the overloads that accept a KeyStore instead of a Path, namely: SecurityConfig.trustStore(KeyStore) and CertificateAuthenticator.fromKeyStore(KeyStore, String).

To turn a File into a KeyStore:

public static KeyStore readKeyStore(File file, char[] password) throws Exception {
  try (InputStream is = new FileInputStream(file)) {
    KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
    store.load(is, password);
    return store;
  }
}

Thanks,
David
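
An added example, not code from this thread or from the Couchbase project, that wires the two overloads named in the answer above into a full SDK 3 connection and rejects unusable stores before any handshake is attempted. The class name, the environment variable names and the host are assumptions.

```java
import com.couchbase.client.core.env.CertificateAuthenticator;
import com.couchbase.client.core.env.SecurityConfig;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.ClusterOptions;
import com.couchbase.client.java.env.ClusterEnvironment;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;

public class TlsCertAuthExample { // hypothetical class name
  // Load a store from any stream (file, classpath resource, bytes from a secret store).
  static KeyStore load(InputStream in, char[] password) throws Exception {
    try (InputStream is = in) {
      KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
      store.load(is, password);
      return store;
    }
  }

  // Fail early with a clear message instead of an opaque handshake error later.
  static void check(KeyStore trust, KeyStore client) throws Exception {
    if (trust.size() == 0) throw new IllegalStateException("trust store is empty");
    boolean hasKey = false;
    for (String alias : Collections.list(client.aliases())) hasKey |= client.isKeyEntry(alias);
    if (!hasKey) throw new IllegalStateException("client key store has no private key entry");
  }

  public static void main(String[] args) throws Exception {
    // Assumed variable names; passwords come from the environment, not from source code.
    String trustPw = System.getenv("CB_TRUSTSTORE_PASSWORD");
    String keyPw = System.getenv("CB_KEYSTORE_PASSWORD");
    KeyStore trustStore = load(Files.newInputStream(Paths.get(System.getenv("CB_TRUSTSTORE"))), trustPw.toCharArray());
    KeyStore keyStore = load(Files.newInputStream(Paths.get(System.getenv("CB_KEYSTORE"))), keyPw.toCharArray());
    check(trustStore, keyStore);

    ClusterEnvironment env = ClusterEnvironment.builder()
      .securityConfig(SecurityConfig.enableTls(true).trustStore(trustStore))
      .build();
    Cluster cluster = Cluster.connect("couchbase.example.com", // placeholder host
      ClusterOptions.clusterOptions(CertificateAuthenticator.fromKeyStore(keyStore, keyPw)).environment(env));
    try {
      // ... use the cluster ...
    } finally {
      cluster.disconnect();
      env.shutdown(); // an environment built by the caller is also shut down by the caller
    }
  }
}
```

For username and password authentication over TLS, keep the `securityConfig` part and pass the credentials to `Cluster.connect` instead of a `CertificateAuthenticator`.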

@Shruti_Dixit
Please let me know whether you are able to achieve a TLS connection from Java SDK 3.* clients.
It will be helpful if I can get some steps and a sample, as I am facing a handshake failure.
Thanks.
Sanjiv