Hi Team,
If a CB cluster uses a CA root certificate, how can we use it in a Java application in order to secure the connection between the client and the CB server?
Thanks,
Debasis
When creating the Environment, specify the path to the certificate with SecurityConfig.trustCertificate(path).
Here are some code samples to illustrate @mreiche's suggestion.
There are a few ways to trust a custom CA certificate.
Option A: Programmatic environment configuration
This syntax requires Java SDK 3.4.1 or later, but the same idea works with earlier versions.
import java.nio.file.Paths;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.ClusterOptions;

// couchbases:// (with the trailing "s") enables TLS
String connectionString = "couchbases://example.com";
Cluster cluster = Cluster.connect(
    connectionString,
    ClusterOptions.clusterOptions(username, password)
        .environment(env -> env
            .securityConfig(security -> security
                // trust only the CA certificate(s) in this PEM file
                .trustCertificate(Paths.get("/path/to/ca-cert.pem"))
            )
        )
);
TIP: The ca-cert.pem file (or whatever you choose to name it) may contain multiple trusted CA certificates.
Option B: Configure via connection string
Most client settings (including security.trustCertificate) can be specified as connection string query parameters.
String connectionString = "couchbases://example.com" +
        "?security.trustCertificate=/path/to/ca-cert.pem";
Cluster cluster = Cluster.connect(connectionString, username, password);
Option C: Add certificate to JVM trust store
If you don’t tell the SDK to trust specific certificates, SDK 3.4.0 and later defaults to trusting all certificates in the JVM’s cacerts trust store. You can add your certificate to cacerts (the internet can show you how to do that) and just enable TLS.
String connectionString = "couchbases://example.com";
Cluster cluster = Cluster.connect(connectionString, username, password);
It’s also possible to put the certificate in a separate Java Keystore and tell the SDK to use that keystore, but it’s much simpler to use a plain old PEM file as in Options A & B.
NOTE: The above examples enable TLS by using the couchbases:// (note the final “s”) scheme in the connection string. An alternate way to enable TLS is to set the security.enableTls client setting to true.
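An added example to go with the options above (not code from this thread or from the Couchbase SDK; it uses only the JDK). It parses a PEM bundle the way the TIP describes (one or more concatenated CA certificates), fails fast on the two mistakes that otherwise surface later as opaque TLS handshake errors (an expired certificate, or a leaf certificate that is not actually a CA), and, for Option C, imports the CAs into a copy of the JVM's cacerts so the original trust store is left untouched. The file paths, the "couchbase-ca-N" aliases and the default cacerts password "changeit" are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Sanity-check a CA PEM bundle before handing it to the SDK (Options A/B),
 * and optionally import it into a copy of the JVM trust store (Option C).
 * Added example; paths, aliases and the cacerts password are assumptions.
 */
public class TrustBundleCheck {

    /** Parse every certificate in the PEM file; generateCertificates() handles concatenated PEM blocks. */
    static List<X509Certificate> loadPem(Path pem) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /** Reject certificates that cannot anchor a trust chain: expired/not yet valid, or not marked as a CA. */
    static void check(X509Certificate cert) throws CertificateException {
        cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        if (cert.getBasicConstraints() < 0) { // -1 means basicConstraints says "not a CA"
            throw new CertificateException("Not a CA certificate: " + cert.getSubjectX500Principal());
        }
    }

    /**
     * Option C without keytool: load the existing cacerts, add the CAs as trusted entries, write a new file.
     * Point the JVM at the copy with -Djavax.net.ssl.trustStore=<targetStore> rather than editing cacerts in place.
     */
    static void importInto(Path sourceStore, char[] password, List<X509Certificate> cas, Path targetStore)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(sourceStore)) {
            ks.load(in, password);
        }
        int i = 0;
        for (X509Certificate ca : cas) {
            ks.setCertificateEntry("couchbase-ca-" + (i++), ca); // alias is an arbitrary choice (assumption)
        }
        try (OutputStream out = Files.newOutputStream(targetStore)) {
            ks.store(out, password);
        }
    }

    /** Usage: java TrustBundleCheck /path/to/ca-cert.pem [/path/to/new-truststore] */
    public static void main(String[] args) throws Exception {
        Path pem = Paths.get(args.length > 0 ? args[0] : "/path/to/ca-cert.pem"); // assumed path
        List<X509Certificate> cas = loadPem(pem);
        for (X509Certificate ca : cas) {
            check(ca);
            System.out.println("OK: " + ca.getSubjectX500Principal() + " (expires " + ca.getNotAfter() + ")");
        }
        if (args.length > 1) {
            // Default JDK cacerts location and default password "changeit" are assumptions; adjust for your JVM.
            Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
            importInto(cacerts, "changeit".toCharArray(), cas, Paths.get(args[1]));
            System.out.println("Wrote " + args[1] + "; run the client with -Djavax.net.ssl.trustStore=" + args[1]);
        }
    }
}
```

Running the check first is worthwhile even if you pick Option A or B: the SDK will happily load a PEM that contains a server (leaf) certificate instead of the CA, and the resulting failure only shows up at handshake time. Writing the import to a copy of cacerts keeps the JDK's own trust store unchanged, which also survives JDK upgrades better than editing the installed file.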
Thanks @david.nault. Could you please let me know: if the existing program wants to use the certificate, do we just need to add the above piece of code to the existing program?
Thanks,
Debasis
You would modify the client so when it connects to the cluster, it specifies which CA certificate(s) to trust – using code that looks something like the examples above.
Or, if you choose “Option C” above, no code change is required, but you’d need to add the certificate to the JVM’s cacerts truststore, and be using Couchbase Java SDK 3.4.0 or later.