IMLC.ME
Search…
IMLC.ME
en-US
Welcome
TeamCity is reporting "Unmet requirements: docker.server.version exists"
How to do math in Bash
Monitoring, ElasticSearch and Grafana
Zero Down Time Deployment in Kubernetes
brew install reported "Failed to connect to 127.0.0.1 port 1087"
How to resolve "no route to host" in Kubernetes
Helm - zsh: no matches found: imagePullSecrets[0].name=regcred
Helm - Pull image from private repository
How to install frp client in Kubernetes
How to enable mutual authentication in Jetty server
在国内如何拉取 quay.io 的镜像
How to set registry to NPM and Yarn
How to resolve the issue "DH key too small"
Compare HTTP/1.1, HTTP/2 and HTTP/2 Server Push
创建 Kubernetes Cron 定时任务
Docker/Kubernetes 国内镜像
下载 Everything
下载 Windows 10 镜像
Shall I avoid Exclamation Mark(!) in If-Statement in Java
How to force a program use HTTP proxy in Linux
格式化字符串攻击(Format String Attack
函数注入(Function Injection)
Next.js 如何生成 robots.txt 和 sitemap.xml
Generate robots.txt and sitemap.xml in Next.js
git rev-parse HEAD alternative command in JGit
Java Stream API 解析 - 1
Java Stream API 解析 - 2
How to serve one jersey resource or jetty servlet for different path
How to set registry for yarn
HTTP POST
How to inspect HTTP/2 in Wireshark
如何用 Wireshark 监听 HTTP/2 流量
在 macOS 上如何通过 Kubernetes 安装 wiki.js
How to install wiki.js via Kubuernetes in macOS
Nginx Permission denied while connecting to upstream 解决办法
Java 中的软引用(SoftReference)、弱引用(WeakReference)和虚引用(PhantomReference) 解析和实际用例
Remote Debugging for Java Application
How to set environment variable to a Docker container
在群晖上搭建 Nexus 私有仓库
How to split string into array in Bash
使用 OWASP ZAP 扫描网页/API漏洞
Vagrant CentOS 国内镜像
Why we need to disable TRACE method and how to disable TRACE in Embedded Jetty
How to run single test in egg.js
Enable TeamCity support for egg.js project
Create TCP Tunnel/Port Forwarding by SSH
Pull Docker Images and Re-Tag
Expose RDP service by SSH port forwarding
Enable OWASP ZAP mTLS/Client Certificate
Powered By GitBook
How to enable mutual authentication in Jetty server
Enable mutual authentication/mTLS in Jetty server, Java mTLS, Jetty client authentication
mutual authentication is a common way to authentication your client or integrate with upstream/downstream services. This post will demostrate how to enable mutual authentication, or so-call mTLS in SSL, in Jetty server.
The overall source code is stored at https://github.com/lawrenceching/jetty-mtls-example.

Prepare Certificates

Change the password "changeit" in below commands if you generate a real certificate in production.
Run below commans to generate server and client certificates. It's notable that when terminal prompts your to input your first name and last name, input your domain name or ip address. It's mandatory that your hostname match your certificate.
I assume that you generate certs in src/main/resources where we normally do.
1
# Generate server keystore
2
keytool -genkey -alias server -keyalg RSA -keypass changeit -storepass changeit -keystore server.jks
3
4
# Export server certificate from server keystore and import it into truststore.
5
# Client need it to validate server certificate in mTLS.
6
keytool -export -alias server -storepass changeit -file server.cer -keystore server.jks
7
keytool -import -file ./server.cer -alias server -keystore client_truststore.jks
8
9
# ---
10
11
# Generate client keystore
12
keytool -genkey -alias client -keyalg RSA -keypass changeit -storepass changeit -keystore client.jks
13
14
# Export client certificate and import in into truststore.
15
# Server need it to validate client certificate in mTLS.
16
keytool -export -alias client -storepass changeit -file client.cer -keystore client.jks
17
keytool -import -file ./client.cer -alias client -keystore server_truststore.jks
18
19
# You you can convert them to PKCS12 or PEM format
20
keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -srcalias client -srcstoretype jks -deststoretype pkcs12
21
openssl pkcs12 -in client.p12 -nokeys -out client.crt
22
openssl pkcs12 -in client.p12 -nocerts -nodes -out client.key
23
24
Copied!

Configurate Client Certificate in Jetty Server

The key to Jetty is to configurate the SslContextFactory. Things are pretty straightforward. You set the KeyStore and KeyStore password, and then set the TrustStore and TrustStore password. You need to call setNeedClientAuth(true) to enable mTLS.
1
// https://github.com/lawrenceching/jetty-mtls-example/blob/master/src/main/java/me/imlc/JettyMtlsServer.java#L25-L32
2
SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
3
sslContextFactory.setKeyStorePath(this.getClass().getResource(
4
"/server.jks").toExternalForm());
5
sslContextFactory.setKeyStorePassword("changeit");
6
7
sslContextFactory.setTrustStorePath(this.getClass().getResource("/server_truststore.jks").toExternalForm());
8
sslContextFactory.setTrustStorePassword("changeit");
9
sslContextFactory.setNeedClientAuth(true);
Copied!

Verification

CURL

We usually use curl to be a test client. However curl doesn't know .jks file. So we need some convertion.
1
# Convert KeyStore to pkcs12 format
2
keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -srcalias client -srcstoretype jks -deststoretype pkcs12
3
4
# Convert private key and certificate to .key and .crt in PEM format
5
openssl pkcs12 -in client.p12 -nokeys -out client.crt
6
openssl pkcs12 -in client.p12 -nocerts -nodes -out client.key
7
8
# curl it!
9
curl -v -k https://localhost:8443 \
10
--cert ./client.crt \
11
--key ./client.key
12
13
# Or
14
curl -v -k --cert-type=P12 --cert ./client.p12 \
15
https://localhost:8443
Copied!

Java HTTP Client

Or you may want to call mTLS server in Java client. Here is an example using Jetty http client. You can find similar configuration in OkHttp or Apacha Http Client.
1
https://github.com/lawrenceching/jetty-mtls-example/blob/master/src/test/java/me/imlc/JettyMtlsServerTest.java#L26-L46
2
@Test
3
public void canAuthenticateClient() throws Exception {
4
SslContextFactory sslContextFactory = new SslContextFactory.Client();
5
sslContextFactory.setKeyStorePath(this.getClass().getResource(
6
"/client.jks").toExternalForm());
7
sslContextFactory.setKeyStorePassword("changeit");
8
9
sslContextFactory.setTrustAll(true);
10
11
sslContextFactory.setTrustStorePath(this.getClass().getResource(
12
"/client_truststore.jks").toExternalForm());
13
sslContextFactory.setTrustStorePassword("changeit");
14
15
HttpClient httpClient = new HttpClient(sslContextFactory);
16
17
18
httpClient.start();
19
20
ContentResponse response = httpClient.newRequest("https://localhost:8443")
21
.send();
22
23
assertThat(200, equalTo(response.getStatus()));
24
assertThat("Hello, world", equalTo(response.getContentAsString()));
25
26
httpClient.stop();
27
}
Copied!
Previous
How to install frp client in Kubernetes
Next
在国内如何拉取 quay.io 的镜像
Last modified 1yr ago
Copy link
Contents
Prepare Certificates
Configurate Client Certificate in Jetty Server
Verification