Spring Boot's documentation specifies a few simple configuration additions to the application.properties file to enable https. However, in my experience these were insufficient to make the DXA Spring Boot application connect to the Tridion Sites microservices over https.
The alternative working approach involved extending the embedded Tomcat application server by setting some properties against the Connector and Http11NioProtocol.
The following bespoke properties were added to the dxa.properties file.
# Tomcat connector configuration
server.tomcat.port=8080
server.tomcat.ssl.enabled=true
server.tomcat.ssl.key-alias=ssl-key-alias.com
server.tomcat.ssl.key-store=certificates/key-store-file.jks
server.tomcat.ssl.key-password=SslKeyPassw0rd!
server.tomcat.ssl.key-store-type=JKS
server.tomcat.ssl.trust-store=certificates/trustStore.jks
server.tomcat.ssl.trust-store-password=SslTrustStorePassw0rd!
server.tomcat.ssl.certificate-fs-store-location=DXA/certificates
The certificate files are placed within the /src/main/resources/certificates folder in the application. This means these files will be embedded in the built WAR file inside the /certificates folder.
The certificate files cannot be referenced using the absolute path when deployed by Spring Boot inside an embedded Tomcat application server, so these need to be written to the file system onto the location specified by the server.tomcat.ssl.certificate-fs-store-location property.
IMPORTANT NOTE: if using Maven with a <resource> configuration entry specifying <filtering>true</filtering>, this will cause the certificate files (.jks in this example) to become corrupted.
The bespoke properties are referenced in the Spring Boot application using the @Value annotation.
@Value("${server.tomcat.port}")
private Integer port;
@Value("${server.tomcat.ssl.enabled:false}")
private boolean enableSsl;
@Value("${server.tomcat.ssl.key-alias:}")
private String sslKeyAlias;
@Value("${server.tomcat.ssl.key-store:}")
private String sslKeyStore;
@Value("${server.tomcat.ssl.key-password:}")
private String sslKeyPassword;
@Value("${server.tomcat.ssl.key-store-type:}")
private String sslKeyStoreType;
@Value("${server.tomcat.ssl.trust-store:}")
private String sslTrustStore;
@Value("${server.tomcat.ssl.trust-store-password:}")
private String sslTrustStorePassword;
@Value("${server.tomcat.ssl.certificate-fs-store-location:}")
private String certificateFileSystemStoreLocation;
An org.springframework.core.io.ResourceLoader is autowired to support reading the .jks certificate files from the configured location (i.e. certificates/key-store-file.jks).
The customization is implemented by invoking the addConnectorCustomizers method against the TomcatEmbeddedServletContainerFactory as shown below.
@Bean
public EmbeddedServletContainerCustomizer addConnectorCustomizers(){
return container -> {
if(container instanceof TomcatEmbeddedServletContainerFactory){
TomcatEmbeddedServletContainerFactory factory =
(TomcatEmbeddedServletContainerFactory)container;
factory.addConnectorCustomizers(connector -> {
connector.setPort(port);
if (enableSsl) {
Http11NioProtocol protocol =
(Http11NioProtocol)connector.getProtocolHandler();
connector.setScheme("https");
connector.setSecure(true);
protocol.setSSLEnabled(true);
try {
FileSystemResource keyStoreFile = new
FileSystemResource(getResource(sslKeyStore,
sslKeyPassword));
FileSystemResource trustStoreFile = new
FileSystemResource(getResource(sslTrustStore,
sslTrustStorePassword));
System.setProperty("javax.net.ssl.trustStore",
trustStoreFile.getFile().getAbsolutePath());
System.setProperty("javax.net.ssl.trustStorePassword",
sslTrustStorePassword);
protocol.setKeyAlias(sslKeyAlias);
protocol.setKeyPass(sslKeyPassword);
protocol.setKeystoreFile(keyStoreFile.getFile()
.getAbsolutePath());
protocol.setKeystorePass(sslKeyPassword);
protocol.setTruststoreFile(trustStoreFile.getFile()
.getAbsolutePath());
protocol.setTruststorePass(sslTrustStorePassword);
}
catch (Exception exception) {
throw new RuntimeException(
"Error setting up the SSL configuration [" +
exception.getMessage() + "]");
}
}
});
}
};
}
Resources
For completeness, the supporting code and property extracts can be found here.