truststore | Package to locally install development certificates | TLS library

I am trying to use kafka rest proxy for AWS MSK cluster.

MSK Encryption details:

Within the cluster

TLS encryption: Enabled

Between clients and brokers

TLS encryption: Enabled

Plaintext: Not enabled

I have created topic "TestTopic" on MSK and then I have created another EC2 instance in the same VPC as MSK to work as Rest proxy. Here are details from kafka-rest.properties:

Small question regarding Spring Cloud Config Client and Server, especially in the scenario when BOTH are mTLS enabled.

First of all, the server. On server side, since he is the first that has to be up, server has in properties file, the keystore and truststore, alongside passwords, in order to start mTLS.

Now, the client. The reason to chose Spring Cloud Config in the first place is that we can store properties in git, Vault, etc...

That way, the property file of client should be super light, just enough information to connect to the server, such as just spring.config.import=optional:configserver:http://localhost:8888

However, when mTLS is enabled at server side, then, by definition, the client needs the proper keystore and truststore (that is store in Git, Vault)

This is I believe a chicken end egg problem, since: In order to start the client, client needs to retrieve the keystore and truststore and password from Git, Vault, by connecting to the server.

But in order to connect to the server, it needs keystore and truststore and password.

Currently, it can work if on client side, the basic property file has

I have Zookeeper and Apache Kafka servers running on my Windows computer. The problem is with a Spring Boot application: it reads the same messages from Kafka whenever I start it. It means the offset is not being saved. How do I fix it?

Versions are: kafka_2.12-2.4.0, Spring Boot 2.5.0.

In Kafka listener bean, I have

I am trying to create HTTP and HTTPS endpoint in one of my web service. I want secure few endpoints with HTTPS and other endpoints with plain HTTP.

I am using the below code to do the same.

I'm adding X.509 Mutual Certificate authentication into the project. The specific case here is that one client (let's say manager) can access several service instances (servers). Each server has its own certificate. When providing a policy.xml configuration on client side should be set to server's alias certificate stored in client's trustore. It's not a problem when the server is only one but when client need to access specific server, an appropriate server's public key should be used for encryption so I need to provide a proper alias from the truststore. I was thinking to programmarically change Rampart configuration on each request to set a specific alias name but this looks like not a proper way to do. I'm looking for a standard approach here or, perhaps, some way to configure that in policy.xml My client's (manager's) Rampart configuration part from policy.xml is below

I'm trying to make a request to create a new user in WSO2 Identity Server but I can't connect to the api:

I want to make Flow Definitions portable by replacing absolute file paths to relative in below items

1. Script Path Property of all ExecuteScript Processors
2. Database Driver Location(s) property of DBCPConnectionPool Controller Services
3. Keystore Filename & Truststore Filename properties of StandardRestrictedSSLContextService Controller Services

Questions:

1. Is it possible to use Relative Paths in above items?
2. Where does the root of relative path point to - nifi installation directory?
3. What are best practices for managing paths in flow defitions?
4. Any other best practices for making flow definitions portable

EDIT: We're using parameters in Flow Definitions to make it easier to configure per environment. Currently we have a param to indicate Nifi root path. Te motive behind this question is to check if this param can eliminated entirely by using relative paths.

I am trying to setup https on the curity server with letsencrypt certificates. I would like to automate it so that when the certificate expires curity can read and use that new certificate (possibly without reloading.)

Currently I am unable to get the certificates imported into curity. I have created the /etc/init/crypto/signer-truststores and /etc/init/crypto/ssl-server-truststore directories and have copied my cert.pem into signer-truststores and fullchain.pem into ssl-server-truststore names as mydomain.com.pem. As states in https://curity.io/docs/idsvr/latest/system-admin-guide/crypto/index.html?highlight=https add certificates into these locations and curity will auto import them.

Furthermore on the link above it says

"IMPORTANT: The server needs to be started with the appropriate start-up arguments to consider reloading configuration files, please for more information please see Server Configuration overview."

I click on the link to Server Configuration and don't see anywhere what to add to get curity to import these certificates.

Can someone tell me where I need to place my certificates (so that I can automatically create a bash script to do it for me when keys expire) and so that curity will import them?

Edit: I have tried creating a certificate with privkey.pem and cert.pem. The site is now secured but I still do not know how to import https certificates through localfiles.

I was trying to upgrade our working Karate tests from the 0.9.6 karate version to the 1.0.x version. I have defined the Keystores and truststores in the feature file using the ssl configuration and they work fine in the 0.9.6 version of karate. When I change to utilize the 1.0.x version of karate, I receive a PKIX Path Building failure:

javax.net.ssl|ERROR|1B|pool-1-thread-1|2021-05-22 17:18:20.212 CDT|TransportContext.java:318|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ( "throwable" : {
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've added breakpoints in the karate ApacheHttpClient class and I can see that the Keystore and TrustStores are being set, as well as verifying that the trusted certs are being added as trusted certificates when running with -Djavax.net.debug=all.

I've even added the specific server cert that is being sent to the trust store. I cannot seem to find the root cause of why I am receiving a PKIX failure on the 1.0.x version of karate, yet the exact same configuration works fine in the 0.9.6 version. I have also validated the CAs from the full chain of the server cert being sent is included in my trust store. It seems that maybe my trust store is being ignored once the request is sent.

Any thoughts about what might be different for TLS connections in karate 1.0.x? As far as I can tell from the docs, the ssl configuration options have not changed.

Reproduced with Karate Demo: https://github.com/intuit/karate/tree/v1.0.1/karate-demo/src/test/java/ssl

I made some tweaks to the karate demo SSL tests to show the issue with having Scenario Outline and the connectTimeout or readTimeout set:

karate-config.js: