Enabling Native TLS/SSL Support
* To run the application with native TLS/SSL support, you'll need the keytool utility bundled with OpenJDK.
* If the keytool utility wasn't installed with the JDK/JVM, you'll need to install it separately.
* You also need the OpenSSL utility for working with certificates.
* For self-signed certificates, you'll additionally need to install the root certificate of the certificate authority that issued them.
1. Using the OpenSSL utility, create a JVM keystore from your certificate/private key pair.
* After entering the command, you'll be asked to set a password for the keystore. Remember it, as you'll need it in step 3!
* For converting certificate formats other than PEM, refer to the OpenSSL utility documentation.
```sh
openssl pkcs12 -export -name <alias> -in <cert.crt> -inkey <cert.key> -out <keystore.p12>
```
| Parameter | Value | 
|---|---|
| pkcs12 | JVM keystore type. PKCS12 is recommended | 
| <alias> | Alias under which the certificate/key pair is stored in the keystore; you reference it in step 3 | 
| <cert.crt> | Path to the certificate file in PEM format | 
| <cert.key> | Path to the private key file in PEM format | 
| <keystore.p12> | Name of the JVM keystore | 
2. Using the keytool utility, add the root CA certificate to the JVM trusted keystore.
* If you're not using a self-signed certificate, you can skip this step: just install the standard CA certificates in your system.
* keytool asks for confirmation before importing the certificate; check that the fingerprint it prints matches your root CA before answering.
```sh
keytool -importcert -alias <rootCA> -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit -file <rootCA.crt>
```
| Parameter | Value | 
|---|---|
| <rootCA> | Alias under which the root CA certificate is stored in the trusted keystore | 
| /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts | Default path to the JVM trusted certificates keystore when openjdk-11-jdk is installed. The java-11-openjdk-amd64 directory name may vary depending on system architecture | 
| changeit | Default password for the JVM trusted certificates keystore | 
| <rootCA.crt> | Path to the root CA certificate file in PEM format | 
3. Open the GitFlic application's application.properties file and add the configuration parameters below, filled in with your values.
* Parameters marked as mandatory must be present in the file!
| Parameter | Mandatory | Value | Description | 
|---|---|---|---|
| server.ssl.enabled | Yes | true | Enable SSL support | 
| server.ssl.protocol | No | TLS | Use the TLS protocol | 
| server.ssl.key-store | Yes | file:\<path> | Absolute path to the keystore file created in step 1 | 
| server.ssl.key-store-type | Yes | pkcs12 | Keystore type | 
| server.ssl.key-store-password | Yes | <secret> | Password for the keystore created in step 1 | 
| server.ssl.key-alias | Yes | <alias> | Certificate/key pair alias specified in step 1 | 
| server.ssl.key-password | No | <secret> | Password for the certificate/key pair within the JVM keystore created in step 1, if one was set. By default, no password is set | 
| server.ssl.trust-store | No | file:\<path> | Absolute path to the JVM trusted certificates keystore file, if using a non-standard keystore | 
| server.ssl.trust-store-password | No | <secret> | Password for the JVM trusted certificates keystore, if using a non-standard keystore | 
| server.ssl.trust-store-type | No | pkcs12/jks | JVM trusted certificates keystore type | 
* For a complete list of all available TLS/SSL configuration parameters, see this page.
4. Start the GitFlic application. The web interface will be available at https://\<server.address>:\<server.port>
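The following script is an added example, not part of the GitFlic documentation or the GitFlic project: it runs steps 1 to 3 end to end against a throwaway test PKI (a private root CA and a server certificate it signs, generated by the script itself) and then checks the resulting application.properties fragment for the mandatory parameters from the table above. The alias `gitflic`, the host name `gitflic.example`, the password in `PW`, the environment variable `GITFLIC_TLS_DEMO` and the file names under the working directory are all assumptions of the example. It deviates from step 2 in one respect: instead of importing the root CA into the JVM's shared cacerts file, it builds a dedicated trust store and points `server.ssl.trust-store` at it, so the shared JVM trust settings stay untouched.

```shell
#!/bin/sh
# Added example (not GitFlic's own tooling). Runs steps 1-3 against a test PKI and
# validates the application.properties fragment. Needs openssl and keytool on PATH
# for the full pipeline; check_properties/write_properties work without them.
# Assumed: alias "gitflic", host gitflic.example, password PW, env var GITFLIC_TLS_DEMO.

MANDATORY_KEYS="server.ssl.enabled server.ssl.key-store server.ssl.key-store-type server.ssl.key-store-password server.ssl.key-alias"

# Test-only step: a private root CA and a server certificate signed by it.
make_test_pki() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt" \
        -subj "/CN=Test Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    # Modern clients require a subjectAltName, so it is added when the CA signs the CSR.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Step 1: certificate + private key -> PKCS12 keystore (the page's openssl command,
# with the password supplied non-interactively via -passout).
build_keystore() {
    dir=$1; alias=$2; pw=$3
    # With an intermediate CA, add "-certfile chain.crt" so the server presents the full chain.
    openssl pkcs12 -export -name "$alias" \
        -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/keystore.p12" -passout "pass:$pw"
}

# Step 2: trust the root CA in a dedicated PKCS12 trust store instead of editing cacerts.
build_truststore() {
    dir=$1; pw=$2
    keytool -importcert -noprompt -alias testRootCA \
        -file "$dir/rootCA.crt" -keystore "$dir/truststore.p12" \
        -storetype PKCS12 -storepass "$pw" >/dev/null
}

# Step 3: the application.properties fragment, printed to stdout.
write_properties() {
    dir=$1; alias=$2; pw=$3
    cat <<EOF
server.ssl.enabled=true
server.ssl.protocol=TLS
server.ssl.key-store=file:$dir/keystore.p12
server.ssl.key-store-type=pkcs12
server.ssl.key-store-password=$pw
server.ssl.key-alias=$alias
server.ssl.trust-store=file:$dir/truststore.p12
server.ssl.trust-store-password=$pw
server.ssl.trust-store-type=pkcs12
EOF
}

# Pre-flight check before starting GitFlic: every mandatory parameter present,
# SSL actually enabled, and the keystore given as an absolute path with the file: prefix.
check_properties() {
    file=$1
    for key in $MANDATORY_KEYS; do
        grep -q "^$key=" "$file" || { echo "missing mandatory parameter: $key" >&2; return 1; }
    done
    grep -q '^server.ssl.enabled=true$' "$file" || { echo "server.ssl.enabled must be true" >&2; return 1; }
    grep -q '^server.ssl.key-store=file:/' "$file" || { echo "server.ssl.key-store must be file:<absolute path>" >&2; return 1; }
    return 0
}

# Full pipeline in a working directory; lists the keystore at the end as a sanity check.
run_pipeline() {
    dir=$1; pw=${PW:-test-keystore-password}
    make_test_pki "$dir" gitflic.example
    build_keystore "$dir" gitflic "$pw"
    build_truststore "$dir" "$pw"
    write_properties "$dir" gitflic "$pw" > "$dir/application.properties"
    check_properties "$dir/application.properties"
    keytool -list -keystore "$dir/keystore.p12" -storetype PKCS12 -storepass "$pw"
}

# Usage: GITFLIC_TLS_DEMO=run sh tls-setup.sh
if [ "${GITFLIC_TLS_DEMO:-}" = "run" ]; then
    run_pipeline "$(mktemp -d)"
fi
```

The `keytool -list` at the end should show exactly one `PrivateKeyEntry` under the alias `gitflic`; if it shows a `trustedCertEntry` instead, the private key was not included in the PKCS12 export and the server will fail to start. Copy the printed `application.properties` lines into the real file and change the paths to the final keystore location, since `server.ssl.key-store` must be absolute.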
Automatic Translation!
This page has been translated using automated tools. The text may contain inaccuracies.