Enabling Native TLS/SSL Support
- To run the application with native TLS/SSL encryption protocol support, you'll need the keytool utility bundled with OpenJDK.
- If the keytool utility wasn't installed with JDK/JVM, you'll need to install it separately.
- You also need to install the OpenSSL utility for working with certificates.
- For self-signed certificates, you'll additionally need to install the root certificate of the certificate authority.
1. Using the OpenSSL utility, create a JVM keystore from your certificate/private key pair and store the certificate information in it.
   - After entering the command, you will be prompted to set a password for the keystore. Remember it; you will need it again in step 3.
   - For converting certificate formats other than PEM, refer to the OpenSSL utility documentation.

```shell
openssl pkcs12 -export -name <alias> -in <cert.crt> -inkey <cert.key> -out <keystore.p12>
```
| Parameter | Value |
|---|---|
| pkcs12 | JVM keystore type; PKCS12 is recommended |
| <alias> | Alias used to look the entry up in the keystore |
| <cert.crt> | Path to the certificate file in PEM format |
| <cert.key> | Path to the private key file in PEM format |
| <keystore.p12> | Name of the JVM keystore file to create |
2. Using the keytool utility, add the root CA certificate to the JVM trusted certificates keystore.
   - If you are not using a self-signed certificate, you can skip this step: install the standard CA certificates in your system instead.
   - If you prefer not to modify the JVM's own cacerts file, import the root CA into a separate keystore and point server.ssl.trust-store at it in step 3.

```shell
keytool -importcert -alias <rootCA> -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit -file <rootCA.crt>
```

| Parameter | Value |
|---|---|
| <rootCA> | Alias used to look the entry up in the keystore |
| /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts | Default path to the JVM trusted certificates keystore when openjdk-11-jdk is installed. The java-11-openjdk-amd64 directory name may vary with the system architecture |
| changeit | Default password of the JVM trusted certificates keystore |
| <rootCA.crt> | Path to the certificate file in PEM format |
3. Open the GitFlic application's application.properties file and add the configuration parameters according to your data.
   - Parameters marked as mandatory must be present in the file!

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| server.ssl.enabled | Yes | true | Enable SSL support |
| server.ssl.protocol | No | TLS | Protocol to use |
| server.ssl.key-store | Yes | file:\<path> | Absolute path to the keystore file created in step 1 |
| server.ssl.key-store-type | Yes | pkcs12 | Keystore type |
| server.ssl.key-store-password | Yes | <secret> | Password for the keystore created in step 1 |
| server.ssl.key-alias | Yes | <alias> | Certificate/key pair alias specified in step 1 |
| server.ssl.key-password | No | <secret> | Password for the certificate/key pair inside the JVM keystore created in step 1, if one was set. By default no password is set |
| server.ssl.trust-store | No | file:\<path> | Absolute path to the JVM trusted certificates keystore file, if using a non-standard keystore |
| server.ssl.trust-store-password | No | <secret> | Password for the JVM trusted certificates keystore, if using a non-standard keystore |
| server.ssl.trust-store-type | No | pkcs12/jks | JVM trusted certificates keystore type |
* For a complete list of all available TLS/SSL configuration parameters, see this page.
4. Start the GitFlic application. The web interface will be available at https://\<server.address>:\<server.port>
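Before starting the application, it is worth checking that the configuration written in step 3 actually satisfies the table: every mandatory parameter present, the keystore path given as an absolute file: URL, the keystore file from step 1 really on disk, and the type set to pkcs12. The script below is an added example and not part of the GitFlic project; the helper names (prop_get, check_ssl_props, make_sample_config), the keystore name, the alias and the password are constructed for the example.

```shell
#!/bin/sh
# Added example (not GitFlic's own code): pre-start check of the server.ssl.*
# parameters in application.properties against the requirements of step 3.
# All file names, the alias and the password below are constructed samples.

# Read the value of one key from a properties file (last occurrence wins).
prop_get() {
    # Escape the dots so "server.ssl.key-store" is matched literally.
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$1" \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Return 0 when the mandatory TLS settings are present and consistent, 1 otherwise.
check_ssl_props() {
    props="$1"
    rc=0
    for key in server.ssl.enabled server.ssl.key-store server.ssl.key-store-type \
               server.ssl.key-store-password server.ssl.key-alias; do
        if [ -z "$(prop_get "$props" "$key")" ]; then
            echo "missing mandatory parameter: $key" >&2
            rc=1
        fi
    done
    if [ "$(prop_get "$props" server.ssl.enabled)" != "true" ]; then
        echo "server.ssl.enabled must be true" >&2
        rc=1
    fi
    ks="$(prop_get "$props" server.ssl.key-store)"
    case "$ks" in
        file:/*)
            # Strip the prefix and make sure the keystore from step 1 exists.
            if [ ! -f "${ks#file:}" ]; then
                echo "keystore file not found: ${ks#file:}" >&2
                rc=1
            fi ;;
        *)
            echo "server.ssl.key-store must be file:/absolute/path, got '$ks'" >&2
            rc=1 ;;
    esac
    ks_type="$(prop_get "$props" server.ssl.key-store-type | tr 'A-Z' 'a-z')"
    if [ "$ks_type" != "pkcs12" ]; then
        echo "server.ssl.key-store-type should be pkcs12, got '$ks_type'" >&2
        rc=1
    fi
    return $rc
}

# Build a constructed sample: a placeholder keystore file (not a real PKCS12
# file) and an application.properties laid out as in the step 3 table.
# Prints the directory it created.
make_sample_config() {
    dir="$(mktemp -d)"
    : > "$dir/keystore.p12"
    cat > "$dir/application.properties" <<EOF
server.ssl.enabled=true
server.ssl.protocol=TLS
server.ssl.key-store=file:$dir/keystore.p12
server.ssl.key-store-type=pkcs12
server.ssl.key-store-password=sample-keystore-password
server.ssl.key-alias=gitflic
EOF
    echo "$dir"
}

# Usage: validate the constructed sample before starting the application.
sample_dir="$(make_sample_config)"
check_ssl_props "$sample_dir/application.properties" && echo "TLS configuration looks complete"
```

Run it against your real application.properties by calling check_ssl_props with that path; each problem is reported on stderr and the exit status is non-zero, so it can sit in front of the service start in an init script.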
Using a privileged port

By default, ports below 1024 are privileged on Linux, so a Java process running as an unprivileged user cannot bind them. To use port 80 or 443, grant the Java binary the capability to bind privileged ports with the following command (this action is potentially dangerous: the capability applies to every process started from that java binary, not only to GitFlic):

```shell
sudo setcap 'cap_net_bind_service=+ep' $(readlink -f $(which java))
```
In this case, the Web interface will be available at https://\
Automatic Translation!
This page has been translated using automated tools. The text may contain inaccuracies.