The following Trust-stores/Keystores are used in Secrets-proxy application.
-
The default TLS server certificate for Keywhiz-Proxy application. This is a self-signed TLS cert with the following details.
- Common Name :
keywhiz-proxy.dev.oneops.com
- Key Password :
kwproxy-password
- Store Password :
kwproxy-password
For production deployment, contact your infosec team to get new TLS server certificate.
- Common Name :
-
The keywhiz automation mTLS client certificate. Used for all the keywhiz server automation API calls. Make sure the client has been registered and
automationAllowed=true
on the keywhiz server. The client cert has to be trusted by the same RootCA used on Keywhiz server.For production deployment, contact your infosec/keywhiz server team to get new TLS client certificate.
-
The keywhiz server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for all the keywhiz server admin/automation API calls.
For production deployment, use openssl to create trustore of your keywhiz server.
or you can use tool like InstallCerts to auto-generate trust-store from the TLS endpoint.
-
Your LDAP/AD server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for AD/LDAP user authentication APIs.
For production deployment, use openssl to create trustore of your AD/LDAP server.
or you can use tool like InstallCerts to auto-generate trust-store from the TLS endpoint.
-
Build the image
$ ./mvnw clean package $ docker build -t secrets-proxy:1.1.0 .
-
Run
$ docker run -it --rm --name secrets-proxy -p 8443:8443 -e name=Secrets-Proxy -d secrets-proxy:1.1.0 $ open https://localhost:8443/
-
Debugging and Logs
$ docker exec -it secrets-proxy sh # cd log/ /log # ls -ltrh total 64 drwxr-xr-x 2 root root 4.0K Aug 9 21:50 audit drwxr-xr-x 2 root root 4.0K Aug 9 21:50 access -rw-r--r-- 1 root root 54.0K Aug 9 21:51 keywhiz-proxy.log
set -o allexport source conf-file set +o allexport
$ ./mvnw clean package -P generate
# $ ./mvnw versions:display-dependency-updates
- Secrets Tools - https://github.com/oneops/secrets-proxy/releases/tag/tools
- JWT Token Verification - https://jwt.io/
- REST API References
- Move the automation client to Retrofit.
- X509 Authentication ??
- Update to the latest keysync.
- Feature toggles implementation.
- Http2/Grpc (May be with JDK 9)
- JTI claim to maintain list of blacklisted or revoked tokens.
- Springboot admin integration.
- https://twitter.com/springcentral/status/878264199729860608
- https://twitter.com/fintanr/status/877988573399531520
- https://www.jetbrains.com/research/devecosystem-2017/java/ (Check the Web framework section)
**Require Java 8 or later