Disable inter-cluster SSL
Overview (This section is applicable only to Initializr-based projects)
With an Initializr-based project, Broadleaf generates an initial starting point with sensible and secure defaults, allowing you, the implementor, to easily dial up the security settings if needed or to make a conscious choice to dial down certain security measures when that is appropriate for your needs. One of the defaults the Initializr-based project sets up for you is a set of pre-generated inter-service SSL certs.
More information about this process can be found here: https://developer.broadleafcommerce.com/production/initializr-security#inter_service_ssl_certs
Steps to Disable SSL behind the Ingress
Spring Boot Resource Services
For a majority of the backend Java Spring Boot microservices, you will notice that the generated keystore and truststore files are placed in your `security` directory. Any credentials used to authenticate with the keystore and truststore are encrypted and placed in your `config` folder, which contains both a `secure` and an `insecure` folder.
So, in order to disable SSL with these defaults, you should just disable SSL at the Spring Service layer by adding the following configuration to your application configuration files:
```yaml
server:
  ssl:
    enabled: false
```
React Storefront and Admin Console
The storefront and admin starters come pre-configured with a Node server that listens on HTTPS by default. To disable this, you'll want to look at your main Node sample Express server configuration (e.g. `index.js`), remove the references to `https` and replace them with `http`. Your server initialization script may then look something like:
```javascript
http
  .createServer({}, app)
  .listen(PORT, function() {
    logger.info(`Express is now listening on port ${PORT} and the gateway on port ${GATEWAY_PORT}.`);
    logger.info(`The application should be accessible at ${GATEWAY_HOST}:${GATEWAY_PORT}.`);
  });
```
Gateway Routes
Now that all the backing services have been updated to listen on HTTP, you'll also want to make sure that all the Gateway routes are updated to match. For example, on the storefront "commerce gateway" you'll want to update all applicable route configurations to be something like:
NOTE: with Initializr, these gateway routes can be found in the generated `config/insecure/gateway-local.yml` and `config/insecure/gateway-cloud.yml` files.
```yaml
broadleaf:
  gateway:
    proxyurls:
      asset: http://localhost:8447
      authapi: http://localhost:8080
      auth: http://localhost:8080
      campaign: http://localhost:8451
      cartoperation: http://localhost:8447
      catalog: http://localhost:8447
      commerceweb: http://localhost:4000
      menu: http://localhost:8447
      offer: http://localhost:8447
      personalization: http://localhost:8447
      pricing: http://localhost:8447
      sandbox: http://localhost:8447
      search: http://localhost:8447
      tenant: http://localhost:8447
      customer: http://localhost:8447
      catalogbrowse: http://localhost:8447
      notification: http://localhost:8447
      inventory: http://localhost:8447
      orderoperation: http://localhost:8447
```
---
Overview (This section is applicable only to Legacy MicroservicesDemo based projects)
In general when deploying to a Kubernetes cluster, we recommend terminating SSL at the ingress. It is up to your implementation and infrastructure requirements whether or not to keep SSL communication between services within the cluster. The default MicroservicesDemo Flex Package starter projects are configured with SSL enabled for all communication using some default self-signed certs. You can choose to disable this by following these general directions:
Steps to Disable SSL behind the Ingress
Spring Boot Resource Services
For a majority of the backend Java Spring Boot microservices, you will notice that the `pom.xml` contains a Maven profile called `keygen` which loads the `keytool-maven-plugin`. This profile is marked as "active by default" and runs during the `generate-resources` phase of the Maven lifecycle. After a build, you should notice a `local.keystore` file that is generated using the configuration defined for this plugin in your `src/main/resources` folder.
The generated keystore holds a self-signed cert and is typically referenced in your main `application.yml` file. So, in order to disable SSL with this self-signed cert, you should just remove the following configuration from your application configuration file:
```yaml
server:
  ssl:
    key-store: classpath:local.keystore
    key-store-password: storepass
```
and then remove the plugin that generates the local keystore from the maven build.
React Storefront and Admin Console
The storefront and admin starters come pre-configured with a Node server that listens on HTTPS by default. To disable this, you'll want to look at your main Node sample Express server configuration (e.g. `index.js`), remove the references to `https` and replace them with `http`. Your server initialization script may then look something like:
```javascript
http
  .createServer({}, app)
  .listen(PORT, function() {
    logger.info(`Express is now listening on port ${PORT} and the gateway on port ${GATEWAY_PORT}.`);
    logger.info(`The application should be accessible at ${GATEWAY_HOST}:${GATEWAY_PORT}.`);
  });
```
Gateway Routes
Now that all the backing services have been updated to listen on HTTP, you'll also want to make sure that all the Gateway routes are updated to match. For example, on the storefront "commerce gateway" you'll want to update all applicable `application.yml` configurations to be something like:
```yaml
broadleaf:
  gateway:
    proxyurls:
      asset: http://localhost:8447
      authapi: http://localhost:8080
      auth: http://localhost:8080
      campaign: http://localhost:8451
      cartoperation: http://localhost:8447
      catalog: http://localhost:8447
      commerceweb: http://localhost:4000
      menu: http://localhost:8447
      offer: http://localhost:8447
      personalization: http://localhost:8447
      pricing: http://localhost:8447
      sandbox: http://localhost:8447
      search: http://localhost:8447
      tenant: http://localhost:8447
      customer: http://localhost:8447
      catalogbrowse: http://localhost:8447
      notification: http://localhost:8447
      inventory: http://localhost:8447
      orderoperation: http://localhost:8447
```