Disable inter-cluster SSL
Overview (This section is applicable only to Initializr-based projects)
With an Initializr-based project, Broadleaf generates an initial starting point that produces sensible and secure defaults allowing you the implementor to easily dial up the security needs if needed or make a conscious choice to dial down certain security measures when it seems appropriate for your needs. One of the defaults that the initializr-based project sets up for you includes pre-generated inter-service SSL certs.
More information about this process can be found here: https://developer.broadleafcommerce.com/production/initializr-security#inter_service_ssl_certs
Steps to Disable SSL behind the Ingress
Spring Boot Resource Services
For a majority of the backend Java Spring Boot microservices, you will notice that the generated keystore and truststore files are generated and placed in your securitydirectory. Any credentials to authenticate with the keystore and truststore are encrypted and placed in your config folder containing both a secure and insecure folder.
So, in order to disable SSL with these defaults, you should just disable SSL at the Spring Service layer by adding the following configuration to your application configuration files:
server:
ssl:
enabled: false
React Storefront and Admin Console
The storefront and admin starters come pre-configured with a node server that listens on Https by default. To disable this, you'll want look at your main Node sample express server configuration (e.g. in the index.js) file and remove references to `https` and replace them with `http`. So your server initialization script may look something like:
http
.createServer(
{
},
app
)
.listen(PORT, function() {
logger.info(
`Express is now listening on port ${PORT} and the gateway on port ${GATEWAY_PORT}.`
);
logger.info(
`The application should be accessible at ${GATEWAY_HOST}:${GATEWAY_PORT}.`
);
});
Gateway Routes
Now that all the backing services have been updated to listen on http, you'll also want to make sure that all the Gateway routes are properly updated as well. For example, on the storefront "commerce gateway" - you'll want to make sure and update all applicable route configurations to be something like:
NOTE: with initializr, these gateway routes can be found in your config/insecure/gateway-local.yml file and your config/insecure/gateway-cloud.yml generated files
broadleaf:
gateway:
proxyurls:
asset: http://localhost:8447
authapi: http://localhost:8080
auth: http://localhost:8080
campaign: http://localhost:8451
cartoperation: http://localhost:8447
catalog: http://localhost:8447
commerceweb: http://localhost:4000
menu: http://localhost:8447
offer: http://localhost:8447
personalization: http://localhost:8447
pricing: http://localhost:8447
sandbox: http://localhost:8447
search: http://localhost:8447
tenant: http://localhost:8447
customer: http://localhost:8447
catalogbrowse: http://localhost:8447
notification: http://localhost:8447
inventory: http://localhost:8447
orderoperation: http://localhost:8447
---
Overview (This section is applicable only to Legacy MicroservicesDemo based projects)
In general when deploying to a Kubernetes cluster, we recommend terminating SSL at the ingress. It is up to your implementation and infrastructure requirements whether or not to keep SSL communication between services within the cluster. The default MicroservicesDemo Flex Package starter projects are configured with SSL enabled for all communication using some default self-signed certs. You can choose to disable this by following these general directions:
Steps to Disable SSL behind the Ingress
Spring Boot Resource Services
For a majority of the backend Java Spring Boot microservices, you will notice that the pom.xml will contain a maven profile called keygen which loads the keytool-maven-plugin . This is marked as "active by default" and will run during the generate-resources phase of the maven lifecycle. After a build, you should notice a local.keystore file that is generated using the configurations defined for this plugin in your src/main/resources folder.
The generated keystore file is a self-signed cert and is typically referenced in your main application.yml file. So, in order to disable SSL with this self-signed cert, you should just remove the following configuration in your application configuration file:
server:
ssl:
key-store: classpath:local.keystore
key-store-password: storepass
and then remove the plugin that generates the local keystore from the maven build.
React Storefront and Admin Console
The storefront and admin starters come pre-configured with a node server that listens on Https by default. To disable this, you'll want look at your main Node sample express server configuration (e.g. in the index.js) file and remove references to `https` and replace them with `http`. So your server initialization script may look something like:
http
.createServer(
{
},
app
)
.listen(PORT, function() {
logger.info(
`Express is now listening on port ${PORT} and the gateway on port ${GATEWAY_PORT}.`
);
logger.info(
`The application should be accessible at ${GATEWAY_HOST}:${GATEWAY_PORT}.`
);
});
Gateway Routes
Now that all the backing services have been updated to listen on http, you'll also want to make sure that all the Gateway routes are properly updated as well. For example, on the storefront "commerce gateway" - you'll want to update all applicable application.yml configurations to be something like:
broadleaf:
gateway:
proxyurls:
asset: http://localhost:8447
authapi: http://localhost:8080
auth: http://localhost:8080
campaign: http://localhost:8451
cartoperation: http://localhost:8447
catalog: http://localhost:8447
commerceweb: http://localhost:4000
menu: http://localhost:8447
offer: http://localhost:8447
personalization: http://localhost:8447
pricing: http://localhost:8447
sandbox: http://localhost:8447
search: http://localhost:8447
tenant: http://localhost:8447
customer: http://localhost:8447
catalogbrowse: http://localhost:8447
notification: http://localhost:8447
inventory: http://localhost:8447
orderoperation: http://localhost:8447
Comments
0 comments
Please sign in to leave a comment.