Tags: certificate, ibm-cloud, truststore, jks

Bluemix - How to add a Certificate to a Trust Store


I have a pure Java application that currently makes use of a .jks based key- and trust-store. To my understanding, the SSL protocol handling under Bluemix is done at the network side using a single port and a wild-card certificate for host and domain identification. My concern is regarding the use of the trust-store, where I used to add the certificates of the trusted partner nodes, like for example an identity provider. Is there a high-level upload tool available that helps to install a trusted certificate? With that available, the Java could limit its functionality to a very basic HTTP implementation, externally assisted by the cloud and its HTTP to HTTPS conversion mechanism that occurs at the dynamic port.

What is the best way to upload and activate a trusted server certificate into my application?

Thanks @david for sending the comments.

The application is a pure Java package that integrates an embedded web container and handles one single GUI page to initiate an OAuth 2.0 related authentication flow. Its design is similar to a cURL sequence, so it's basically a web service. To keep it lean, my intention was to avoid a web application server's complexity. SSL could be driven by the code itself, as I managed to pack the key- and trust-store into the cf push package, using the Maven package resource extension command which is able to copy a set of flat files, by their extension, like *.jks. The testing showed that the Java code is able to read it. My doubt is about the default SSL handling, which transfers SSL construction into the Bluemix proxy gateway, basically connecting with the application through a basic HTTP protocol (question: does the proxy act at the incoming path only?).

I did not find any documentation about the flow of outgoing SSL or mechanisms that describe how to store the trusted certificates that could assist the proxy. Further, does the keystore require a certificate that maps the wildcard of the *.mybluemix.net domain, or does it need a self-signed certificate?

Regarding error: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

I've isolated the SSL issue with JAVA_OPTS="-Djavax.net.debug=ssl" configured in the environment variable and repeated the application "push". The trace displayed an issue regarding unrestricted JCE strength, an incompatibility between the calling node (IdP) and the OpenJDK Java 8. Apparently my code is able to generate SSL through the use of local keystores. I will open a new report regarding the cryptography issue and will ask the community how to patch it.

Thanks @david for support to clarify the details about Bluemix and SSL proxy support and use of trust certificates.


Solution

  • There's no upload tool that I'm aware of, but assuming you're using Liberty, you should be able to just package a keystore with your server directory when you push it to Bluemix (typically in the resources/security dir). You'll have to configure the keystore element in your server.xml as described here. And you would have to re-push your app every time you need to modify the keystore (i.e., add a new cert), but that probably wouldn't be very often depending on your use case.
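Both the question (a pure Java package that ships its own .jks trust store in the cf push bundle) and the answer (package the keystore and re-push whenever a cert changes) come down to the same mechanism: the platform edge terminates inbound TLS, but an outbound HTTPS call made by the JVM, such as the one to the identity provider, is verified against whatever trust store that JVM is told to use. The following is an added example, not code from the original post or from IBM. It imports a partner's X.509 certificate into a JKS trust store (the programmatic equivalent of `keytool -importcert`), builds an `SSLContext` that trusts only that store, and runs the JCE key-length check that explains the restricted-policy error mentioned in the trace. The class name `TrustStoreTool` and all file names passed on the command line are hypothetical; nothing here depends on Liberty or Bluemix.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.crypto.Cipher;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (added example): maintain a JKS trust store and use it for outbound TLS. */
public final class TrustStoreTool {

    /** Load an existing JKS trust store, or start an empty one if the file does not exist yet. */
    static KeyStore loadOrCreate(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(path)) {
            try (InputStream in = Files.newInputStream(path)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, password); // initialise an empty store in memory
        }
        return ks;
    }

    /** Import one PEM- or DER-encoded X.509 certificate under an alias, as keytool -importcert would. */
    static X509Certificate importCertificate(KeyStore ks, String alias, Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certFile)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        cert.checkValidity();              // refuse an expired or not-yet-valid partner certificate up front
        ks.setCertificateEntry(alias, cert); // a trusted-certificate entry, no private key involved
        return cert;
    }

    /** Persist the store; the password protects the store's integrity, the entries themselves are public. */
    static void save(KeyStore ks, Path path, char[] password) throws Exception {
        try (OutputStream out = Files.newOutputStream(path)) {
            ks.store(out, password);
        }
    }

    /** Build an SSLContext whose trust decisions come only from this store, not from the JDK's cacerts. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material: trust only
        return ctx;
    }

    /** True when the JVM's JCE policy is unlimited; false means strong cipher suites will be refused. */
    static boolean jceUnlimited() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: TrustStoreTool <truststore.jks> <password> <alias> <partner-cert.pem> [https-url]");
            System.exit(2);
        }
        Path storePath = Paths.get(args[0]);
        char[] password = args[1].toCharArray();

        KeyStore ks = loadOrCreate(storePath, password);
        X509Certificate cert = importCertificate(ks, args[2], Paths.get(args[3]));
        save(ks, storePath, password);
        System.out.println("Trusted: " + cert.getSubjectX500Principal() + " until " + cert.getNotAfter());

        if (!jceUnlimited()) {
            System.out.println("JCE policy is restricted: AES keys above "
                    + Cipher.getMaxAllowedKeyLength("AES") + " bits are unavailable to this JVM");
        }

        // Optional: prove the store works by opening one outbound HTTPS connection with it.
        if (args.length > 4) {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[4]).openConnection();
            conn.setSSLSocketFactory(contextFor(ks).getSocketFactory());
            conn.connect();
            // Throws SSLPeerUnverifiedException if the peer did not present a chain we trust.
            System.out.println("Peer verified: " + conn.getPeerPrincipal());
            conn.disconnect();
        }
    }
}
```

The only certificates worth importing here are the partner's root or issuing CA, or its leaf if the partner pins a self-signed certificate; the application's own server certificate belongs in the key store, not the trust store, and the platform's wildcard certificate for the app's public host name is not needed in either, because that certificate is presented by the edge proxy on inbound connections only.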