We are currently using the embedded Tomcat server for running our Spring Boot web app. To enable HTTPS, we are setting the certificate-related configuration in a properties file. Using pom.xml, we package it:

```
mvn clean install -P PT # DEV, PT, UAT, Staging, DR, PROD
```

We package the code to a WAR file and run the app from the command line using:

```
java -jar our-spring-boot-wep.war
```
I have read several online articles on how to configure/enable HTTPS; they all use a similar configuration approach, as shown below, either internally or externally.

```
# Tomcat connector configuration
server.tomcat.port=8080
server.tomcat.ssl.enabled=true
server.tomcat.ssl.key-alias=cd-something.net
server.tomcat.ssl.key-store=certificates/cd-something.net.jks
server.tomcat.ssl.key-password=secret
server.tomcat.ssl.key-store-type=JKS
server.tomcat.ssl.trust-store=certificates/trustStore.jks
server.tomcat.ssl.trust-store-password=secret
```
Is there a way to hide/encrypt that information, such as the password? There are several different environments: DEV, PT, UAT, PROD. Each env has its own certificates/JKS file. What is the best practice to configure it? Thanks!
Your configuration properties must be unique per environment, and place the shared properties inside the WAR.

Sample:

/resources/application.properties

```
server.tomcat.port=8080
server.tomcat.ssl.enabled=true
server.tomcat.ssl.key-alias=cd-something.net
server.tomcat.ssl.key-store-type=JKS
```

/home/app/config/application.properties

```
server.tomcat.ssl.key-store=certificates/cd-something.net.jks
server.tomcat.ssl.key-password=secret
server.tomcat.ssl.trust-store=certificates/trustStore.jks
server.tomcat.ssl.trust-store-password=secret
```
This way, anyone accessing the code will only see the shared properties, and the specific passwords will only be readable if you have access to the server running the app.

I think this native way should work, and there are several key managers, like AWS Key Management, that you can explore.
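The split described in the answer, carried through as an added example (not code from the question or the answer): the non-secret settings go in the file packaged with the WAR, the keystore passwords go in a per-environment file outside it, and a preflight check refuses to start if a password key has leaked into the packaged file or the external file is readable by other users. It uses Spring Boot's standard `server.ssl.*` and `server.port` property names rather than the `server.tomcat.ssl.*` names quoted above, and the `--spring.config.additional-location` flag to layer the external directory over the packaged one. The temporary directory, the `CHANGE-ME` passwords and the `preflight`, `has_secrets` and `is_private` function names are constructed for this demo; the keystore paths are the ones from the answer.

```shell
#!/bin/sh
# Added example: split Spring Boot TLS properties into a packaged (shared) file
# and an external (per-environment, secret) file, then verify the split.
set -eu

# Constructed demo layout; in production the external file lives in
# /home/app/config/ as in the answer and is never committed or packaged.
WORK="${WORK:-$(mktemp -d)}"
SHARED="$WORK/resources/application.properties"   # packaged inside the WAR
EXTERNAL="$WORK/config/application.properties"    # per-environment, outside the WAR
mkdir -p "$(dirname "$SHARED")" "$(dirname "$EXTERNAL")"

# Shared, non-secret settings: identical for DEV, PT, UAT and PROD.
cat > "$SHARED" <<'EOF'
server.port=8080
server.ssl.enabled=true
server.ssl.key-alias=cd-something.net
server.ssl.key-store-type=JKS
EOF

# Environment-specific secrets; CHANGE-ME values are constructed placeholders.
# umask 077 makes the file owner-only from the moment it is created.
umask 077
cat > "$EXTERNAL" <<'EOF'
server.ssl.key-store=certificates/cd-something.net.jks
server.ssl.key-store-password=CHANGE-ME
server.ssl.trust-store=certificates/trustStore.jks
server.ssl.trust-store-password=CHANGE-ME
EOF
chmod 600 "$EXTERNAL"

# has_secrets FILE: exit 0 if FILE sets any *password* key outside a comment.
has_secrets() {
  grep -Eq '^[^#]*password[[:space:]]*=' "$1"
}

# is_private FILE: exit 0 if FILE's mode is exactly 600 (owner read/write only).
# Tries GNU stat first, then BSD stat.
is_private() {
  mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
  [ "$mode" = "600" ]
}

# preflight SHARED EXTERNAL: exit 0 when the split is safe to ship, 1 otherwise.
preflight() {
  if has_secrets "$1"; then
    echo "refusing to start: password key found in packaged $1" >&2
    return 1
  fi
  if ! is_private "$2"; then
    echo "refusing to start: $2 is readable by other users" >&2
    return 1
  fi
  return 0
}

preflight "$SHARED" "$EXTERNAL" && echo "preflight ok: $EXTERNAL is the only file holding passwords"

# Start the app with the external directory layered over the packaged properties
# (shown as a comment so this script runs without the WAR present):
# java -jar our-spring-boot-wep.war --spring.config.additional-location=file:"$WORK/config/"
```

Spring Boot applies the external file on top of the packaged one, so the same WAR can be promoted through DEV, PT, UAT and PROD with only the external file differing per host; the preflight turns the answer's "only readable if you have access to the server" into something the deployment actually enforces.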