Oracle Cloud Infrastructure Documentation

Service Mesh: Configure client mTLS

In this tutorial, configure a Oracle Cloud Infrastructure (OCI) Service Mesh ingress gateway to support mTLS encrypted connections from a web browser.

Key tasks include how to:

  • Issue the required certificates for mTLS.
  • Issue the required certificate authority bundle.
  • Configure mTLS for your ingress gateway.
  • Configure your browser for mTLS support.
  • Connect from your browser to the BookInfo application over a secure connection.
Figure 1. BookInfo Application on Service Mesh
A diagram of the components needed to run a Spring Boot app on Oracle Cloud Infrastructure Kubernetes Engine
Note

The gray rectangular boxes in the picture represent virtual deployments in the application. The named virtual deployments include: Product Page, Details, Reviews v1 to v3, and Ratings.

For additional information, see:

1. Prepare

Prepare your environment to create and deploy your application.

Gather Required Information

Collect the following information from the Oracle Cloud Infrastructure Console.

  • The OCID for your Service Mesh compartment.
  • The ingress gateway certificate OCID once the certificate is created.
  • The bookinfo CA Bundle OCID once the bundle is created.

2. Create and Configure Certificates for your Ingress Gateway

Create and configure the certificates needed for your ingress gateway.

Note

The steps assume you have a Certificate Authority called mesh-demo-ca for the Mesh. The Certificate Authority issues certificates for the mTLS between ingress gateway and browser.
Steps to Create and Configure Certificates for your Ingress Gateway

Follow these steps to create the required certificates and configure your application.

Issue a Certificate for the Ingress Gateway

To create a certificate for your ingress gateway, perform the following steps:

  1. Open the navigation menu and click Identity & Security. Under Certificates, click Certificate Authorities.
  2. Select the compartment where the certificate authority is located.
  3. Select your certificate authority: mesh-demo-ca
  4. Click Issue Certificate.
  5. Fill out the Basic Information dialog:
    • Compartment: <Select-your-Compartment>
    • Certificate Type: Issued by internal CA
    • Name: bookinfo-ingress
    • Description: Add your description (Optional)
      Note

      Avoid entering confidential information.
    Note

    This example, uses bookinfo-ingress for the certificate name. When implementing your own certs, create your own unique name for the cert.
  6. Click Next.
  7. Fill out the Subject Information dialog:
    • Common name: bookinfo.example.com
    • Subject Alternative Names: <leave-blank>
  8. Click Next
  9. Fill out the Certificate Configuration dialog:
    • Certificate Profile type: TLS Server or Client
    • Other fields: <take-defaults>
  10. Click Next
  11. Fill out the Rules dialog:
    • All fields: <take-defaults>
  12. Click Next
  13. Review your choices in the Summary dialog.
  14. Click Create Certificate.

Issue a Certificate for the Browser

To create a certificate for browsers, perform the following steps:

  1. Open the navigation menu and click Identity & Security. Under Certificates, click Certificate Authorities.
  2. Select the compartment where the certificate authority is located.
  3. Select your certificate authority: mesh-demo-ca
  4. Click Issue Certificate.
  5. Fill out the Basic Information dialog:
    • Compartment: <Select-your-Compartment>
    • Certificate Type: Issued by internal CA
    • Name: bookinfo-client
    • Description: Add your description (Optional)
      Note

      Avoid entering confidential information.
    Note

    This example, uses bookinfo-client for the certificate name. When implementing your own certs, create your own unique name for the cert.
  6. Click Next.
  7. Fill out the Subject Information dialog:
    • Common name: bookinfo-client
    • Subject Alternative Names: <leave-blank>
  8. Click Next
  9. Fill out the Certificate Configuration dialog:
    • Certificate Profile type: TLS Server or Client
    • Other fields: <take-defaults>
  10. Click Next
  11. Fill out the Rules dialog:
    • All fields: <take-defaults>
  12. Click Next
  13. Review your choices in the Summary dialog.
  14. Click Create Certificate.

Create a Certificate Bundle for the Certificate Authority

To get your Certificate Chain PEM, perform the following steps:

  1. Open the navigation menu and click Identity & Security. Under Certificates, click Certificate Authorities.
  2. Select your certificate authority: mesh-demo-ca
  3. In the left nav, click Versions.
  4. In the "latest" row, click ... to the right of the row.
  5. Click View Content.
  6. For Certificate Chain PEM, click Copy.

To create a CA Bundle, perform the following steps:

  1. Open the navigation menu and click Identity & Security. Under Certificates, click Certificates.
  2. In the left nav, click CA Bundles.
  3. Click Create CA Bundle.
  4. Fill out the Create CA Bundle dialog:
    • Compartment: <Select-your-Compartment>
    • Name: bookinfo
    • PEM file: Select Paste Content
  5. Paste your copied content into the dialog.
  6. Click Create.

Configure mTLS with a Configuration file

Use the following meshify-bookinfo-mtls.yaml file to configure mTLS.

  1. Create the meshify-bookinfo-mtls.yaml file and using the following sample file as a starting point.
  2. Update compartmentId for the Ingress Gateway with your compartment OCID.
  3. Update certificateId under serverCertificate to be the Ingress Gateway certificate OCID.
  4. Update caBundleId under clientValidation to be the bookinfo CA Bundle OCID.
  5. To apply your changes run: 
    kubectl apply -f meshify-bookinfo-mtls.yaml
meshify-bookinfo-mtls.yaml
---
kind: IngressGateway
apiVersion: servicemesh.oci.oracle.com/v1beta1
metadata:
  name: bookinfo-ingress-gateway
  namespace: bookinfo
spec:
  compartmentId: ocid1.compartment.oc1..aaaaaaaaaa...
  mesh:
    ref:
      name: bookinfo
  hosts:
    - name: bookinfoHost
      hostnames:
        - bookinfo.example.com
        - bookinfo.example.com:443
      listeners:
        - port: 9080
          protocol: HTTP
          tls:
            mode: MUTUAL_TLS
            serverCertificate:
              ociTlsCertificate:
                certificateId: ocid1.certificate.oc1.iad.aaaaaaaaaa...
            clientValidation:
              trustedCaBundle:
                ociCaBundle:
                  caBundleId: ocid1.cabundle.oc1.iad.aaaaaaaaaa...
  accessLogging:
    isEnabled: true
---
apiVersion: servicemesh.oci.oracle.com/v1beta1
kind: IngressGatewayDeployment
metadata:
  name: bookinfo-ingress-gateway-deployment
  namespace: bookinfo
spec:
  ingressGateway:
    ref:
      name: bookinfo-ingress-gateway
  deployment:
    autoscaling:
      minPods: 1
      maxPods: 1
  ports:
    - protocol: TCP
      port: 9080
      serviceport: 443
  service:
    type: LoadBalancer
---

3. Install the Browser Client Certificate

Install the browser client certificate you created.

Steps to Install the Browser Client Certificate

Prepare the Client Certificate for the Browser

To prepare your client certificate, perform the following steps:

  1. Download the bookinfo-client certificate. 
    oci certificates certificate-bundle get --certificate-id ocid1.certificate.oc1.iad.aaaaaaaaaa... | jq -r '.data."certificate-pem"' > bookinfo-client.pem
  2. Download the bookinfo-client certificate private key. 
    oci certificates certificate-bundle get --certificate-id ocid1.certificate.oc1.iad.aaaaaaaaaa... --bundle-type CERTIFICATE_CONTENT_WITH_PRIVATE_KEY | jq -r '.data."private-key-pem"' bookinfo-client-key.pem
  3. Create a PKCS file containing the certificate and the private key. 
    openssl pkcs12 -export -in bookinfo-client.pem -inkey bookinfo-client-key.pem -out bookinfo-client.p12

    To provide a blank password, press enter when prompted for password.

Import the Client Certificate

Import the client certificate (PKCS file) into your browser. Typically, all browsers are configured to use the client certificates from the OS Certificate Store. This example imports the certificate into Firefox.

To import the client certificate into the Firefox browser from a PKCS file, perform the following steps:

  1. Open a new tab, enter about:preferences#privacy in the address bar and hit enter.
  2. Scroll down to Security then Certificates.
  3. Click on View Certificates.
  4. In the Certificate Manager dialog, click Your Certificates.
  5. Click Import.
  6. Navigate to the bookinfo-client.p12 file and import it.

Test your Certificate with the following steps:

  1. Open a new tab and navigate to https://bookinfo.example.com.
  2. In the popup dialog, select the bookinfo-client certificate.

4. Add Client Certificate to a Java Application

Add your client certificate to a Java HTTP client application. To allow your Java application to connect to your mesh through mTLS, add the following Java code snippet examples.

Steps to Add Client Certificate to a Java Application

Add your client certificate to a Java HTTP client application. To allow your Java application to connect to your mesh through mTLS, add the following Java code snippet examples.

Review the Java Code to add a Client Certificate

To add a client certificate to your Java code, follow these steps:

  1. Fetch client certificate with private key. 
    GetCertificateBundleRequest getCertificateBundleRequest = GetCertificateBundleRequest.builder()
    .certificateId("ocid1.certificate.oc1.iad.aaaaaaaaaa...") // bookinfo-client certificate id
    .certificateBundleType(GetCertificateBundleRequest.CertificateBundleType.CertificateContentWithPrivateKey)
    .build();
 
CertificateBundleWithPrivateKey clientCertificate = (CertificateBundleWithPrivateKey) client.getCertificateBundle(getCertificateBundleRequest).getCertificateBundle();
  2. Fetch CA bundle for server cert validation. 
    GetCertificateAuthorityBundleRequest getCertificateAuthorityBundleRequest = GetCertificateAuthorityBundleRequest.builder()
        .certificateAuthorityId("ocid1.certificate.oc1.iad.aaaaaaaaaa...") // mesh-demo-ca certificate authority id
        .build();
 
CertificateAuthorityBundle caBundle = client.getCertificateAuthorityBundle(getCertificateAuthorityBundleRequest).getCertificateAuthorityBundle();
  3. Prepare SSLContext using a third-party library called sslcontext-kickstart.
    • Add Maven dependency for the library. 
      <dependency>
    <groupId>io.github.hakky54</groupId>
    <artifactId>sslcontext-kickstart-for-pem</artifactId>
    <version>7.4.5</version>
</dependency>
    • Create the SSLContext in Java. 
      SSLFactory sslFactory = SSLFactory.builder()
          .withIdentityMaterial(keyManager)
          .withTrustMaterial(trustManager)
          .build();
 
SSLContext sslContext = sslFactory.getSslContext();
  4. Initialize HTTPClient. 
    HttpClient httpClient = HttpClient.newBuilder()
    .sslParameters(sslFactory.getSslParameters())
    .sslContext(sslFactory.getSslContext())
    .build();
  5. Access https://bookinfo.example.com. 
    HttpClient httpClient = HttpClient.newBuilder()
    .sslParameters(sslFactory.getSslParameters())
    .sslContext(sslFactory.getSslContext())
    .build();
 
 
HttpRequest request = HttpRequest.newBuilder()
    .GET()
    .uri(URI.create("https://bookinfo.example.com"))
    .build();
 
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());

What's Next

Congratulations! You have successfully configured ingress gateway client mTLS for your Bookinfo app Service Mesh.

To explore more information about development with Oracle products, check out these sites: