SSL/TLS Configuration


Lenses can use TLS/SSL connections and supports Java Keystore (JKS) format for keys and certificates. At the moment, services may require:

  • Truststore: The SSL/TLS trust store to use as the global JVM trust store. Available formats are .jks, .p12, .pfx.
  • Keystore: The SSL/TLS keystore to use for the TLS listener for Lenses. Available format is .jks.

Lenses can connect with external services through SSL, see the pages kafka brokers, schema registry and connect for specific details on how to configure them.

Convert PEM to JKS Format 

If the certificates are previously created with the PEM format, they need to be converted to JKS. To do so, we can use keytool, a key and certificate management tool, that can be easily used through the lenses docker image. By using the docker image we ensure the java version used by lenses and keytool are compatible.

Generic command example:

docker run -it --rm lensesio/lenses:<version> /usr/bin/keytool <args>

Generate Truststore 

To convert your PEM truststore to JKS, run the command below, where

  • file: input trustore file in PEM to be converted to JKS
  • keystore: output file in JKS format
  • alias: unique string to identify the key entry
docker run  \
        -v /path/to/file.pem:/tmp/file.pem:ro \
        -v /path/to/output/:/output \
        -it --rm lensesio/lenses:5.1.0 /usr/bin/keytool  \
        -importcert \
        -noprompt \
        -trustcacerts \
        -keystore /output/truststore.jks \
        -alias "${alias}" \
        -file /tmp/file.pem \
        -storepass changeit \
        -storetype JKS

The output truststore will be found at /path/to/output/truststore.jks.

Generate Keystore 

In this part, we’ll generate a keystore file from a private key and a certificate file in PEM format. The process requires two steps:

  1. Create .p12 keystore. Password is harcoded to changeit as an example
openssl pkcs12 -export \
            -inkey "${cert.key.pem}" \
            -in "${cert.crt.pem}"  \
            -out /tmp/keystore.p12 \
            -name service \
            -passout pass:changeit
  1. Run keytool to convert to JKS. Please, change all changeit references and mounted paths.
 docker run \
        -v /path/to/keystore.p12:/tmp/keystore.p12:ro \
        -v /path/to/output/:/output \
        -it --rm lensesio/lenses:5.1.0 /usr/bin/keytool \
        -importkeystore \
        -noprompt -v \
        -srckeystore /tmp/keystore.p12 \
        -srcstoretype PKCS12 \
        -srcstorepass changeit \
        -alias service \
        -deststorepass changeit \
        -destkeypass changeit \
        -destkeystore /output/cert.jks \
        -deststoretype JKS

The output keystore will be found at /path/to/output/cert.jks.

--
Last modified: July 17, 2024