Introducing Spring Cloud Azure Starter Key Vault JCA for Streamlined TLS and mTLS in Spring Boot
Moary Chen introduces the Spring Cloud Azure Starter Key Vault JCA, showing how to streamline TLS and mTLS for Spring Boot using Azure Key Vault for secure certificate management.
Introducing Spring Cloud Azure Starter Key Vault JCA for Streamlined TLS and mTLS in Spring Boot
Author: Moary Chen
Overview
Microsoft has released the Spring Cloud Azure Starter Key Vault Java Crypto Architecture (JCA), extending the Spring Cloud Azure ecosystem with new secure communication features for Java developers. This starter package simplifies configuring TLS and mutual TLS (mTLS) in Spring Boot applications by integrating Azure Key Vault’s certificate management through the Java Crypto Architecture and Spring SSL Bundles. The solution is designed for Spring Boot 3.1+ and is available in version 5.21.0 and above.
What is Spring Cloud Azure Starter Key Vault JCA?
Spring Cloud Azure Starter Key Vault JCA bridges Spring Boot’s SSL Bundles abstraction with the Azure Key Vault JCA provider. This integration allows developers to use certificates securely stored in Azure Key Vault directly in their Spring applications. This new approach reduces the complexity associated with traditional Java keystore management, offering a modern, secure, and maintainable alternative.
- SSL Bundles (Spring Boot 3.1+): Abstraction layer in Spring Boot for managing SSL credentials.
- Azure Key Vault JCA Provider: Enables reading certificates and keys securely from Azure Key Vault.
Reference: Legacy approach and comparison
Getting Started
To begin using the starter:
1. Add the Maven Dependency
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-starter-keyvault-jca</artifactId>
<version>5.21.0</version>
</dependency>
2. Prepare Azure Resources
- Create two self-signed certificates in separate Azure Key Vault resources: one named
server(inkeyvault1), and another namedclient(inkeyvault2). Instructions - Create a Service Principal with appropriate permissions using this guide.
- Assign Key Vault Certificate User Role to the Service Principal for both vaults (role assignment guide).
- Set environment variables: Variables prefixed with
KEY_VAULT_SSL_BUNDLES_store connection and credential information for Key Vault access.
Use Cases and Example Configurations
Enabling Embedded Server TLS
Secure inbound HTTP traffic with server-side TLS using Key Vault certificate:
application.yml Example:
spring:
application:
name: ssl-bundles-server
ssl:
bundle:
keyvault:
tlsServerBundle:
key:
alias: server
keystore:
keyvault-ref: keyvault1
cloud:
azure:
keyvault:
jca:
vaults:
keyvault1:
endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
profile:
tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}
credential:
client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}
client-secret: ${KEY_VAULT_SSL_BUNDLES_CLIENT_SECRET}
server:
ssl:
bundle: tlsServerBundle
Securing RestTemplate for Outbound TLS
Configure Spring’s RestTemplate to use a Key Vault certificate for secure outbound HTTPS:
application.yml adjustment:
spring:
ssl:
bundle:
keyvault:
tlsClientBundle:
truststore:
keyvault-ref: keyvault1
cloud:
azure:
keyvault:
jca:
vaults:
keyvault1:
endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
profile:
tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}
credential:
client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}
client-secret: ${KEY_VAULT_SSL_BUNDLES_CLIENT_SECRET}
Java configuration:
@Bean
RestTemplate restTemplateWithTLS(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
return restTemplateBuilder.sslBundle(sslBundles.getBundle("tlsClientBundle")).build();
}
Securing WebClient for Outbound TLS
Follow the same application.yml as in the RestTemplate scenario, then adjust the WebClient registration:
@Bean
WebClient webClientWithTLS(WebClientSsl ssl) {
return WebClient.builder().apply(ssl.fromBundle("tlsClientBundle")).build();
}
mTLS (Mutual TLS) Communication Setup
Server Side Configuration
Trust client certificates in keyvault2 and enable client authentication:
spring:
application:
name: ssl-bundles-server
ssl:
bundle:
keyvault:
tlsServerBundle:
key:
alias: server
keystore:
keyvault-ref: keyvault1
truststore:
keyvault-ref: keyvault2
cloud:
azure:
keyvault:
jca:
vaults:
keyvault1: ... # as above
keyvault2: ...
server:
ssl:
bundle: tlsServerBundle
client-auth: NEED
Client Side Configuration
Configure application.yml to use keyvault2 for the client’s certificate and keyvault1 for the trust store:
spring:
ssl:
bundle:
keyvault:
mtlsClientBundle:
key:
alias: client
for-client-auth: true
keystore:
keyvault-ref: keyvault2
truststore:
keyvault-ref: keyvault1
cloud:
azure:
keyvault:
jca:
vaults:
keyvault1: ...
keyvault2: ...
Registering TLS/mTLS Java Beans:
@Bean
RestTemplate restTemplateWithMTLS(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
return restTemplateBuilder.sslBundle(sslBundles.getBundle("mtlsClientBundle")).build();
}
@Bean
WebClient webClientWithMTLS(WebClientSsl ssl) {
return WebClient.builder().apply(ssl.fromBundle("mtlsClientBundle")).build();
}
Feedback and Contributions
You can share feedback or contribute via StackOverflow or the Azure SDK for Java GitHub repository.
Further Resources
- Enable HTTPS in Spring Boot application (Legacy)
- Sign and verify jar files with Azure Key Vault
- Using Azure Key Vault for JVM SSL certificates
- Using Azure Key Vault with Apache Tomcat
- Spring Cloud Azure Documentation
- Spring Cloud Azure Code Samples
- Changelog
This starter streamlines the integration of secure, certificate-based communication between Spring Boot applications and Azure Key Vault, making it easier for Java developers to adopt robust security practices on Azure.
This post appeared first on “Microsoft DevBlog”. Read the entire article here