In my last post I showed how easy it was to get your REST API based on the Spring Boot framework up and running on AWS with the help of Boxfuse. The next step is making use of SSL for the communication with the API. By using SSL we make sure our data is safe during transport between our REST API server and the API client. To set up SSL for the Spring Boot application you have to perform the following two steps:
- Create a keystore
- Configure the Spring Boot application
Create the keystore
The first step can be quite easy. Especially for development and testing purposes you can easily generate your own SSL certificate and keystore. There are lots of sites describing this. Basically it is as simple as this:
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 3650
Add the generated keystore file to your application’s classpath by putting the file in your ‘src/main/resources’ folder.
For a professional/production SSL certificate it is best to get one from a trusted Certificate Authority. Just google for ‘buy SSL certificate‘ and you will get lots of options to choose from (I ran into this one which claims to generate certificates for free but I haven’t tried it yet). By using a self-signed certificate you will get warnings from your browser indicating the site you are going to visit might be unsafe.
Configure the Spring Boot application
The second step is to configure the Spring Boot application to make use of the keystore to set up SSL connections. To do this add the following to your ‘application.yml’ file that you use to configure your Spring Boot application:
    server:
      port: 443
      ssl:
        key-store: classpath:keystore.jks
        key-store-password: tomcat
        keyAlias: tomcat
There are two things that need your attention here:
- First the port 443. This works perfectly on the AWS instance that is created by Boxfuse. If I use this setup for my dev environment (VirtualBox instance) the port is forwarded to 10443 on the host. Not really a problem but good to know when testing the API locally.
- The second property to give extra attention is the name you set for your keystore. I forgot to set the ‘classpath:’ part, which made the application look for the key-store in a ‘/app’ folder which I didn’t have. I am not sure where that is coming from but just note that you have to add ‘classpath:’ to the path if you deliver your key-store within your application.
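A pre-deployment check for the two steps above, as an added example that is not part of the original post: it loads keystore.jks from the classpath, confirms that the tomcat alias holds a private key that opens with the store password, and reports the validity and whether the certificate is self-signed. The class name KeystoreCheck and passing the password as a command-line argument are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

// Added example (not from the original post): checks the keystore that
// application.yml refers to before the application is deployed.
public class KeystoreCheck {

    // Values taken from the application.yml shown in the post.
    static final String RESOURCE = "keystore.jks";
    static final String ALIAS = "tomcat";

    public static void main(String[] args) throws Exception {
        // Assumption: the store password is passed as the only argument.
        if (args.length != 1) {
            System.err.println("usage: java KeystoreCheck <key-store-password>");
            System.exit(2);
        }
        char[] password = args[0].toCharArray();

        // Classpath lookup, as with the 'classpath:' prefix: a file placed in
        // src/main/resources ends up on the classpath after the build.
        try (InputStream in = KeystoreCheck.class.getClassLoader()
                .getResourceAsStream(RESOURCE)) {
            if (in == null) {
                throw new IllegalStateException(RESOURCE + " is not on the classpath");
            }
            // Assumption: JKS format, matching the .jks file name used in the post.
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, password); // throws IOException on a wrong password
            if (!ks.isKeyEntry(ALIAS)) {
                throw new IllegalStateException("alias '" + ALIAS + "' has no private key");
            }
            // No key-password is configured in the post, so the key must open
            // with the store password; getKey throws if it does not.
            ks.getKey(ALIAS, password);

            X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
            cert.checkValidity(); // throws if expired or not yet valid
            // Subject equal to issuer is how a keytool-generated self-signed
            // certificate shows up; browsers warn about these.
            boolean selfSigned = cert.getSubjectX500Principal()
                    .equals(cert.getIssuerX500Principal());
            System.out.println("subject:     " + cert.getSubjectX500Principal().getName());
            System.out.println("valid until: " + cert.getNotAfter());
            System.out.println("self-signed: " + selfSigned);
        }
    }
}
```

Run it with the build output directory that contains keystore.jks on the classpath.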
But wait… we forgot to configure Boxfuse for this! Well, we don’t need to because Boxfuse will use the same settings as Spring Boot and make sure the correct port is open in the security group for our server. So just run your application with Boxfuse and the REST API will now only be accessible over https: