Skip to content

Latest commit

 

History

History
91 lines (85 loc) · 4.73 KB

README.md

File metadata and controls

91 lines (85 loc) · 4.73 KB

Use azure-security-keyvault-jca.jar via Command Line in client side

Key concepts

This sample illustrates how to use azure-security-keyvault-jca.jar via command line in client side.

Getting started

  • This sample contains a simple web client function.

Environment

jdk 11.0.12 or above

Run Spring Boot web server with azure-security-keyvault-jca.jar via command line.

  1. Start the server side sample. Please refer to server side tutorial.
  2. Open terminal and enter the folder where the pom.xml is and run mvn package. In the target folder there is a run-with-command-line-client-1.0.0.jar generated.
  3. Get a copy of the JCA configuration file.
    • Linux: /lib/security/java.security
    • MacOS Big Sur: /conf/security/java.security
    • Windows: \conf\security\java.security
  4. Edit your copy of the JCA configuration file. Add a new item: KeyVaultJcaProvider 
    security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunJGSS
security.provider.7=SunSASL
security.provider.8=XMLDSig
security.provider.9=SunPCSC
security.provider.10=JdkLDAP
security.provider.11=JdkSASL
security.provider.12=Apple
security.provider.13=SunPKCS11
# Next line is the new added item.
security.provider.14=com.azure.security.keyvault.jca.KeyVaultJcaProvider
  5. Get the azure-security-keyvault-jca.jar. You can download the latest published jar from maven repository azure-security-keyvault-jca. When this document is written, the latest jar is azure-security-keyvault-jca-2.6.0.jar
  6. Make a directory, for example, sample_client. Then put the 3 files into sample_client folder
    • java.security
    • run-with-command-line-client-side-1.0.0.jar
    • azure-security-keyvault-jca-2.6.0.jar
  7. Create the key vault and certificates, please refer to create key vault and certificates. Create service principal and add a secret, please refer to register app with AAD.
  8. Replace properties <yourAzureKeyVaultUri>, <yourTenantID>, <youClientID>, <yourSecretValue> with your created resources in the following command, open terminal and enter the directory sample_client, run the changed command: 
    java \
--module-path ./azure-security-keyvault-jca-2.6.0.jar \
--add-modules com.azure.security.keyvault.jca \
-Dsecurity.overridePropertiesFile=true \
-Djava.security.properties==./java.security \
-Djavax.net.ssl.trustStoreType=AzureKeyVault \
-Dazure.keyvault.uri=<yourKeyVaultURI> \
-Dazure.keyvault.tenant-id=<yourTenantID> \
-Dazure.keyvault.client-id=<yourClientID> \
-Dazure.keyvault.client-secret=<yourSecretValue> \
-jar run-with-command-line-client-side-1.0.0.jar
    If you have run the server side with client authentication needed, please use the following command instead of the above to run the client side: 
    java \
--module-path ./azure-security-keyvault-jca-2.6.0.jar \
--add-modules com.azure.security.keyvault.jca \
-Dsecurity.overridePropertiesFile=true \
-Djava.security.properties==./java.security \
-Djavax.net.ssl.trustStoreType=AzureKeyVault \
-Djavax.net.ssl.keyStoreType=AzureKeyVault \
-Dazure.keyvault.uri=<yourKeyVaultURI> \
-Dazure.keyvault.tenant-id=<yourTenantID> \
-Dazure.keyvault.client-id=<yourClientID> \
-Dazure.keyvault.client-secret=<yourSecretValue> \
-jar run-with-command-line-client-side-1.0.0.jar
  9. Check the output. The client will be started and connect to the server side after a while, you will see "Hello World!".
  10. (Optional) You can also use the KeyVaultKeyStore with local certificates.
    • For example, there are some well known CAs. You can put them into a folder, then configure the system property azure.cert-path.well-known=<yourFolderPath>. The certificates in this folder will be loaded by KeyVaultKeystore. If you don't configure such a property, the default well-known path will be /etc/certs/well-known/.
    • Besides, the well-known path, you can also put your customized certificates into another folder specified by azure.cert-path.custom=<yourCustomPath>, by default, the custom path is /etc/certs/custom/.
    • You can also put certificates under the class path, build a folder named keyvault and configure it under the class path, then all the certificates in this folder will be loaded by key vault keystore.