kumareshbabuns / c-2-c-boot Goto Github PK

• Container to Container networking on overlay network

• Java Buildpack add both diego identity key/cert to keystore and bosh trusted certs to truststore.

• One front end Application (client) with /hello endpoint.
• One Backend application (server) with /hello endpoint.
• Server uses .profile.d to load the certs from diego instance identity env vars
• Server opens two ports: one for 8080 to expose the internal IP through gorouter. One for ssl works with overlay network (c-2-c)
• Server mutual ssl is want, which means client certificate is optional
• /hello endpoint requires client certificate to be trusted and enforced by spring security.
• Client uses restTemplate to communicate with server through mutual SSL
• Enable java ssl debug

• push client/server to cf

cf push

• Add network policy to open up the communication

cf add-network-policy client-c2c --destination-app server-c2c --port 8443 --protocol tcp

• Find the server IP

Shaozhen-Ding-MacBook-Pro-3:c-2-c sding$ curl server-c2c.cfapps.haas-60.pez.pivotal.io/nomutual
this has no mutual auth. My Internal ip is:10.255.175.197

• Configure the client

cf set-env client-c2c BACKEND_SERVER https://10.255.175.197:8443
cf restart client-c2c

• Curl the client hello endpoint.

Client will contact with server through mutual ssl by using the diego identity certificate (The CN is CF instance ID)

Shaozhen-Ding-MacBook-Pro-3:c-2-c sding$ curl http://client-c2c.cfapps.haas-60.pez.pivotal.io/hello
Thanks for authenticating with X509, certificate CN is: c4aae08f-3612-4886-61df-3643