Steps to configure Mutual TLS in grpc-java?

[nddipiazza]

I created a new HelloWorld with TLS enabled example here: #3992

So far I have only configured TLS. Not mutual TLS.

What would be the steps to enable Mutual Auth in this example?

The script added to https://github.com/grpc/grpc-java/pull/3992/files#diff-1c0f522a61adc59307209c8e0296db49R39 generates the cert files needed.

The grpc-java security.md says to do this:

Server server = NettyServerBuilder.forPort(8443)
    .sslContext(GrpcSslContexts.forServer(certChainFile, privateKeyFile)
        .trustManager(clientCertChainFile)
        .clientAuth(ClientAuth.OPTIONAL)
        .build());

OK no problem. But what does the client-side look like?

[ejona86]

You just need to specify the keyManager() to SslContextBuilder on client-side.

Looking at that PR, I see this, which looks basically right.

        .sslContext(GrpcSslContexts.forClient()
            .trustManager(new File(trustCertCollectionFilePath))
            .keyManager(new File(certChainFilePath),
                new File(privateKeyFilePath))
            .build())

The certChainFilePath and privateKeyFilePath should both be for the client certificate. The trust manager is only used for verifying the server's certificate.

[nddipiazza]

Oh OK. So the inputs to the user would only need to be

Client: HelloWorldClientTls host port certChainFilePath privateKeyFilePath trustCertCollectionFilePath
Server: HelloWorldServerTls host port certChainFilePath privateKeyFilePath [trustCertCollectionFilePath] (where trustCertCollectionFilePath only needs to be specified when Mutual TLS is desired)

am i understanding that right @ejona86 ?

[nddipiazza]

never mind i get it now

[nddipiazza]

so the client only needs to specify

.keyManager(new File(certChainFilePath),
                new File(privateKeyFilePath))

when mutual auth is desired. i get it now

[carl-mastrangelo]

@nddipiazza Several people have asked about TLS so far, and I think the example you made would be really helpful. Would you consider adding your TLS hello world example?

[nddipiazza]

yes it's a PR that i would love to see merged

[nddipiazza]

@carl-mastrangelo @ejona86 this is ready for review. i have tested it with both TLS and TLS mutual auth. works.

[ejona86]

Seems this is resolved. Closing.