phani
August 27, 2021, 5:04am
1
Hi,
How do I disable host name verification when connecting from a worker to Temporal over SSL?
I didn't see the option in the API.
WorkflowServiceStubs service =
    WorkflowServiceStubs.newInstance(
        WorkflowServiceStubsOptions.newBuilder()
            .setSslContext(SimpleSslContextBuilder.newBuilder(clientCert, clientKey).build())
            .setTarget(targetEndpoint)
            .build());
Thanks
phani
Which server version are you using? Since version 1.9.x host name verification is performed by default if TLS is enabled.
See the --tls_disable_host_verification flag on tctl here on how to disable it.
phani
August 27, 2021, 3:58pm
3
Yes, we can disable it from tctl; what about the worker when communicating with Temporal?
SimpleSslContextBuilder has a “setUseInsecureTrustManager” method you can set to true.
Have you tried it to see if that fixes the issue?
@Vitaly do you know if this can be done any other way?
I have TLS hostname verification disabled using the method @tihomir mentioned and it seems to work fine.
@Bean
public WorkflowServiceStubs workflowServiceStubs() throws SSLException {
    logger.info("Getting connection to {}", config.getServiceAddress());
    // Insecure trust manager: the client accepts any server certificate, so no hostname check runs.
    SimpleSslContextBuilder builder =
        SimpleSslContextBuilder.newBuilder(null, null).setUseInsecureTrustManager(true);
    return WorkflowServiceStubs.newInstance(
        WorkflowServiceStubsOptions.newBuilder()
            .setSslContext(builder.build())
            .setTarget(config.getServiceAddress())
            .build());
}
Vitaly
August 27, 2021, 10:25pm
6
Insecure trust manager turns off client-side validation; it's not recommended for a production setup as it would allow potential for a man-in-the-middle attack.
@arnesenfamily I’m not sure what is the original problem, what type of error are you getting?
phani
August 30, 2021, 5:52am
7
Hi,
Below is the issue I am facing. I used the below GitHub sample to make tctl secure with mTLS.
I have tested with the below tctl command and everything is working as expected.
tctl --tls_ca_path=ca/server-intermediate-ca.pem --tls_cert_path=/internode/cluster-internode.pem --tls_key_path=tls-full/certs/cluster/internode/cluster-internode.key --tls_disable_host_verification=true --tls_server_name=internode.cluster-x.contoso.com cluster get-search-attributes
Now I am trying my worker with SSL enabled with the certs and I am getting the below exception:
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
As I am testing locally and using the same certificates the example provided, I am assuming this may be related to hostname verification.
Thanks
phani
Are you setting server name in your client like you did with tctl?
phani
August 31, 2021, 11:27am
9
Hi All,
Thank you for the help. Finally, below is the worker code to communicate over mTLS.
import java.io.File;
import io.grpc.Grpc;
import io.grpc.ManagedChannel;
import io.grpc.TlsChannelCredentials;
import io.temporal.client.WorkflowClient;
import io.temporal.client.WorkflowClientOptions;
import io.temporal.serviceclient.WorkflowServiceStubs;
import io.temporal.serviceclient.WorkflowServiceStubsOptions;
import io.temporal.worker.WorkerFactory;

// keyManager/trustManager read the PEM files and throw IOException, so this runs inside a method that declares it.
TlsChannelCredentials.Builder tlsBuilder = TlsChannelCredentials.newBuilder();
// Client certificate and PKCS#8 private key presented to the server (mTLS).
tlsBuilder.keyManager(
    new File("/tls/tls-full/certs/cluster/internode/cluster-internode.pem"),
    new File("/pkcs8_key.pem"));
// CA that signed the server certificate; server certificate validation stays enabled.
tlsBuilder.trustManager(new File("//tls/tls-full/certs/cluster/ca/server-intermediate-ca.pem"));
ManagedChannel channel =
    Grpc.newChannelBuilderForAddress("localhost", Integer.parseInt("7233"), tlsBuilder.build())
        // Hostname is verified against this authority instead of "localhost", like tctl --tls_server_name.
        .overrideAuthority("abc.com")
        .build();
WorkflowServiceStubs service =
    WorkflowServiceStubs.newInstance(
        WorkflowServiceStubsOptions.newBuilder()
            .setChannel(channel)
            // .setTarget("localhost:7233")
            .build());
WorkflowClient client =
    WorkflowClient.newInstance(
        service, WorkflowClientOptions.newBuilder().setNamespace("default").build());
WorkerFactory factory = WorkerFactory.newInstance(client);
factory.start();
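Vitaly's point above (an insecure trust manager removes client-side validation) and the overrideAuthority fix in this post both come down to which name the client checks against the server certificate's SAN list. The following Go program is an added example, not code from the thread or from Temporal: it generates a throwaway self-signed certificate whose only DNS SAN is the --tls_server_name value from the tctl command (a constructed stand-in; it assumes nothing about the real sample certificates) and shows that "localhost" is rejected while the SAN name is accepted with verification left on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample: the only DNS SAN on the test cert, standing in for the
// name passed to tctl --tls_server_name and to overrideAuthority in the worker.
const certSAN = "internode.cluster-x.contoso.com"

// newTestCert makes a throwaway self-signed cert so the check runs offline.
func newTestCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{certSAN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameAccepted reports whether a verifying client presenting serverName (dial address or overridden authority) accepts cert.
func HostnameAccepted(cert *x509.Certificate, serverName string) bool {
	return cert.VerifyHostname(serverName) == nil
}

func main() {
	cert, err := newTestCert()
	if err != nil {
		panic(err)
	}
	// "localhost" fails like the worker did; the SAN name passes with validation on.
	for _, name := range []string{"localhost", certSAN} {
		fmt.Printf("serverName=%q accepted=%v\n", name, HostnameAccepted(cert, name))
	}
}
```

Run it and compare the two lines: the second is what overrideAuthority / --tls_server_name achieves without setUseInsecureTrustManager(true).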
phani
September 2, 2021, 3:11pm
10
Hi Sergey,
Is it possible to add Temporal Web to customization-samples? How do we use Temporal Web when adding mTLS for tctl and the worker?
I added the below to the docker file but it is failing:
temporal-web:
  image: temporalio/web:latest
  ports:
    - "8088:8088"
  stdin_open: true
  tty: true
  volumes:
    - ${TEMPORAL_LOCAL_CERT_DIR}:${TEMPORAL_TLS_CERTS_DIR}
  environment:
    - "TEMPORAL_CLI_ADDRESS=temporal:7233"
    - "TEMPORAL_CLI_TLS_CA=${TEMPORAL_TLS_CERTS_DIR}/cluster/ca/server-intermediate-ca.pem"
    - "TEMPORAL_CLI_TLS_CERT=${TEMPORAL_TLS_CERTS_DIR}/cluster/internode/cluster-internode.pem"
    - "TEMPORAL_CLI_TLS_KEY=${TEMPORAL_TLS_CERTS_DIR}/cluster/internode/cluster-internode.key"
    - "TEMPORAL_CLI_TLS_ENABLE_HOST_VERIFICATION=true"
    - "TEMPORAL_CLI_TLS_SERVER_NAME=internode.cluster-x.contoso.com"
  depends_on:
    - temporal
phani
September 2, 2021, 3:56pm
11
Hi,
The below configuration worked:
temporal-web:
  image: temporalio/web
  ports:
    - "8088:8088"
  stdin_open: true
  tty: true
  volumes:
    - ${TEMPORAL_LOCAL_CERT_DIR}:${TEMPORAL_TLS_CERTS_DIR}
  environment:
    - "TEMPORAL_GRPC_ENDPOINT=temporal:7233"
    - "TEMPORAL_CONFIG_PATH=./server/config.yml"
    - "TEMPORAL_CLI_ADDRESS=temporal:7233"
    - "TEMPORAL_TLS_CA_PATH=${TEMPORAL_TLS_CERTS_DIR}/cluster/ca/server-intermediate-ca.pem"
    - "TEMPORAL_TLS_CERT_PATH=${TEMPORAL_TLS_CERTS_DIR}/cluster/internode/cluster-internode.pem"
    - "TEMPORAL_TLS_KEY_PATH=${TEMPORAL_TLS_CERTS_DIR}/cluster/internode/cluster-internode.key"
    - "TEMPORAL_TLS_ENABLE_HOST_VERIFICATION=true"
    - "TEMPORAL_TLS_SERVER_NAME=internode.cluster-x.contoso.com"
  depends_on:
    - temporal
Thanks
phani