How to set TLS server for java sdk connection option

Shean · November 27, 2022, 2:13pm

Before I connect to my Temporal cluster, I need to connect to the TLS server to get certificate then I could connect to the Temporal cluster. In go language, I could do like below:

var connOptions client.ConnectionOptions
	if cfg.Temporal.TLSServer != "" {
		connOptions = client.ConnectionOptions{
			TLS: &tls.Config{
				ServerName: cfg.Temporal.TLSServer,
			},
		}
	}

c, err := client.NewClient(client.Options{
	HostPort:          cfg.Temporal.HostPort,
	Namespace:         cfg.Temporal.Namespace,
	ConnectionOptions: connOptions,
	})

But in java, i did not find way to do this.

Need help in urgent, thanks in advance!

tihomir · November 28, 2022, 2:49am

I don’t think you need this setting in most cases. With Java SDK, the server name is set by netty from the target you specify, for example:

 WorkflowServiceStubs service =
    WorkflowServiceStubs.newServiceStubs(
        WorkflowServiceStubsOptions.newBuilder()
            .setSslContext(SimpleSslContextBuilder.forPKCS8(clientCert, clientKey).build())
            .setTarget(targetEndpoint)
            .build());

(see full sample here)

If you need to pass custom serverName to SSL that is indeed different than your target you are connecting to you could register a custom ChannelInitializer via ServiceStubsOptions.Builder#setChannelInitializer
it takes a builder for the gRPC channel, and then can call io.grpc.ManagedChannelBuilder.overrideAuthority on this builder:

ManagedChannelBuilder.forTarget("target").overrideAuthority("server").build();

See also here.

Shean · November 28, 2022, 11:29am

Thanks for the reply! That’s very detail! I’ll try this.

filip_bocse · September 10, 2024, 5:21pm

@tihomir Does this apply for the when using private links instead of actual grpc endpoints we’d provide VPC endpoint:7233 and use the original grpc endpoint (w/out the port, just fqdn) as ManagedChannelBuilder.forTarget("grpcEndpoint")?

I have been trying to correlate java SDK sample to understand how connecting via privatelink works.

Reverse engineering spring plugin I think it’s a yes but would appreciate a confirmation

github.com

temporalio/sdk-java/blob/add6c4e8174b81f31ebc373142844bd9c89c4b9d/temporal-spring-boot-autoconfigure/src/main/java/io/temporal/spring/boot/autoconfigure/template/ServiceStubOptionsTemplate.java#L155-L160


      
            String serverName = mtlsProperties.getServerName();
            if (serverName != null) {
              stubsOptionsBuilder.setChannelInitializer(
                  channelBuilder -> channelBuilder.overrideAuthority(serverName));
            }
          }

Thanks

Topic		Replies	Views
Java client with TLS Community Support java-sdk , tls	8	2043	April 18, 2024
HELP: How to create a client with TLS Community Support go-sdk	8	3155	May 20, 2022
Need Help on tls config in java Community Support java-sdk	4	1390	January 18, 2022
Need help to figure out how to use Temporal SDK w/ AWS private links Developer Corner java-sdk	1	27	September 10, 2024
Connecting via core-sdk in rust Community Support general-impl	3	743	December 23, 2022

How to set TLS server for java sdk connection option

Related topics