In modern microservice architectures, securing communication between services is crucial to protect sensitive data and maintain trust boundaries. Mutual TLS (mTLS) is an effective way to authenticate both client and server, ensuring that only authorized services can communicate with each other. In this article, we’ll explore how to set up mTLS in a Java microservices environment using Spring Cloud Gateway and Kubernetes.
Why Use mTLS?
- Authentication: Both parties verify each other’s identities, preventing unauthorized access.
- Encryption: Data transmitted between services is encrypted end-to-end.
- Compliance: Helps meet security standards and regulatory requirements.
- Zero Trust: Supports a zero-trust security model in distributed systems.
Prerequisites
- Java 11+ and Spring Boot microservices
- Spring Cloud Gateway as API Gateway
- Kubernetes cluster for deployment
- Basic knowledge of TLS/SSL certificates
Step 1: Generate Certificates for mTLS
To enable mTLS, you need certificates for both the client and the server, signed by a trusted Certificate Authority (CA). For simplicity, you can create your own CA and generate certificates using openssl:
# Generate CA key and cert openssl genrsa -out ca.key 4096 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/CN=MyCA" # Generate server key and CSR openssl genrsa -out server.key 4096 openssl req -new -key server.key -out server.csr -subj "/CN=server.microservice.local" # Sign server certificate with CA openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 # Generate client key and CSR openssl genrsa -out client.key 4096 openssl req -new -key client.key -out client.csr -subj "/CN=client.microservice.local" # Sign client certificate with CA openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
Step 2: Configure Spring Cloud Gateway for mTLS
Configure your Spring Cloud Gateway to require client certificates and validate them against the CA:
server:
ssl:
enabled: true
key-store: classpath:server-keystore.p12
key-store-password: changeit
key-store-type: PKCS12
trust-store: classpath:ca-truststore.p12
trust-store-password: changeit
client-auth: need
Place your keystore and truststore files in the resources directory. The keystore holds your server’s private key and certificate, while the truststore contains the CA certificates you trust.
Step 3: Enable mTLS in Your Microservices
Each microservice acting as a client must present its certificate when calling other services. Here’s how to configure a RestTemplate or WebClient with client certificates:
@Bean
public WebClient webClient() throws Exception {
SslContext sslContext = SslContextBuilder.forClient()
.keyManager(new File("client.crt"), new File("client.key"))
.trustManager(new File("ca.crt"))
.build();
HttpClient httpClient = HttpClient.create().secure(sslSpec -> sslSpec.sslContext(sslContext));
return WebClient.builder()
.clientConnector(new ReactorClientHttpConnector(httpClient))
.build();
}
Step 4: Deploy to Kubernetes
Create Kubernetes secrets from your certificates and mount them in your pods:
kubectl create secret generic tls-certs --from-file=server.crt --from-file=server.key --from-file=ca.crt
Update your deployment YAML to mount these secrets as volumes and configure your Spring Boot application accordingly.
Best Practices for mTLS in Microservices
- Rotate certificates regularly and automate the process.
- Use a dedicated CA or integrate with a service mesh (e.g., Istio) for certificate management.
- Monitor and log TLS handshake failures for troubleshooting.
- Keep truststores updated to remove compromised or expired certificates.
Further Reading & Resources
- Spring Cloud Gateway Documentation
- Kubernetes TLS Documentation
- Secure Service-to-Service Communication
- Istio mTLS Overview
