Seamlessly Integrating Azure KeyVault with Jarsigner for Enhanced Security
User Scenario and Benefits
In today’s cloud-driven world, securely managing and signing applications is crucial, particularly in the context of Software Supply Chain Security. The integration of the KeyVault JCA provider with Jarsigner helps ensure that your software supply chain remains secure by leveraging Azure KeyVault for key management.
Consider a development team responsible for a microservices-based application deployed on Azure Spring Apps. They need to sign their Java archive (JAR) files to ensure the integrity and authenticity of their software artifacts before deployment. Integrating Azure KeyVault JCA provider with Jarsigner offers a streamlined approach to securely manage and use cryptographic keys stored in Azure KeyVault, mitigating the risks associated with key management and distribution in the software supply chain.
Prerequisites
Before beginning, ensure you have the following:
An Azure subscription.
Java version 8 or higher.
jq, a lightweight and flexible command-line JSON processor.
A certificate whose key uses one of the supported algorithms: DSA, RSA, or ECDSA.
Step 1: Download and Configure JCA Provider Jar
Download the Provider Jar.
If you are using Java 8, you need to add the JCA provider jar to the class path: place the jar under the folder ${JAVA_HOME}/jre/lib/ext.
If you are using Java 9 or higher, just place the jar in a folder that jarsigner can access.
Step 2: Prepare Azure Resources
Follow these steps carefully to achieve successful integration:
Prepare your parameters:
DATE_STRING=$(date +%H%M%S)
RESOURCE_GROUP_NAME=jarsigner-rg-$DATE_STRING
KEYVAULT_NAME=jarsigner-kv-$DATE_STRING
CERT_NAME=jarsigner-cert-$DATE_STRING
SERVICE_PRINCIPAL_NAME=jarsigner-sp-$DATE_STRING
Create a resource group:
az group create --name $RESOURCE_GROUP_NAME --location "EastUS"
Create a key vault:
az keyvault create --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --location "EastUS"
Get the key vault URI:
KEYVAULT_URL=$(az keyvault show --name $KEYVAULT_NAME --query "properties.vaultUri" --resource-group $RESOURCE_GROUP_NAME -o tsv | tr -d '\r\n')
echo $KEYVAULT_URL
Add a certificate to Key Vault:
az keyvault certificate create --vault-name $KEYVAULT_NAME -n $CERT_NAME -p "$(az keyvault certificate get-default-policy)"
Create a service principal:
SP_JSON=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME)
CLIENT_ID=$(echo $SP_JSON | jq -r '.appId')
CLIENT_SECRET=$(echo $SP_JSON | jq -r '.password')
TENANT=$(echo $SP_JSON | jq -r '.tenant')
echo "CLIENT_ID:"$CLIENT_ID
echo "CLIENT_SECRET:"$CLIENT_SECRET
echo "TENANT:"$TENANT
These echo lines print the client secret to the terminal; omit the CLIENT_SECRET echo in a CI job whose output is logged.
Get the object ID of the service principal:
OBJECTID=$(az ad sp show --id "$CLIENT_ID" --query id -o tsv | tr -d '\r\n')
echo $OBJECTID
Assign permissions to the service principal. The secret get permission is needed because the JCA provider retrieves the certificate's private key through the Key Vault secrets endpoint; the certificate permissions let it list and read the certificate itself:
az keyvault set-policy --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --object-id $OBJECTID --secret-permissions get
az keyvault set-policy --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --object-id $OBJECTID --certificate-permissions get list
Step 3: Sign with Jarsigner
Prepare Your Jar: Have the jar file you wish to sign ready.
Execute Jarsigner: Use the Jarsigner tool with the KeyVault JCA provider to sign your jar file. Replace the placeholder parameters below with the actual values.
PARAM_YOUR_JAR_FILE_PATH: the path to the jar file you wish to sign, for example /path/to/your/jarfile.jar
PARAM_JCA_PROVIDER_JAR_PATH: the path to the JCA provider jar file, for example /path/to/your/azure-security-keyvault-jca-2.8.1.jar
If you are using Java 8, sign the jar using the command below:
jarsigner -keystore NONE -storetype AzureKeyVault \
  -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \
  -verbose -storepass "" \
  -providerName AzureKeyVault \
  -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
  -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
  -J-Dazure.keyvault.tenant-id=${TENANT} \
  -J-Dazure.keyvault.client-id=${CLIENT_ID} \
  -J-Dazure.keyvault.client-secret=${CLIENT_SECRET}
If you are using Java 9 or higher, sign the jar using the command below:
jarsigner -keystore NONE -storetype AzureKeyVault \
  -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \
  -verbose -storepass "" \
  -providerName AzureKeyVault \
  -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
  -J--module-path="${PARAM_JCA_PROVIDER_JAR_PATH}" \
  -J--add-modules="com.azure.security.keyvault.jca" \
  -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
  -J-Dazure.keyvault.tenant-id=${TENANT} \
  -J-Dazure.keyvault.client-id=${CLIENT_ID} \
  -J-Dazure.keyvault.client-secret=${CLIENT_SECRET}
Check your output; it may look like this:
Step 4: Verify with Jarsigner
You can verify the signed jar using the following Jarsigner command.
jarsigner -verify -verbose -certs signerjar.jar
The output may look like this (a successful verification ends with the line "jar verified."):
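Steps 3 and 4 combined into one script, as an added example that is not part of the original post: it picks the Java 8 or Java 9+ form of the jarsigner command from the installed JDK, signs, and then fails unless jarsigner actually reports the jar as verified. It reuses the post's variables KEYVAULT_URL, TENANT, CLIENT_ID, CLIENT_SECRET and CERT_NAME; JAR_IN, JAR_OUT and JCA_JAR are assumed names for the input jar, output jar and provider jar.

```shell
#!/bin/sh
# Added example, not from the original post: choose the jarsigner invocation
# for the installed JDK (Java 8 vs 9+), sign, then fail unless verification
# succeeds. Reuses the post's variables KEYVAULT_URL, TENANT, CLIENT_ID,
# CLIENT_SECRET and CERT_NAME; JAR_IN, JAR_OUT and JCA_JAR are assumed names.
set -eu

# Major version from the string printed by `java -version`
# ("1.8.0_392" -> 8, "17.0.2" -> 17, "9-ea" -> 9).
java_major_version() {
  v=${1#1.}                       # drop the legacy "1." prefix used by Java 8
  printf '%s\n' "${v%%[!0-9]*}"   # keep the leading digits only
}

# Java 9+ loads the provider as a module; Java 8 finds it in jre/lib/ext.
needs_module_path() {
  [ "$1" -ge 9 ]
}

sign_and_verify() {
  major=$(java_major_version "$(java -version 2>&1 \
    | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)")
  # Build the argument list in the positional parameters (POSIX sh has no arrays).
  set -- -keystore NONE -storetype AzureKeyVault \
    -signedjar "$JAR_OUT" "$JAR_IN" "$CERT_NAME" -verbose -storepass "" \
    -providerName AzureKeyVault \
    -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider
  if needs_module_path "$major"; then
    set -- "$@" "-J--module-path=$JCA_JAR" \
      "-J--add-modules=com.azure.security.keyvault.jca"
  fi
  # The secret is passed as a JVM system property, as in the post, so it is
  # visible in the process argument list while jarsigner runs.
  set -- "$@" "-J-Dazure.keyvault.uri=$KEYVAULT_URL" \
    "-J-Dazure.keyvault.tenant-id=$TENANT" \
    "-J-Dazure.keyvault.client-id=$CLIENT_ID" \
    "-J-Dazure.keyvault.client-secret=$CLIENT_SECRET"
  jarsigner "$@"
  # jarsigner -verify exits 0 even for an unsigned jar, so check its report.
  jarsigner -verify -verbose -certs "$JAR_OUT" | grep -q '^jar verified'
}

# Only run when asked explicitly, so the helpers can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
  sign_and_verify
fi
```

Export the variables named in the lead-in and run the script with `--run` from a CI step; a non-zero exit means signing or verification failed.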
Conclusion
By following these steps, you can easily integrate KeyVault JCA provider with Jarsigner. This method ensures a secure and efficient signing process using Azure KeyVault.
Clean up resources
To avoid Azure charges, you should clean up unnecessary resources.
az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
az ad app delete --id $CLIENT_ID
Next step with Azure Spring Apps
Azure Spring Apps is a fully managed service that helps Spring developers focus on code, not on infrastructure. Deploy any type of Spring app—including web apps, microservices, event-driven, serverless, and batch—without the need for Kubernetes.
By adopting the practices described in this blog, you can leverage Azure Spring Apps to secure your Java applications. This ensures a robust and secure software supply chain, enhancing the overall reliability and trustworthiness of your deployments.
Email Us
AzureSpringCloud-Talk@service.microsoft.com
Additional Resources
Continued investments in supply chain security in support of the cybersecurity Executive Order.
Learn using an MS Learn module or self-paced workshop on GitHub.
Deploy your first Spring app to Azure!
Deploy the demo Fitness Store Spring Boot app to Azure.
Deploy the demo Animal Rescue Spring Boot app to Azure.
Learn more about implementing solutions on Azure Spring Apps.
Deploy Spring Boot apps by leveraging enterprise best practices – Azure Spring Apps Reference Architecture.
Migrate your Spring Boot, Spring Cloud, and Tomcat applications to Azure Spring Apps.
Wire Spring applications to interact with Azure services.
For feedback and questions, please raise your issues on our GitHub.