From PKIX errors to a clean mTLS + Feign + IAM demo

Why this post

I started this mini‑project after seeing a common roadblock: PKIX path building failed when calling HTTPS services with OpenFeign. The goal was to create a tiny, runnable example that eliminates guesswork, shows how to configure client certificates and trust properly, and layers basic IAM policies on top.

Reference: https://stackoverflow.com/questions/79835509/unable-to-configure-ssl-context-for-open-feign-client-getting-pkix-error

What’s inside the example

- Two Spring Boot apps:
  - Server: HTTPS on 8443, requires client certs (mTLS), and recognizes/authorizes callers with Spring Security’s X.509 support.
  - Client: Spring Cloud OpenFeign calling the server via Apache HttpClient5 with a custom SSLContext.
- A one‑command cert toolchain (local CA → server/client certs → PKCS#12 keystores/truststores).
- An automated test script that runs a positive call (expected 200) and a negative call with an unauthorized client (expected 403).

Project (ready to publish here): ...

December 5, 2025 · 3 min · Özkan Pakdil

PostgreSQL Client Certificate Authentication: Complete Setup Guide for CN and one to one connection

Client certificate authentication in PostgreSQL provides a secure, passwordless way to authenticate users. Instead of relying on passwords, clients present valid X.509 certificates to prove their identity.

What to Configure

Server-Side Requirements

- SSL certificates: Server certificate + client certificates
- PostgreSQL SSL settings: Enable SSL and configure certificate paths
- Authentication rules: Configure pg_hba.conf for certificate-based auth
- User mapping: Link certificate Common Names to database users

Client-Side Requirements

- Client certificate: Valid X.509 certificate for the user
- Private key: Matching private key for the certificate
- Root certificate: Server’s certificate for verification
- Connection parameters: Proper SSL mode and certificate paths

How to Configure

1. Generate SSL Certificates

```bash
# Create SSL directory
mkdir -p /var/lib/postgresql/17/main/ssl
cd /var/lib/postgresql/17/main/ssl

# Generate server certificate
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=localhost"
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# Generate client certificate for user 'appuser'
openssl genrsa -out appuser.key 4096
openssl req -new -key appuser.key -out appuser.csr \
  -subj "/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=appuser"
openssl x509 -req -days 365 -in appuser.csr \
  -CA server.crt -CAkey server.key -CAcreateserial -out appuser.crt

# Set permissions
chown postgres:postgres *.crt *.key
chmod 600 *.key
chmod 644 *.crt
```

2. Configure PostgreSQL SSL Settings

Add to postgresql.conf: ...

July 15, 2025 · 6 min · Özkan Pakdil