In-memory keystore/truststore for Solace SCSt

Hi,

Per requirements, we have to use client authentication for our Java app's connection to Solace.
The cert may be self-signed, so we need to add the cert to both the keystore and the truststore.

May I know if in-memory keystore/truststore is supported for Solace SCSt binder?
If so, is there any sample I can take a look?

If not, we can still use the apiProperties SSL_TRUST_STORE/SSL_KEY_STORE to let the Solace SCSt binder use the specified keystore/truststore, am I right?

For example, in application.properties file:

  • spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_TRUST_STORE=<path_to_trust_store>
  • spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_TRUST_STORE_PASSWORD=<trust_store_password>

Thanks
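
The file-based variant the question describes, written out as an added example (this is not the original poster's configuration and not Solace's documentation). The binder name `solace_binder`, the host and VPN, the file paths and the env-var names in the `${...}` placeholders are assumptions; the property names under `apiProperties` are the JCSMP ones.

```properties
# Added example: mutual TLS for one binder in a multi-binder layout.
# Binder name, host, VPN, paths and env-var names are assumptions.
spring.cloud.stream.binders.solace_binder.type=solace
spring.cloud.stream.binders.solace_binder.environment.solace.java.host=tcps://broker.example.com:55443
spring.cloud.stream.binders.solace_binder.environment.solace.java.msgVpn=default

# Authenticate with the client certificate rather than username/password.
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.AUTHENTICATION_SCHEME=AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE

# Keystore holding the client cert chain and private key (JCSMP accepts jks or pkcs12).
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_KEY_STORE=/etc/solace/client.p12
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_KEY_STORE_FORMAT=pkcs12
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_KEY_STORE_PASSWORD=${SOLACE_KEY_STORE_PASSWORD}
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_PRIVATE_KEY_ALIAS=client
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_PRIVATE_KEY_PASSWORD=${SOLACE_KEY_STORE_PASSWORD}

# Truststore holding the broker's self-signed cert (or the CA that issued it).
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_TRUST_STORE=/etc/solace/truststore.p12
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_TRUST_STORE_FORMAT=pkcs12
spring.cloud.stream.binders.solace_binder.environment.solace.java.apiProperties.SSL_TRUST_STORE_PASSWORD=${SOLACE_TRUST_STORE_PASSWORD}

# Leave SSL_VALIDATE_CERTIFICATE at its default (true). A self-signed broker cert is
# handled by trusting it explicitly above, not by switching validation off.
```

The `${SOLACE_KEY_STORE_PASSWORD}` and `${SOLACE_TRUST_STORE_PASSWORD}` placeholders are resolved by Spring from environment variables at startup, so the store passwords stay out of the properties file and can come from the same secret-injection path as everything else. The client keystore can be built from PEM material with `openssl pkcs12 -export -inkey client.key -in client.crt -name client -out client.p12`; the alias given with `-name` is the one `SSL_PRIVATE_KEY_ALIAS` must match.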

Hi there, I’m Solly AI, I generate responses to your questions using the power of the Solace Agent Mesh:

Looking at the documentation, I can see that for Spring Cloud Stream with PubSub+ event broker, SSL/certificate configuration involves two main properties:

  1. solace.java.apiProperties.ssl_trust_store_password - for truststore configuration
  2. solace.java.clientPassword - for client authentication

However, the provided documentation only partially answers your question about keystore/truststore configuration in Spring Cloud Stream binder. The information about in-memory keystore support and specific SSL_TRUST_STORE/SSL_KEY_STORE API properties is not covered in the provided documentation.

For the available information about SSL configuration with Spring Cloud Stream, you can refer to:

For complete configuration details, please consult the Spring Cloud Stream Binder documentation in the Solace documentation.

To reply to the AI's reply: my question is not about the Solace Java API (but the Solace SCSt binder) or client password encryption.

In short, may I know if the following are supported for Solace SCSt binder?

  1. Authenticate Solace using client cert and trusted cert in in-memory keystore/truststore
  2. Authenticate using client cert and trusted cert in keystore/truststore file

If so, is there any sample I can take a look?

Thanks.

If from a store file, it seems I can follow this post:

How about the in-memory one, is it supported?
Thanks!

The Spring Cloud Stream Binder is a JCSMP application. In general, it allows you to set most of the JCSMP API properties in the broker connection.

SSL_IN_MEMORY_TRUST_STORE is what you are looking for and you would create an object in your Java code and pass it to that property. This would be set in your binder config under the apiProperties section like the SSL_TRUST_STORE in the thread you linked.

This is instead of the filepath-based trust store.

Hope this helps!

Did some searching: to use SSL_IN_MEMORY_TRUST_STORE, we should set a java.security.KeyStore object on the properties.

However, from my experience, the Solace SCSt lib connects to Solace during app start (during bean loading?) and the app simply fails to start if the connection fails. There seems to be no entry point for any code to set SSL_IN_MEMORY_TRUST_STORE before connecting to Solace.

So my questions become:

  1. Is there any entry point to set SSL_IN_MEMORY_TRUST_STORE in code before SCSt connects to Solace? (e.g. a callback), OR
  2. Any way to defer the Solace connection, so I can start the app → set SSL_IN_MEMORY_TRUST_STORE → connect to Solace?

More background:

My app is using the Solace SCSt lib and runs as containers on AWS EKS. Our usual way to handle secrets is to define them in AWS Secrets Manager, and we are able to get the values back as env vars in the container. The problem we face now is that we cannot find a way to pass the client cert in an env var to the Solace SCSt lib to connect to Solace.
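
The in-memory variant that the reply above names (SSL_IN_MEMORY_TRUST_STORE) and that the last post asks for an entry point for, as an added example; this is not code from the thread or from the Solace project. It assumes several things the thread does not confirm: that the Solace Spring Boot autoconfiguration uses an application-defined `SpringJCSMPFactory` bean instead of building its own, which is the entry point that runs before the binder connects; that this also holds for the multi-binder `spring.cloud.stream.binders.*` layout, where the binder gets its own context (verify against your binder version before relying on it); that JCSMP exposes an `SSL_IN_MEMORY_KEY_STORE` property alongside the `SSL_IN_MEMORY_TRUST_STORE` named in the reply; and that the secrets arrive as PEM strings in the env vars named in the code (names chosen here). The private key is expected as unencrypted PKCS#8 (`BEGIN PRIVATE KEY`).

```java
// Added example (not from the thread or the Solace project): build keystore and
// truststore in memory from PEM env vars and hand them to JCSMP before the binder
// connects, by supplying the SpringJCSMPFactory bean ourselves. Env-var names,
// the package name and the bean-override behaviour are assumptions.
package com.example.solace;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

import com.solacesystems.jcsmp.JCSMPProperties;
import com.solacesystems.jcsmp.SpringJCSMPFactory;

@Configuration
public class SolaceInMemoryMtlsConfig {

    // Assumed env-var names; values are what the container gets from Secrets Manager.
    private static final String CLIENT_CERT_ENV = "SOLACE_CLIENT_CERT_PEM";  // leaf cert (+ intermediates)
    private static final String CLIENT_KEY_ENV  = "SOLACE_CLIENT_KEY_PEM";   // unencrypted PKCS#8 key
    private static final String TRUST_CERT_ENV  = "SOLACE_TRUSTED_CERT_PEM"; // broker cert or its CA

    @Value("${solace.java.host}") private String host;            // must be a tcps:// URL
    @Value("${solace.java.msgVpn:default}") private String vpn;

    @Bean
    @Primary
    public SpringJCSMPFactory solaceJcsmpFactory() throws Exception {
        // JCSMP needs a password to unlock the key entry, but the store never touches
        // disk, so a random per-process value is enough and nothing has to store it.
        char[] keyPwd = randomPassword();

        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);  // fresh, empty, in-memory store
        keyStore.setKeyEntry("client", loadPkcs8Key(env(CLIENT_KEY_ENV)), keyPwd,
                loadCerts(env(CLIENT_CERT_ENV)).toArray(new Certificate[0]));

        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null);
        int i = 0;
        for (Certificate c : loadCerts(env(TRUST_CERT_ENV))) {
            trustStore.setCertificateEntry("trusted-" + i++, c);
        }

        JCSMPProperties props = new JCSMPProperties();
        props.setProperty(JCSMPProperties.HOST, host);
        props.setProperty(JCSMPProperties.VPN_NAME, vpn);
        props.setProperty(JCSMPProperties.AUTHENTICATION_SCHEME,
                JCSMPProperties.AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE);
        props.setProperty(JCSMPProperties.SSL_IN_MEMORY_KEY_STORE, keyStore);
        props.setProperty(JCSMPProperties.SSL_PRIVATE_KEY_ALIAS, "client");
        props.setProperty(JCSMPProperties.SSL_PRIVATE_KEY_PASSWORD, new String(keyPwd));
        props.setProperty(JCSMPProperties.SSL_IN_MEMORY_TRUST_STORE, trustStore);
        // SSL_VALIDATE_CERTIFICATE is left at its default (true): the self-signed
        // broker cert is trusted explicitly above, not by disabling validation.
        return new SpringJCSMPFactory(props);
    }

    private static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isBlank()) {
            throw new IllegalStateException("missing required env var " + name);
        }
        return v;
    }

    /** Every certificate in a PEM bundle, in the order they appear. */
    private static Collection<? extends Certificate> loadCerts(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Unencrypted PKCS#8 PEM to a PrivateKey; RSA first, then EC. */
    private static PrivateKey loadPkcs8Key(String pem) throws Exception {
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            // PKCS#1 ("BEGIN RSA PRIVATE KEY") or encrypted keys are rejected up front
            // rather than failing later with an unhelpful base64 or ASN.1 error.
            throw new IllegalArgumentException("expected an unencrypted PKCS#8 key (BEGIN PRIVATE KEY)");
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException notRsa) {
            return KeyFactory.getInstance("EC").generatePrivate(spec);
        }
    }

    private static char[] randomPassword() {
        byte[] b = new byte[24];
        new SecureRandom().nextBytes(b);
        return Base64.getEncoder().encodeToString(b).toCharArray();
    }
}
```

Because the bean is created by Spring before the binder asks for a session factory, the KeyStore objects exist before the first connection attempt, which is the ordering the last post could not find a hook for. Two caveats a reviewer would raise: environment variables are readable by any process running as the same user in the container (and by anything that can read `/proc/<pid>/environ`), so a private key delivered this way is only as private as the container; and with `@Value` the `solace.java.host` and `solace.java.msgVpn` properties must be defined at the top level (or the code adapted to the binder's `environment.*` keys) since the bean no longer reads the binder's own environment.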