Quarkus Rest Client MTLS configuration guide

[leaqui]

Describe the bug

The documentation for setting up MTLS on REST clients disappeared from rest client guide at https://es.quarkus.io/version/main/guides/rest-client.

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

https://stackoverflow.com/questions/78460678/quarkus-rest-client-mtls-configuration-guide

[quarkus-bot]

/cc @cescoffier (rest-client), @geoand (rest-client), @radcortez (config)

[cescoffier]

The configuration is likely going to change (the current one will still be working) following the TLS config centralization work.

[leaqui]

Hi @cescoffier

But where is the current doc?

[mschorsch]

@leaqui https://quarkus.io/guides/security-authentication-mechanisms#mutual-tls

[leaqui]

but this is for client-side?

[mschorsch]

You are right, my fault.

[mschorsch]

The only documentation I have found is in the MicroProfile Rest Client documentation.

• https://download.eclipse.org/microprofile/microprofile-rest-client-2.0/microprofile-rest-client-spec-2.0.html#_trust_store
• https://download.eclipse.org/microprofile/microprofile-rest-client-2.0/microprofile-rest-client-spec-2.0.html#_key_store

Should probably be configured as follows (#22293 (comment) and https://quarkus.io/blog/quarkus-mutual-tls/#configure-microprofile-rest-client-for-mutual-tls):

# truststore config
org.acme.client.mtls.GreetingService/mp-rest/trustStore=classpath:/META-INF/resources/client.truststore.p12
org.acme.client.mtls.GreetingService/mp-rest/trustStoreType=PKCS12 # or JKS
org.acme.client.mtls.GreetingService/mp-rest/trustStorePassword=password

# keystore config
org.acme.client.mtls.GreetingService/mp-rest/keyStore=classpath:/META-INF/resources/client.keystore.p12
org.acme.client.mtls.GreetingService/mp-rest/keyStoreType=PKCS12 # or JKS
org.acme.client.mtls.GreetingService/mp-rest/keyStorePassword=password

[mschorsch]

As an alternative you could use the vert.x web client: https://quarkus.io/guides/vertx#using-vert-x-clients

WebClientOptions options = new WebClientOptions()
    .setSsl(true)
    .setPemKeyCertOptions(new PemKeyCertOptions()
        .addCertPath("path/to/cert.pem")
        .setKeyPath("path/to/key.pem"))
    .setTrustOptions(new PemTrustOptions()
        .addCertPath("path/to/cert.pem"));

WebClient client = WebClient.create(vertx, options);

[leaqui]

Also, properties are listed at: https://es.quarkus.io/guides/all-config#quarkus-rest-client-config_quarkus-rest-client-config-rest-clients-config

But I think lost MTLS configuration doc (or a link to) at REST client guide is useful.

[geoand]

Do you remember anything from the docs contents so we can look through the git history?

[leaqui]

I'm sure it was at https://quarkus.io/guides/rest-client but I can't find it at history.

I think the section title was something like Mutual - TLS

The section had a configuration block with properties like:
quarkus.rest-client.config-key.trust-store
quarkus.rest-client.config-key.trust-store-password

quarkus.rest-client.config-key.key-store
quarkus.rest-client.config-key.key-store-password

Similar to https://es.quarkus.io/guides/security-openid-connect-client-reference#mutual-tls

[geoand]

I had no luck in locating it unfortunately

[leaqui]

No matter, I think adding something like https://es.quarkus.io/guides/security-openid-connect-client-reference#mutual-tls would be fine.

[cescoffier]

Let's wait until the new mechanism is in place before adding anything, or I will have to change it in a few weeks.