This sample illustrates how to use azure-security-keyvault-jca.jar via command line in client side.
- This sample contains a simple web client function.
jdk 17 or above
- Start the server side sample. Please refer to server side tutorial.
- Open terminal and enter the folder where the pom.xml is and run
mvn package
. In the target folder there is a run-with-command-line-client-1.0.0.jar generated. - Get a copy of the JCA configuration file.
- Linux: /lib/security/java.security
- MacOS Big Sur: /conf/security/java.security
- Windows: \conf\security\java.security
- Edit your copy of the JCA configuration file. Add a new item: KeyVaultJcaProvider
security.provider.1=SUN security.provider.2=SunRsaSign security.provider.3=SunEC security.provider.4=SunJSSE security.provider.5=SunJCE security.provider.6=SunJGSS security.provider.7=SunSASL security.provider.8=XMLDSig security.provider.9=SunPCSC security.provider.10=JdkLDAP security.provider.11=JdkSASL security.provider.12=Apple security.provider.13=SunPKCS11 # Next line is the new added item. security.provider.14=com.azure.security.keyvault.jca.KeyVaultJcaProvider
- Get the azure-security-keyvault-jca.jar. You can download the latest published jar from maven repository azure-security-keyvault-jca. When this document is written, the latest jar is azure-security-keyvault-jca-2.10.0.jar
- Make a directory, for example, sample_client. Then put the 3 files into sample_client folder
- java.security
- run-with-command-line-client-side-1.0.0.jar
- azure-security-keyvault-jca-2.10.0.jar
- Create the key vault and certificates, please refer to create key vault and certificates. Create service principal and add a secret, please refer to register app with Microsoft Entra ID.
- Create a new Access policy for the service principal created in the previous step, including the Get and List permissions of the Secret permissions, and the Get and List permissions of the Certificate permissions.
- Replace properties
<yourAzureKeyVaultUri>
,<yourTenantID>
,<youClientID>
,<yourSecretValue>
with your created resources in the following command, open terminal and enter the directory sample_client, run the changed command:If you have run the server side with client authentication needed, please use the following command instead of the above to run the client side:java \ --module-path ./azure-security-keyvault-jca-2.10.0.jar \ --add-modules com.azure.security.keyvault.jca \ -Dsecurity.overridePropertiesFile=true \ -Djava.security.properties==./java.security \ -Djavax.net.ssl.trustStoreType=AzureKeyVault \ -Dazure.keyvault.uri=<yourKeyVaultURI> \ -Dazure.keyvault.tenant-id=<yourTenantID> \ -Dazure.keyvault.client-id=<yourClientID> \ -Dazure.keyvault.client-secret=<yourSecretValue> \ -jar run-with-command-line-client-side-1.0.0.jar
java \ --module-path ./azure-security-keyvault-jca-2.10.0.jar \ --add-modules com.azure.security.keyvault.jca \ -Dsecurity.overridePropertiesFile=true \ -Djava.security.properties==./java.security \ -Djavax.net.ssl.trustStoreType=AzureKeyVault \ -Djavax.net.ssl.keyStoreType=AzureKeyVault \ -Dazure.keyvault.uri=<yourKeyVaultURI> \ -Dazure.keyvault.tenant-id=<yourTenantID> \ -Dazure.keyvault.client-id=<yourClientID> \ -Dazure.keyvault.client-secret=<yourSecretValue> \ -jar run-with-command-line-client-side-1.0.0.jar
- Check the output. The client will be started and connect to the server side after a while, you will see "Hello World!".
- (Optional) You can also use the KeyVaultKeyStore with local certificates.
- For example, there are some well known CAs. You can put them into a folder, then configure the
system property azure.cert-path.well-known=<yourFolderPath>. The certificates in this folder
will be loaded by KeyVaultKeystore. If you don't configure such a property, the default
well-known path will be
/etc/certs/well-known/
. - Besides, the well-known path, you can also put your customized certificates into another folder
specified by azure.cert-path.custom=<yourCustomPath>, by default, the custom path is
/etc/certs/custom/
. - You can also put certificates under the class path, build a folder named
keyvault
and configure it under the class path, then all the certificates in this folder will be loaded by key vault keystore.
- For example, there are some well known CAs. You can put them into a folder, then configure the
system property azure.cert-path.well-known=<yourFolderPath>. The certificates in this folder
will be loaded by KeyVaultKeystore. If you don't configure such a property, the default
well-known path will be
Now that you have the Spring Boot application running locally, it's time to move it to production. Azure Spring Apps makes it easy to deploy Spring Boot applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. To deploy your application to Azure Spring Apps, see Deploy your first application to Azure Spring Apps.