How is SSL configured in the overall Broadleaf ecosystem?

Overview

With an Initializr-based project, Broadleaf generates an initial starting point with sensible, secure defaults, allowing you, the implementor, to dial security up where needed or to make a conscious choice to dial down certain security measures where that is appropriate for your needs. One of the defaults the Initializr-based project sets up for you is a set of pre-generated inter-service SSL certs.

More information about this process can be found here: Broadleaf Dev Central

Specifically, these certs would handle communication within the Broadleaf ecosystem, such as:

  • Gateways → Flex Packages
  • Flex Packages → Flex Packages
  • Flex Packages → Utility Services
  • etc…

Ingress and Gateway Interactions

Broadleaf does not ship with an Ingress. It will be up to the implementation to configure how the Broadleaf endpoints and services will be exposed for their needs.

With that said, unless changed, the default Helm charts for both GATEWAYS (i.e. admingateway and commercegateway) set the ENV property SERVER_SSL_ENABLED: false. Requests from your chosen ingress to the gateways will therefore use port 80, not 443. We turn off SSL on the gateways by default because:

  • typically SSL terminates at the ingress
  • the gateways can generate a self-signed cert (as mentioned above), but it would be up to the implementation to install the CA certificate onto whatever ingress is used; to make this easier, the default Helm charts disable SSL for the GATEWAYS ONLY

Steps to Disable SSL behind the Ingress

If you wish to disable SSL for ALL inter-service communication (e.g. you are running the services behind an appropriately firewalled or secure/isolated environment), you can follow the guidance below for the different types of resources:

Spring Boot Resource Services

For the majority of the backend Java Spring Boot microservices, you will notice that the generated keystore and truststore files are placed in your security directory. Any credentials used to authenticate with the keystore and truststore are encrypted and placed in your config folder, which contains both a secure and an insecure folder.

So, to disable SSL with these defaults, disable SSL at the Spring service layer by adding the following configuration to your application configuration files:

server:
  ssl:
    enabled: false

React Storefront and Admin Console

The storefront and admin starters come pre-configured with a Node server that listens on HTTPS by default. To disable this, look at your main Node sample Express server configuration file (e.g. index.js), remove the references to https and replace them with http. Your server initialization script may then look something like:

const http = require('http'); // previously require('https')

// `app`, `PORT`, `GATEWAY_PORT`, `GATEWAY_HOST` and `logger` are defined earlier in the
// sample server file. The options object that carried the key/cert for https is no longer needed.
http
  .createServer(app)
  .listen(PORT, function() {
    logger.info(
      `Express is now listening on port ${PORT} and the gateway on port ${GATEWAY_PORT}.`
    );
    logger.info(
      `The application should be accessible at ${GATEWAY_HOST}:${GATEWAY_PORT}.`
    );
  });

Gateway Routes

Now that all the backing services have been updated to listen on HTTP, you’ll also want to make sure that all the Gateway routes are updated accordingly. For example, on the storefront “commerce gateway”, update all applicable route configurations to something like:

NOTE: with Initializr, these gateway routes can be found in the generated config/insecure/gateway-local.yml and config/insecure/gateway-cloud.yml files.

broadleaf:
  gateway:
    proxyurls:
      asset: http://localhost:8447
      authapi: http://localhost:8080
      auth: http://localhost:8080
      campaign: http://localhost:8451
      cartoperation: http://localhost:8447
      catalog: http://localhost:8447
      commerceweb: http://localhost:4000
      menu: http://localhost:8447
      offer: http://localhost:8447
      personalization: http://localhost:8447
      pricing: http://localhost:8447
      sandbox: http://localhost:8447
      search: http://localhost:8447
      tenant: http://localhost:8447
      customer: http://localhost:8447
      catalogbrowse: http://localhost:8447
      notification: http://localhost:8447
      inventory: http://localhost:8447
      orderoperation: http://localhost:8447
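A route that still says https after the backing service has dropped SSL fails at the gateway, so it is worth checking the proxyurls block mechanically. The following is an added example, not Broadleaf's own code: a small Python check over a constructed gateway-local.yml fragment that reports routes whose scheme disagrees with server.ssl.enabled, and backends referenced over both schemes. It uses a minimal line parser rather than a YAML library, and the sample routes and ports are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample gateway-local.yml fragment: two routes (asset, commerceweb) were missed when SSL was switched off.
SAMPLE_GATEWAY_YML = """\
broadleaf:
  gateway:
    proxyurls:
      asset: https://localhost:8447
      authapi: http://localhost:8080
      auth: http://localhost:8080
      commerceweb: https://localhost:4000
      catalog: http://localhost:8447
      cartoperation: http://localhost:8447
"""

ROUTE_RE = re.compile(r"^\s+([A-Za-z0-9_-]+):\s*(https?://\S+)\s*$")

def parse_proxyurls(text):
    """Return {route: url} for the lines nested under 'proxyurls:' (minimal parser, not YAML)."""
    routes, in_block, block_indent = {}, False, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "proxyurls:":
            in_block, block_indent = True, indent
            continue
        if in_block:
            if indent <= block_indent:
                in_block = False  # dedent: left the proxyurls mapping
                continue
            m = ROUTE_RE.match(line)
            if m:
                routes[m.group(1)] = m.group(2)
    return routes

def find_scheme_mismatches(routes, ssl_enabled):
    """Routes whose URL scheme disagrees with server.ssl.enabled on the backing services."""
    expected = "https" if ssl_enabled else "http"
    return sorted(name for name, url in routes.items() if urlsplit(url).scheme != expected)

def find_mixed_backends(routes):
    """host:port targets reached over both http and https; one of the two routes is wrong."""
    schemes = {}
    for url in routes.values():
        parts = urlsplit(url)
        schemes.setdefault(parts.netloc, set()).add(parts.scheme)
    return sorted(host for host, seen in schemes.items() if len(seen) > 1)
```

Run it against the real config/insecure/gateway-local.yml and gateway-cloud.yml with ssl_enabled set to whatever server.ssl.enabled is in the service configuration; an empty result from both checks means the routes agree with the services.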