Skip to content

Add first-class mutual TLS support to AxonServerConnectionFactory#501

Merged
smcvb merged 2 commits into
masterfrom
feature/mtls-client-certificates
Jul 16, 2026
Merged

Add first-class mutual TLS support to AxonServerConnectionFactory#501
smcvb merged 2 commits into
masterfrom
feature/mtls-client-certificates

Conversation

@abuijze

@abuijze abuijze commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Client certificates could previously only be configured by hand-building a shaded-Netty SslContext. This adds file-based convenience methods to the builder:

  • useTransportSecurity(File trustedCertificates) — TLS with a custom CA bundle for verifying the server certificate
  • useMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey) — mTLS with JVM-default server trust
  • useMutualTransportSecurity(File clientCertificateChain, File clientPrivateKey, File trustedCertificates) — mTLS with a custom CA bundle

Contexts are built via GrpcSslContexts for correct ALPN/HTTP2 configuration. All methods are self-contained (one call = complete TLS config, last call wins), consistent with the existing useTransportSecurity semantics. Null or unreadable files fail immediately with a clear exception. Files are PEM, keys PKCS#8, read once at build time.

Testing

MutualTlsConnectionTest verifies end-to-end against a stub PlatformService gRPC server requiring client authentication: connects with a trusted client certificate, fails without one, and trust-only TLS works when client auth isn't required.

Primary use case: connecting through Axon Server Proxy with proxy.tlsClientAuth=REQUIRE (AxonIQ/axon-server-proxy#22).

Client certificates could previously only be configured by hand-building
a shaded-Netty SslContext. This adds convenience methods to the builder:

- useTransportSecurity(File trustedCertificates): TLS with a custom CA
  bundle to verify the server certificate
- useMutualTransportSecurity(File clientCertificateChain,
  File clientPrivateKey[, File trustedCertificates]): mTLS, presenting
  the given client certificate during the handshake, optionally with a
  custom CA bundle (JVM default trust otherwise)

SslContexts are built via GrpcSslContexts to get the correct ALPN/HTTP2
configuration. Verified end-to-end against a stub PlatformService gRPC
server requiring client authentication.

@smcvb smcvb left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bunch of minor comments to tackle before we can go ahead I think. Nothing major though, so should be easy to tackle.

Comment thread src/main/java/io/axoniq/axonserver/connector/AxonServerConnectionFactory.java Outdated
Comment thread src/main/java/io/axoniq/axonserver/connector/AxonServerConnectionFactory.java Outdated
Comment thread src/main/java/io/axoniq/axonserver/connector/AxonServerConnectionFactory.java Outdated
Comment thread src/main/java/io/axoniq/axonserver/connector/AxonServerConnectionFactory.java Outdated
Comment thread src/main/java/io/axoniq/axonserver/connector/AxonServerConnectionFactory.java Outdated
Adds the missing copyright notice, updates the header year, uses
requireNonNull for null checks, documents that transport security
methods overwrite earlier invocations, and corrects the javadoc on
when certificate files are read.
@sonarqubecloud

Copy link
Copy Markdown

@abuijze
abuijze requested a review from smcvb July 15, 2026 15:55

@smcvb smcvb left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My concerns have been addressed, hence I'm approving this pull request.

@smcvb
smcvb merged commit 7ff95a0 into master Jul 16, 2026
5 checks passed
@smcvb
smcvb deleted the feature/mtls-client-certificates branch July 16, 2026 14:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants