Visit Azul.com Support

Configuring Cloud Native Compiler with SSL Authentication

While you can use Cloud Native Compiler (CNC) without SSL authentication for development and evaluation, it is highly recommended that you run your production CNC services with SSL authentication.

To enable SSL authentication on your CNC services:

  1. Prepare your SSL certificate. In order to enable SSL encryption of the communication between the JVM and Connected Compiler Service, you will need to provide a certificate and a corresponding private key in the pem format. Place files named cert.pem and key.pem in the <cnc-install-dir>/ssl-certificate directory.

    Note
    The common name field in the certificate must match the domain name, to which your JVMs will be connecting. Otherwise there may be issues when connecting.
  2. From the <cnc-install-dir>/kubernetes diretory, use the following command to provision your CNC service:

     
    kubectl apply -n compiler -k overlays/ssl-direct

Running Azul Zulu Prime JDK Clients with SSL

By default, the Azul Zulu Prime JDK connects to the CNC service using SSL. If you installed the base configuration of CNC service which does not use SSL, you must use the -XX:+CNCInsecure flag to instruct the Azul Zulu Prime JDK to connect without SSL.

If you attempt to connect to a CNC service that is running without SSL and do not specify the -XX:+CNCInsecure flag, you get the following error:

 
E1011 13:16:23.198074100 29 ssl_transport_security.cc:1446] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

To connect to the CNC service using SSL, make sure the service certificate is trusted by the client server where you run Azul Zulu Prime JDK. This can be achieved by having the certificate signed by a publicly trusted certificate authority. If you have an internal CA trusted within the company infrastructure, make sure it is trusted.

The exact process depends on your OS distribution. Follow the instructions for your OS distribution to register the certificate on your client server. For example, on Ubuntu-based distributions you run the following command:

 
sudo openssl x509 -in <path to cert.pem> -inform PEM -out /usr/local/share/ca-certificates/cert.crt sudo update-ca-certificates

Alternatively, you can explicitly instruct Azul Zulu Prime JDK to use and trust a specified certificate on the filesystem by using the -XX:CNCSSLRootsPath=<path to cert.pem> flag.

If certificate validation fails, your .pem file is missing or does not match the certificate that you uploaded to the CNC service, you get the following error:

 
[1.856s][info][concomp] [gRPCEvent] read error! [1.856s][info][concomp] [gRPC processing] BidiStreamWrapper is dying, finishing stream 0x7fbec00180f0 with status: failed to connect to all addresses (14)