Issue/204 207 trusted cas #345
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Default trusted CAs (root, issuing or chains - root and issuing) are now stored as separate files in folders of the bpe, bpe_proxy, fhir and fhir_proxy docker images. The config parameters of the fhir and bpe servers can be configured with a folder containing (*.pem, *.crt) files or a single file with multiple pem encoded CAs. By default a folder is configured, allowing additions or full override via docker bind mount, but a single custom file can still be configured. The fhir_proxy and bpe_proxy images have now default folders configured via the SSL_CA_DN_REQUEST_PATH and SSL_CA_CERTIFICATE_PATH environment variables. The matching ..._PATH variables are ignored if SSL_CA_DN_REQUEST_FILE or SSL_CA_CERTIFICATE_FILE point to existing files. This change also enablsd addition or replacement via docker bind mount and configuration of single files via the ...FILE variables. The symlinks with sha1 hashes of a canonicalized form of the subject DN string needed for apache httpd are created during container startup.
BPE should not crash if a process plugins has a miss configured ProcessPluginDefinition that breaks the jvm service loader, but specific plugin should be ignored.
This was
linked to
issues
Aug 31, 2025
Adds new FhirClientConfigProvider to the API with access to client configs (moved from FhirClientProvider), the default client config trust store and a method to create a SSLContext based on the default trust store. New integration test for config provider.
* disabled annotation processor from log4j2-core by disabling all annotations processors in modules with a log42-core dependency * mockito-core configured as java agent for tests in modules where needed * added missing deprecation annotations * fixed bad method signatures in classes implementing HAPIs IValidationSupport interface * removed not needed method with potentially unsafe var-arg * configured maven-resources-plugin propertyEncoding and fixed BuildInfoReaderImpl to use UTF-8
wetret
approved these changes
Sep 5, 2025
jaboehri
approved these changes
Sep 5, 2025
Member
Author
The private Nevertheless renamed to createClientKeyStore via 95b95e3 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Default trusted CAs are now stored as separate files.
SSL_CA_DN_REQUEST_PATHandSSL_CA_CERTIFICATE_PATHenvironment variables. The matching..._PATHvariables are ignored ifSSL_CA_DN_REQUEST_FILEorSSL_CA_CERTIFICATE_FILEpoint to existing files. This change also enables addition or replacement via docker bindmount and configuration of single files via the
...FILEvariables.FhirClientConfigProviderto the API with access to client configs (moved from FhirClientProvider), the default client config trust store and a method to create an SSLContext based on the default trust store.closes #204
closes #207