How to zitify a spring-boot application

My end goal for this project is to use the ziti spring-boot sample to zitify an azure web application I’ve blocked my ip from accessing the service

However, before I jump into zitifying the azure web app I’d like to test the spring-boot sample by trial and error. I’ve cloned the code then I ran gradle bootRun. This came back with
Failed to parse keystore
This was because the application.properties file was missing

ziti.id <ziti.id>
ziti.serviceName <ziti.serviceName>

@ekoby helped me get past this issue.

For mac users you will want to visit. Download the correct version of the ziti cli. Then move the binaries to /usr/local/bin (make sure the binaries are executable). Then you’ll want to run

ziti edge enroll \
    --jwt my_file.jwt \
    --out my_config

This should return

INFO    generating 4096 bit RSA key                  
INFO    enrolled successfully. identity file written to: my_config

Next you’ll need to update the application.properties file

ziti.id = /Users/evangertis/Downloads/my_config
ziti.serviceName = core-management-service

After completing those steps I ran
gradle bootRun again and I ran into Caused by: java.net.BindException: no permission to bind to service[core-management-sandbox]. This is most likely related to a policy error. Any help with this would be greatly appreciated.

That would seem to me like you don’t have a “Bind” service-policy. Using the ziti CLI tool - issue: ziti edge policy-advisor identities and look for the “server” identity. Does that identity have bind ?

Here’s an example of that looks like for reference:

OKAY : reflectServerId (1) -> reflect (1) Common Routers: (1/1) Dial: N Bind: Y
1 Like

I did not receive

OKAY : reflectServerId (1) -> reflect (1) Common Routers: (1/1) Dial: N Bind: Y

I ran

evangertis@Evans-MacBook-Pro-2 ziti-spring-boot % ziti edge policy-advisor identities                                                    

Policy General Guidelines
  In order for an identity to dial or bind a service, the following must be true:
    - The identity must have access to the service via a service policy of the correct type (dial or bind)
    - The identity must have acces to at least one on-line edge router via an edge router policy
    - The service must have access to at least one on-line edge router via a service edge router policy
    - There must be at least one on-line edge router that both the identity and service have access to.

Then I checked that if the identity has access to the listed service.

Then I checked if the identity had access to at least one online edge router.
{limitations on media prevented the screenshot from being uploaded}
Screen Shot 2021-12-29 at 9.02.06 AM|690x413

Then I checked if the service had access to an online edge-router via service policy.
{limitations on media prevented the screenshot from being uploaded}
Screen Shot 2021-12-29 at 9.05.38 AM|690x413

Finally, I checked

panic: no identity 'default' found in cli config /Users/evangertis/.ziti/ziti-cli.json

via

evangertis@Evans-MacBook-Pro-2 ziti-spring-boot % ls /Users/evangertis/.ziti/                                                         
ziti-cli.json

full policy advisor output

evangertis@Evans-MacBook-Pro-2 ziti-spring-boot % ziti edge policy-advisor identities                                                    

Policy General Guidelines
  In order for an identity to dial or bind a service, the following must be true:
    - The identity must have access to the service via a service policy of the correct type (dial or bind)
    - The identity must have acces to at least one on-line edge router via an edge router policy
    - The service must have access to at least one on-line edge router via a service edge router policy
    - There must be at least one on-line edge router that both the identity and service have access to.

Policy Advisor Output Guide:
  STATUS = The status of the identity -> service reachability. Will be OKAY or ERROR. 
  ID = identity name
  ID ROUTERS = number of routers accessible to the identity via edge router policies.
    - See edge router polices for an identity: ziti edge controller list identity edge-router-policies <identity>
  SVC = service name
  SVC ROUTERS = number of routers accessible to the service via service edge router policies.
    - See service edge router policies for a service with: ziti edge controller list service service-edge-router-policies <service>
  ONLINE COMMON ROUTERS = number of routers the identity and service have in common which are online.
  COMMON ROUTERS = number of routers (online or offline) the identity and service have in common.
  DIAL_OK = indicates if the identity has permission to dial the service.
    - See service polices for a service  : ziti edge controller list service service-policies <service>
    - See service polices for an identity: ziti edge controller list identity service-policies <identity>
  BIND_OK = indicates if the identity has permission to bind the service.
  ERROR_LIST = if the status is ERROR, error details will be listed on the following lines

Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST
-------------------------------------------------------------------------------
panic: no identity 'default' found in cli config /Users/evangertis/.ziti/ziti-cli.json

goroutine 1 [running]:
github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge.runPolicyAdvisorForIdentities(0xc000395cb0)
        github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge/policy_advisor.go:211 +0x22b
github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge.runIdentitiesPolicyAdvisor(0xc000395cb0)
        github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge/policy_advisor.go:137 +0x97
github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge.newPolicyAdvisorIdentitiesCmd.func1(0xc0004a9400, {0x66c8a58, 0x0, 0x0})
        github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge/policy_advisor.go:67 +0x70
github.com/spf13/cobra.(*Command).execute(0xc0004a9400, {0x66c8a58, 0x0, 0x0})
        github.com/spf13/cobra@v1.2.1/command.go:860 +0x5f8
github.com/spf13/cobra.(*Command).ExecuteC(0x6674b80)
        github.com/spf13/cobra@v1.2.1/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v1.2.1/command.go:902
github.com/openziti/ziti/ziti/cmd/ziti/cmd.Execute()
        github.com/openziti/ziti/ziti/cmd/ziti/cmd/cmd.go:79 +0x38
main.main()
        github.com/openziti/ziti/ziti/cmd/ziti/main.go:24 +0x17

The screenshot you shared is from the netfoundry console - help with netfoundry console issues can be found at the other discourse: https://community.netfoundry.io/

That said - looking at your policy advisor output - it seems quite incomplete. can you post the full output?

@dovholuknf Thank you I’ve updated it.

Delete the file at /Users/evangertis/.ziti/ziti-cli.json and login via the ziti cli again. if that fails make an empty json file at that location and try again

1 Like

Thank you @dovholuknf! I was able to start the project after removing the maxPerm size, changing buildForAndroid=false to false in the gradle.properties file, and pulling the latest code changes from @ekoby for ziti-sdk-jvm/ziti-springboot at main · openziti/ziti-sdk-jvm · GitHub.