Enhance WebClient TLS Configuration for Secure Connections to OKAPI

Description

To ensure secure communication between the FOLIO edge-orders module and OKAPI servers, the WebClient utilized must be capable of establishing secured connections using TLS. This enhancement is aimed at providing robust, configurable TLS support, allowing for flexible trust management based on the environment in which the WebClient operates.

Requirements:

  1. TLS Configuration:

    • Introduce a boolean configuration parameter (webClientEnableTLS for example) to toggle TLS for the WebClient.

    • Implement logging for TLS activation to ensure traceability and aid in debugging.

  2. Trust Store Management:

    • Provide a configuration parameter (webClientTrustStorePath for example) to specify the file path for the trust store when required.

    • Include a parameter (webClientTrustStorePassword for example) for the password needed to access the trust store.

    • Ensure that the system can accept and correctly handle the JKS format of trust stores.

  3. Support for Public Trusted Certificates:

    • The WebClient should automatically support connections to servers using certificates from Public Trusted Certificate Authorities (CAs) without requiring a specific trust store configuration.

    • This includes configurations for environments where Web/HTTP clients communicate through AWS Application Load Balancers (ALBs), which use certificates issued by trusted CAs. In such cases, the WebClient should operate without a specified trust store.

  4. Documentation and Examples:

    • Provide comprehensive documentation covering the setup and configuration of TLS and trust store management in the WebClient.

    • Include example configurations demonstrating how to enable TLS, configure a trust store, and connect to servers with both private and public certificates.

  5. Testing:

    • Develop unit and integration tests to verify that the WebClient can successfully connect using both secured and non-secured configurations.

    • Test scenarios should include connections to endpoints with self-signed certificates, private CA certificates, and certificates from public CAs.

    • Ensure that all configurations are covered, including those without a trust store.

  6. Error Handling:

    • Implement clear, user-friendly error messages for common misconfigurations or TLS errors.

    • Ensure the WebClient gracefully handles incorrect or missing trust store paths or passwords.
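As an added illustration, not code from the edge-orders project, the Java below builds Vert.x `WebClientOptions` from the three parameters named in requirements 1 and 2, falls back to the JVM default trust store when no path is given (requirement 3), and rejects a missing file or password with an explicit message (requirement 6). It assumes edge-orders creates its OKAPI client with the Vert.x WebClient and logs through SLF4J; the class and method names are hypothetical.

```java
import io.vertx.core.Vertx;
import io.vertx.core.net.JksOptions;
import io.vertx.ext.web.client.WebClient;
import io.vertx.ext.web.client.WebClientOptions;
import java.nio.file.Files;
import java.nio.file.Path;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical helper: maps webClientEnableTLS / webClientTrustStorePath / webClientTrustStorePassword to WebClientOptions. */
public final class TlsWebClientFactory {
  private static final Logger LOG = LoggerFactory.getLogger(TlsWebClientFactory.class);

  private TlsWebClientFactory() {}

  public static WebClientOptions tlsOptions(boolean enableTls, String trustStorePath, String trustStorePassword) {
    WebClientOptions options = new WebClientOptions();
    if (!enableTls) {
      LOG.info("TLS for the OKAPI WebClient is disabled (webClientEnableTLS=false)");
      return options;
    }
    // Enable TLS and always verify that the server certificate matches the OKAPI hostname.
    options.setSsl(true).setVerifyHost(true);
    if (trustStorePath == null || trustStorePath.isBlank()) {
      // No trust store configured: the JVM default store already holds the public CA roots,
      // which covers OKAPI behind an AWS ALB that presents a publicly trusted certificate.
      LOG.info("TLS enabled for the OKAPI WebClient using the JVM default trust store");
      return options;
    }
    Path path = Path.of(trustStorePath);
    if (!Files.isRegularFile(path)) {
      throw new IllegalArgumentException(
        "webClientTrustStorePath does not point to a readable file: " + trustStorePath);
    }
    if (trustStorePassword == null || trustStorePassword.isEmpty()) {
      throw new IllegalArgumentException(
        "webClientTrustStorePassword is required when webClientTrustStorePath is set");
    }
    // Private-CA or self-signed server certificates are trusted via the operator-supplied JKS store.
    options.setTrustOptions(new JksOptions().setPath(path.toString()).setPassword(trustStorePassword));
    LOG.info("TLS enabled for the OKAPI WebClient using JKS trust store {}", path);
    return options;
  }

  public static WebClient create(Vertx vertx, boolean enableTls, String trustStorePath, String trustStorePassword) {
    return WebClient.create(vertx, tlsOptions(enableTls, trustStorePath, trustStorePassword));
  }
}
```

A wrong trust store password is not detectable at this point; it surfaces when Vert.x opens the store, so the connect failure should be logged with the configured path to keep it diagnosable.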

Acceptance Criteria:

  • The WebClient must support enabling and disabling TLS through configuration.

  • It must handle both specified and default trust stores correctly.

  • Connections through AWS ALBs without specifying a trust store must be supported and function correctly.

  • All functionalities must be validated by tests that confirm the WebClient operates as expected under various security configurations.

  • Documentation must be clear, detailed, and provide actionable guidance for setting up secure connections.

Environment

None

Potential Workaround

None

Checklist


Activity

Serhii_Nosko May 31, 2024 at 1:19 PM

Verified with karate tests, there were not any failures with edge-orders, closing this ticket.

JenkinsNotifications May 29, 2024 at 11:33 AM

Deployed to the Quesnelia bf env. Moved status to In bugfix review from status Awaiting deployment. Please proceed with the verification.

Serhii_Nosko May 24, 2024 at 4:31 PM

Edge-orders with SSL/TLS support has been released:

edge-orders v3.0.1 released

Closing this ticket.

Done

Details

Development Team

Thunderjet

Release

Quesnelia (R1 2024) Bug Fix

Created May 6, 2024 at 7:19 PM
Updated May 31, 2024 at 1:19 PM
Resolved May 24, 2024 at 4:33 PM