CLOUD-294 Keystore key password for SSL
wdecoste committed Oct 13, 2017
1 parent 98d343c commit 35e7be3
Showing 11 changed files with 127 additions and 6 deletions.
6 changes: 5 additions & 1 deletion os-amq-launch/added/configure.sh
Expand Up @@ -115,9 +115,13 @@ function configureSSL() {
keyStorePath="$sslDir/$keyStoreFile"
trustStorePath="$sslDir/$trustStoreFile"

if [ -n "$AMQ_KEY_PASSWORD" ]; then
keyPassword="keyStoreKeyPassword=\"$AMQ_KEY_PASSWORD\""
fi

sslElement="<sslContext>\n\
<sslContext keyStore=\"file:$keyStorePath\"\n\
keyStorePassword=\"$keyStorePassword\"\n\
keyStorePassword=\"$keyStorePassword\" $keyPassword \n\
trustStore=\"file:$trustStorePath\"\n\
trustStorePassword=\"$trustStorePassword\" />\n\
</sslContext>"
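Review bot: `keyPassword`, expanded into the sslContext element on the `keyStorePassword=\"$keyStorePassword\" $keyPassword` line, is never initialised, so when AMQ_KEY_PASSWORD is empty the attribute is built from whatever `keyPassword` already holds — a same-named variable inherited from the container environment or left by an earlier call — instead of being omitted. Set it explicitly before the test, `keyPassword=""` (or `local keyPassword=""` if the file already uses `local`), so the empty case is deterministic. The same unguarded pattern appears in os-datavirt/added/launch/teiid.sh (`key_password`), os-eap7-launch/added/launch/https.sh and os-jdg7-launch/added/launch/authentication-config.sh (`keystore_alias`, `key_password`). configureSSL begins before this hunk.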
16 changes: 14 additions & 2 deletions os-datavirt/added/launch/teiid.sh
Expand Up @@ -11,8 +11,15 @@ function prepareEnv() {
unset DATAVIRT_TRANSPORT_KEY_ALIAS
unset DATAVIRT_TRANSPORT_KEYSTORE
unset DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD
unset DATAVIRT_TRANSPORT_KEY_PASSWORD
unset DATAVIRT_TRANSPORT_KEYSTORE_TYPE
unset DATAVIRT_TRANSPORT_KEYSTORE_DIR
unset HTTPS_NAME
unset HTTPS_PASSWORD
unset HTTPS_KEY_PASSWORD
unset HTTPS_KEYSTORE_DIR
unset HTTPS_KEYSTORE
unset HTTPS_KEYSTORE_TYPE
unset DATAVIRT_USERS
unset DATAVIRT_USER_PASSWORDS
unset DATAVIRT_USER_GROUPS
Expand Down Expand Up @@ -69,6 +76,7 @@ function add_secure_transport(){
local key_alias=${DATAVIRT_TRANSPORT_KEY_ALIAS}
local keystore=${DATAVIRT_TRANSPORT_KEYSTORE-$HTTPS_KEYSTORE}
local keystore_pwd=${DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD-$HTTPS_PASSWORD}
local key_pwd=${DATAVIRT_TRANSPORT_KEY_PASSWORD-$HTTPS_KEY_PASSWORD}
local keystore_type=${DATAVIRT_TRANSPORT_KEYSTORE_TYPE-$HTTPS_KEYSTORE_TYPE}
local keystore_dir=${DATAVIRT_TRANSPORT_KEYSTORE_DIR-$HTTPS_KEYSTORE_DIR}
local auth_mode=${DATAVIRT_TRANSPORT_AUTHENTICATION_MODE}
Expand All @@ -91,11 +99,15 @@ function add_secure_transport(){
fi
fi

if [ -n "$key_pwd" ]; then
key_password="key-password=\"${key_pwd}\""
fi

# JDBC
transport="<transport name=\"secure-jdbc\" socket-binding=\"secure-teiid-jdbc\" protocol=\"teiid\"><authentication security-domain=\"teiid-security\"/><ssl mode=\"enabled\" authentication-mode=\"$auth_mode\" ssl-protocol=\"TLSv1.2\" keymanagement-algorithm=\"SunX509\">"

if [ "$auth_mode" != "anonymous" ]; then
transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD\" type=\"$keystore_type\" key-alias=\"$key_alias\"/><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\" type=\"$keystore_type\" key-alias=\"$key_alias\" ${key_password} /><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
fi

transport="$transport </ssl></transport>"
Expand All @@ -104,7 +116,7 @@ function add_secure_transport(){
transport="$transport <transport name=\"secure-odbc\" socket-binding=\"secure-teiid-odbc\" protocol=\"pg\"><authentication security-domain=\"teiid-security\"/><ssl mode=\"enabled\" authentication-mode=\"$auth_mode\" ssl-protocol=\"TLSv1.2\" keymanagement-algorithm=\"SunX509\">"

if [ "$auth_mode" != "anonymous" ]; then
transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD\" type=\"$keystore_type\" key-alias=\"$key_alias\"/><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\" type=\"$keystore_type\" key-alias=\"$key_alias\" ${key_password} /><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
fi

transport="$transport </ssl></transport>"
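Review bot: The key password is interpolated verbatim into the `key-password=\"...\"` attribute built in the `if [ -n "$key_pwd" ]` block and then into both transport elements, so a secret containing `"`, `&` or `<` produces malformed XML or closes the attribute early and the server fails to start; this was already true of the keystore/truststore `password` attributes, but the commit adds one more unescaped site. Escaping the value where it is wrapped, e.g. `key_password="key-password=\"$(printf '%s' "$key_pwd" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/"/\&quot;/g')\""`, keeps the generated document well-formed for any password. The new `local key_pwd=${DATAVIRT_TRANSPORT_KEY_PASSWORD-$HTTPS_KEY_PASSWORD}` uses `-` rather than `:-`, so an explicitly empty transport value suppresses the HTTPS fallback — consistent with the neighbouring locals, but worth a one-line comment since it is easy to misread. add_secure_transport begins and ends outside this hunk.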
2 changes: 1 addition & 1 deletion os-eap64-launch/added/launch/https.sh
Expand Up @@ -25,7 +25,7 @@ function configure_https() {
fi

https="<connector name=\"https\" protocol=\"HTTP/1.1\" socket-binding=\"https\" scheme=\"https\" secure=\"true\"> \
<ssl name=\"${HTTPS_NAME}\" password=\"${HTTPS_PASSWORD}\" certificate-key-file=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" ${keystore_type}/> \
<ssl name=\"${HTTPS_NAME}\" key-alias=\"${HTTPS_NAME}\" password=\"${HTTPS_PASSWORD}\" certificate-key-file=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" ${keystore_type} /> \
</connector>"
elif [ -n "${HTTPS_NAME}" -o -n "${HTTPS_PASSWORD}" -o -n "${HTTPS_KEYSTORE_DIR}" -o -n "${HTTPS_KEYSTORE}" ] ; then
echo "WARNING! Partial HTTPS configuration, the https connector WILL NOT be configured."
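Review bot: The rewritten `<ssl ...>` line now pins `key-alias` to HTTPS_NAME, which changes behaviour for existing deployments whose keystore entry is not named after the connector: the old line set no alias, so the server chose the key by its own default rule (inferred), whereas a mismatched alias now leaves the connector without a usable certificate. That coupling deserves a comment above the `https=` assignment, e.g. `# HTTPS_NAME doubles as the key alias; the keystore entry must carry this name`, and a mention wherever the image's environment variables are documented. Unlike the other images, this hunk consumes no HTTPS_KEY_PASSWORD — as far as I know the EAP 6.4 web subsystem `ssl` element has no separate key password — so a user who sets it here silently gets the keystore password applied to the key; a `echo "WARNING! HTTPS_KEY_PASSWORD is not supported on EAP 6.4; the keystore password is used for the key."` beside the existing partial-configuration warning would surface that (the eap/6.4 scenario added in this commit also never sets HTTPS_KEY_PASSWORD, so the path is untested). configure_https starts before and ends after this hunk.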
10 changes: 9 additions & 1 deletion os-eap7-launch/added/launch/https.sh
Expand Up @@ -3,6 +3,7 @@
function prepareEnv() {
unset HTTPS_NAME
unset HTTPS_PASSWORD
unset HTTPS_KEY_PASSWORD
unset HTTPS_KEYSTORE_DIR
unset HTTPS_KEYSTORE
unset HTTPS_KEYSTORE_TYPE
Expand All @@ -25,9 +26,16 @@ function configure_https() {
if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
fi
if [ -n "$HTTPS_NAME" ]; then
keystore_alias="alias=\"${HTTPS_NAME}\""
fi
if [ -n "$HTTPS_KEY_PASSWORD" ]; then
key_password="key-password=\"${HTTPS_KEY_PASSWORD}\""
fi

ssl="<server-identities>\n\
<ssl>\n\
<keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\"/>\n\
<keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\" ${keystore_alias} ${key_password} />\n\
</ssl>\n\
</server-identities>"

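Review bot: The new attributes arrive with no explanation of the new environment variable, so a reader of configure_https cannot tell what HTTPS_KEY_PASSWORD governs or what happens when only HTTPS_PASSWORD is set. A comment above the `if [ -n "$HTTPS_KEY_PASSWORD" ]` block such as `# HTTPS_KEY_PASSWORD protects the private-key entry; when unset, key-password is omitted and the server falls back to the keystore password` would answer that, with the fallback behaviour confirmed against the EAP 7 security-realm reference rather than taken from this note. The `alias` attribute now always mirrors HTTPS_NAME, which is the same compatibility point raised on the EAP 6.4 hunk and applies here and in os-jdg7-launch/added/launch/authentication-config.sh. configure_https starts before and ends after this hunk.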
15 changes: 14 additions & 1 deletion os-jdg7-launch/added/launch/authentication-config.sh
Expand Up @@ -9,6 +9,12 @@ function prepareEnv() {
unset SECDOMAIN_LOGIN_MODULE
unset SECDOMAIN_REALM
unset REST_SECURITY_DOMAIN
unset HTTPS_NAME
unset HTTPS_PASSWORD
unset HTTPS_KEY_PASSWORD
unset HTTPS_KEYSTORE_DIR
unset HTTPS_KEYSTORE
unset HTTPS_KEYSTORE_TYPE
}

function configure() {
Expand Down Expand Up @@ -79,9 +85,16 @@ function add_realm_domain_mapping() {
if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
fi
if [ -n "$HTTPS_NAME" ]; then
keystore_alias="alias=\"${HTTPS_NAME}\""
fi
if [ -n "$HTTPS_KEY_PASSWORD" ]; then
key_password="key-password=\"${HTTPS_KEY_PASSWORD}\""
fi

ssl="<server-identities>\n\
<ssl>\n\
<keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\"/>\n\
<keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\" ${keystore_alias} ${key_password} />\n\
</ssl>\n\
</server-identities>"
fi
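Review bot: prepareEnv now unsets HTTPS_NAME, HTTPS_KEY_PASSWORD and the other HTTPS_* variables here, yet the same variables are also read by configure_server_identities in os-jdg7-launch/added/launch/infinispan-config.sh in this commit, which gets no matching prepareEnv change; whether that is safe depends on the launch framework running every prepareEnv before any configure, which this hunk cannot show. A comment on the new `unset` lines, `# also consumed by infinispan-config.sh (configure_server_identities)`, records the cross-file dependency, and if the ordering is not guaranteed the unsets belong in both files. Both prepareEnv and add_realm_domain_mapping extend beyond the hunk.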
5 changes: 5 additions & 0 deletions os-jdg7-launch/added/launch/infinispan-config.sh
Expand Up @@ -139,10 +139,15 @@ function configure_server_identities() {
fi
if [ -n "$SSL_KEYSTORE_ALIAS" ]; then
keystore_alias="alias=\"$SSL_KEYSTORE_ALIAS\""
elif [ -n "$HTTPS_NAME" ]; then
keystore_alias="alias=\"$HTTPS_NAME\""
fi
if [ -n "$SSL_KEY_PASSWORD" ]; then
key_password="key-password=\"$SSL_KEY_PASSWORD\""
elif [ -n "$HTTPS_KEY_PASSWORD" ]; then
key_password="key-password=\"$HTTPS_KEY_PASSWORD\""
fi

ssl="\
<ssl $ssl_protocol>\
<keystore path=\"$keystore_path\" keystore-password=\"$keystore_password\" $keystore_relative_to $keystore_alias $key_password/>\
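Review bot: The new `elif` branches make HTTPS_NAME and HTTPS_KEY_PASSWORD silent fallbacks for the Infinispan endpoint's keystore alias and key password, but nothing in the function states that precedence, and the hunk does not show whether `keystore_path` and `keystore_password` fall back to the HTTPS keystore in the same way — if they do not, an HTTPS_NAME set for the web connector can be applied as the alias of a different keystore and the endpoint fails to find its key. A comment before the alias block, `# SSL_* values win; HTTPS_* are fallbacks so the endpoint can reuse the HTTPS keystore's key entry — keep aligned with how keystore_path is resolved above`, makes the intent checkable. configure_server_identities starts before and ends after this hunk.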
2 changes: 2 additions & 0 deletions tests/features/amq/amq-common.feature
Expand Up @@ -81,10 +81,12 @@ Feature: Openshift AMQ tests
| AMQ_KEYSTORE_TRUSTSTORE_DIR | /opt/amq/conf |
| AMQ_KEYSTORE | broker.ks |
| AMQ_KEYSTORE_PASSWORD | password |
| AMQ_KEY_PASSWORD | keypass |
| AMQ_TRUSTSTORE | broker.ts |
| AMQ_TRUSTSTORE_PASSWORD | password |
Then XML file /opt/amq/conf/activemq.xml should contain value file:/opt/amq/conf/broker.ks on XPath //amq:sslContext/@keyStore
And XML file /opt/amq/conf/activemq.xml should contain value password on XPath //amq:sslContext/@keyStorePassword
And XML file /opt/amq/conf/activemq.xml should contain value keypass on XPath //amq:sslContext/@keyStoreKeyPassword
And XML file /opt/amq/conf/activemq.xml should contain value file:/opt/amq/conf/broker.ts on XPath //amq:sslContext/@trustStore
And XML file /opt/amq/conf/activemq.xml should contain value password on XPath //amq:sslContext/@trustStorePassword

21 changes: 21 additions & 0 deletions tests/features/datagrid/7.1/datagrid_variable_expansion.feature
@@ -0,0 +1,21 @@
@jboss-datagrid-7
Feature: Check correct JDG variable expansion used
Scenario: Check HTTPS basic config
When container is started with env
| variable | value |
| USERNAME | tombrady |
| PASSWORD | ringsix6! |
| HTTPS_NAME | jboss |
| HTTPS_PASSWORD | mykeystorepass |
| HTTPS_KEY_PASSWORD | mykeypass |
| HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
| HTTPS_KEYSTORE | keystore.jks |
Then XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeypass on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value jboss on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
Then XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeypass on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value jboss on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias

26 changes: 26 additions & 0 deletions tests/features/datavirt/datavirt_variable_expansion.feature
@@ -0,0 +1,26 @@
@jboss-datavirt-6
Feature: Check correct JDV variable expansion used
Scenario: Check HTTPS basic config
When container is started with env
| variable | value |
| DATAVIRT_TRANSPORT_KEY_ALIAS | jboss |
| HTTPS_PASSWORD | mykeystorepass |
| HTTPS_KEY_PASSWORD | mykeypass |
| HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
| HTTPS_KEYSTORE | keystore.jks |
| HTTPS_KEYSTORE_TYPE | JKS |
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@name
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@type
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-alias
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='truststore']/@name
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='truststore']/@password
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@name
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@type
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-alias
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='truststore']/@name
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='truststore']/@password
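Review bot: The scenario exercises only the HTTPS_KEY_PASSWORD fallback; the DATAVIRT_TRANSPORT_KEY_PASSWORD override added to add_secure_transport in teiid.sh is not covered, so a regression in the precedence between the two would still pass this suite. A second scenario with `| DATAVIRT_TRANSPORT_KEY_PASSWORD | transportkeypass |` alongside `HTTPS_KEY_PASSWORD` and an expectation of `transportkeypass` on the two `@key-password` XPaths would pin the override down.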

13 changes: 13 additions & 0 deletions tests/features/eap/6.4/eap_variable_expansion.feature
Expand Up @@ -113,3 +113,16 @@ Feature: Check correct variable expansion used
| ns | urn:jboss:domain:security:1.2 |
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should have 1 elements on XPath //ns:security-domain[@name='eap-secdomain-name']/ns:authentication/ns:login-module/ns:module-option[@name='password-stacking']

Scenario: Check HTTPS basic config
When container is started with env
| variable | value |
| HTTPS_NAME | jboss |
| HTTPS_PASSWORD | mykeystorepass |
| HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
| HTTPS_KEYSTORE | keystore.jks |
| HTTPS_KEYSTORE_TYPE | JKS |
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='connector']/*[local-name()='ssl']/@certificate-key-file
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='connector']/*[local-name()='ssl']/@password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='connector']/*[local-name()='ssl']/@key-alias
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='connector']/*[local-name()='ssl']/@keystore-type

17 changes: 17 additions & 0 deletions tests/features/eap/7/eap_variable_expansion.feature
@@ -0,0 +1,17 @@
@jboss-eap-7
Feature: Check correct variable expansion used
Scenario: Check HTTPS basic config
When container is started with env
| variable | value |
| HTTPS_NAME | jboss |
| HTTPS_PASSWORD | mykeystorepass |
| HTTPS_KEY_PASSWORD | mykeypass |
| HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
| HTTPS_KEYSTORE | keystore.jks |
| HTTPS_KEYSTORE_TYPE | JKS |
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@provider
