From 35e7be3bdf95a4b6469be62fd653d26482c6e024 Mon Sep 17 00:00:00 2001
From: Bill Decoste
Date: Wed, 11 Oct 2017 13:20:06 -0700
Subject: [PATCH] CLOUD-294 Keystore key password for SSL
---
 os-amq-launch/added/configure.sh | 6 ++++-
 os-datavirt/added/launch/teiid.sh | 16 ++++++++++--
 os-eap64-launch/added/launch/https.sh | 2 +-
 os-eap7-launch/added/launch/https.sh | 10 ++++++-
 .../added/launch/authentication-config.sh | 15 ++++++++++-
 .../added/launch/infinispan-config.sh | 5 ++++
 tests/features/amq/amq-common.feature | 2 ++
 .../7.1/datagrid_variable_expansion.feature | 21 +++++++++++++++
 .../datavirt_variable_expansion.feature | 26 +++++++++++++++++++
 .../eap/6.4/eap_variable_expansion.feature | 13 ++++++++++
 .../eap/7/eap_variable_expansion.feature | 17 ++++++++++++
 11 files changed, 127 insertions(+), 6 deletions(-)
 create mode 100644 tests/features/datagrid/7.1/datagrid_variable_expansion.feature
 create mode 100644 tests/features/datavirt/datavirt_variable_expansion.feature
 create mode 100644 tests/features/eap/7/eap_variable_expansion.feature
diff --git a/os-amq-launch/added/configure.sh b/os-amq-launch/added/configure.sh
index 8c94d844..6be0ffe9 100644
--- a/os-amq-launch/added/configure.sh
+++ b/os-amq-launch/added/configure.sh
@@ -115,9 +115,13 @@ function configureSSL() {
 keyStorePath="$sslDir/$keyStoreFile"
 trustStorePath="$sslDir/$trustStoreFile"
+ if [ -n "$AMQ_KEY_PASSWORD" ]; then
+ keyPassword="keyStoreKeyPassword=\"$AMQ_KEY_PASSWORD\""
+ fi
+
 sslElement="\n\ \n\ "
diff --git a/os-datavirt/added/launch/teiid.sh b/os-datavirt/added/launch/teiid.sh
index c8b5a66b..38f48883 100755
--- a/os-datavirt/added/launch/teiid.sh
+++ b/os-datavirt/added/launch/teiid.sh
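Review bot: `keyPassword` is assigned only inside the new `if`, and the hunk neither initialises it nor declares it `local`, so when `AMQ_KEY_PASSWORD` is unset whatever `keyPassword` already held — a stale value from an earlier call, or an unrelated variable of that name inherited from the process environment — is what lands in the sslContext element. Initialise it before the test, `keyPassword=""` (with `local` if configureSSL uses it), so the attribute is reliably omitted; the same pattern appears in teiid.sh (`key_password`), os-eap7-launch/added/launch/https.sh and os-jdg7-launch/added/launch/authentication-config.sh (`keystore_alias`, `key_password`), unless those scripts initialise the variables above their hunks. Like the existing keystore password, the value is interpolated into the XML attribute unescaped, so a key password containing `"`, `<` or `&` produces a malformed activemq.xml; a comment stating that constraint, or escaping the value, would help. configureSSL's body continues outside the hunk, and the sslContext markup is not visible in this rendering.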
@@ -11,8 +11,15 @@ function prepareEnv() {
 unset DATAVIRT_TRANSPORT_KEY_ALIAS
 unset DATAVIRT_TRANSPORT_KEYSTORE
 unset DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD
+ unset DATAVIRT_TRANSPORT_KEY_PASSWORD
 unset DATAVIRT_TRANSPORT_KEYSTORE_TYPE
 unset DATAVIRT_TRANSPORT_KEYSTORE_DIR
+ unset HTTPS_NAME
+ unset HTTPS_PASSWORD
+ unset HTTPS_KEY_PASSWORD
+ unset HTTPS_KEYSTORE_DIR
+ unset HTTPS_KEYSTORE
+ unset HTTPS_KEYSTORE_TYPE
 unset DATAVIRT_USERS
 unset DATAVIRT_USER_PASSWORDS
 unset DATAVIRT_USER_GROUPS
@@ -69,6 +76,7 @@ function add_secure_transport(){
 local key_alias=${DATAVIRT_TRANSPORT_KEY_ALIAS}
 local keystore=${DATAVIRT_TRANSPORT_KEYSTORE-$HTTPS_KEYSTORE}
 local keystore_pwd=${DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD-$HTTPS_PASSWORD}
+ local key_pwd=${DATAVIRT_TRANSPORT_KEY_PASSWORD-$HTTPS_KEY_PASSWORD}
 local keystore_type=${DATAVIRT_TRANSPORT_KEYSTORE_TYPE-$HTTPS_KEYSTORE_TYPE}
 local keystore_dir=${DATAVIRT_TRANSPORT_KEYSTORE_DIR-$HTTPS_KEYSTORE_DIR}
 local auth_mode=${DATAVIRT_TRANSPORT_AUTHENTICATION_MODE}
@@ -91,11 +99,15 @@ function add_secure_transport(){
 fi
 fi
+ if [ -n "$key_pwd" ]; then
+ key_password="key-password=\"${key_pwd}\""
+ fi
+
 # JDBC
 transport=""
 if [ "$auth_mode" != "anonymous" ]; then
- transport="$transport "
+ transport="$transport "
 fi
 transport="$transport "
@@ -104,7 +116,7 @@ function add_secure_transport(){
 transport="$transport "
 if [ "$auth_mode" != "anonymous" ]; then
- transport="$transport "
+ transport="$transport "
 fi
 transport="$transport "
diff --git a/os-eap64-launch/added/launch/https.sh b/os-eap64-launch/added/launch/https.sh
index 159673e8..23629b3d 100644
--- a/os-eap64-launch/added/launch/https.sh
+++ b/os-eap64-launch/added/launch/https.sh
@@ -25,7 +25,7 @@ function configure_https() {
 fi
 https=" \
- \
+ \
 "
 elif [ -n "${HTTPS_NAME}" -o -n "${HTTPS_PASSWORD}" -o -n "${HTTPS_KEYSTORE_DIR}" -o -n "${HTTPS_KEYSTORE}" ] ; then
 echo "WARNING! Partial HTTPS configuration, the https connector WILL NOT be configured."
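Review bot: `$key_password` is applied only on the changed line inside the `auth_mode != "anonymous"` branch of the JDBC transport (and the matching ODBC branch in the hunk at -104), while the `transport="$transport …"` line after each `fi` is left untouched; the element markup is stripped in this rendering, so please confirm that the anonymous path either emits no keystore element or also carries `$key_password`, otherwise a key password set for an anonymous transport is silently dropped. `key_password` is also assigned without initialisation and without `local`, unlike the `local` declarations in the hunk at -69, so `local key_password=""` before the new `if` would keep it scoped to add_secure_transport and empty when `key_pwd` is unset. add_secure_transport starts before the first of these hunks.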
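Review bot: This one-line change is the only edit to the EAP 6.4 launcher, its prepareEnv is not touched, and the new 6.4 scenario in tests/features/eap/6.4/eap_variable_expansion.feature sets no `HTTPS_KEY_PASSWORD`, so on 6.4 that variable appears to be ignored while the other images honour it. If the web connector's ssl element cannot take a separate key password, record that where the variable is documented and fail loudly at configuration time rather than at the TLS handshake, e.g. `[ -n "$HTTPS_KEY_PASSWORD" ] && echo "WARNING! HTTPS_KEY_PASSWORD is ignored on EAP 6.4."` next to the existing partial-configuration warning. The attributes of the replaced ssl line are not visible here, so this is inferred; configure_https starts before the hunk.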
diff --git a/os-eap7-launch/added/launch/https.sh b/os-eap7-launch/added/launch/https.sh
index b3e5935b..80f4f0ca 100644
--- a/os-eap7-launch/added/launch/https.sh
+++ b/os-eap7-launch/added/launch/https.sh
@@ -3,6 +3,7 @@ function prepareEnv() {
 unset HTTPS_NAME
 unset HTTPS_PASSWORD
+ unset HTTPS_KEY_PASSWORD
 unset HTTPS_KEYSTORE_DIR
 unset HTTPS_KEYSTORE
 unset HTTPS_KEYSTORE_TYPE
@@ -25,9 +26,16 @@ function configure_https() {
 if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
 keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
 fi
+ if [ -n "$HTTPS_NAME" ]; then
+ keystore_alias="alias=\"${HTTPS_NAME}\""
+ fi
+ if [ -n "$HTTPS_KEY_PASSWORD" ]; then
+ key_password="key-password=\"${HTTPS_KEY_PASSWORD}\""
+ fi
+
 ssl="\n\
 \n\
- \n\
+ \n\
 \n\
 "
diff --git a/os-jdg7-launch/added/launch/authentication-config.sh b/os-jdg7-launch/added/launch/authentication-config.sh
index 9bfcd4e6..17bf96f2 100755
--- a/os-jdg7-launch/added/launch/authentication-config.sh
+++ b/os-jdg7-launch/added/launch/authentication-config.sh
@@ -9,6 +9,12 @@ function prepareEnv() {
 unset SECDOMAIN_LOGIN_MODULE
 unset SECDOMAIN_REALM
 unset REST_SECURITY_DOMAIN
+ unset HTTPS_NAME
+ unset HTTPS_PASSWORD
+ unset HTTPS_KEY_PASSWORD
+ unset HTTPS_KEYSTORE_DIR
+ unset HTTPS_KEYSTORE
+ unset HTTPS_KEYSTORE_TYPE
 }
 function configure() {
@@ -79,9 +85,16 @@ function add_realm_domain_mapping() {
 if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
 keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
 fi
+ if [ -n "$HTTPS_NAME" ]; then
+ keystore_alias="alias=\"${HTTPS_NAME}\""
+ fi
+ if [ -n "$HTTPS_KEY_PASSWORD" ]; then
+ key_password="key-password=\"${HTTPS_KEY_PASSWORD}\""
+ fi
+
 ssl="\n\
 \n\
- \n\
+ \n\
 \n\
 "
 fi
diff --git a/os-jdg7-launch/added/launch/infinispan-config.sh b/os-jdg7-launch/added/launch/infinispan-config.sh
index 7716e1ca..a667dee2 100644
--- a/os-jdg7-launch/added/launch/infinispan-config.sh
+++ b/os-jdg7-launch/added/launch/infinispan-config.sh
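Review bot: prepareEnv in authentication-config.sh now unsets the HTTPS_* variables, yet infinispan-config.sh's configure_server_identities (the next hunk) starts reading `HTTPS_NAME` and `HTTPS_KEY_PASSWORD` as fallbacks; if the launcher invokes every script's prepareEnv before the configure functions of scripts sourced later, those fallbacks can never fire. Please confirm the order in which these scripts are sourced and their prepareEnv/configure functions run, or keep the HTTPS_* unsets in a single script that runs after all consumers. The alias/key-password block added to add_realm_domain_mapping is byte-for-byte the one added to configure_https in os-eap7-launch/added/launch/https.sh; a shared helper that echoes the `alias=` and `key-password=` fragments would keep the two from drifting. Both configure_https and add_realm_domain_mapping start before their hunks.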
@@ -139,10 +139,15 @@ function configure_server_identities() {
 fi
 if [ -n "$SSL_KEYSTORE_ALIAS" ]; then
 keystore_alias="alias=\"$SSL_KEYSTORE_ALIAS\""
+ elif [ -n "$HTTPS_NAME" ]; then
+ keystore_alias="alias=\"$HTTPS_NAME\""
 fi
 if [ -n "$SSL_KEY_PASSWORD" ]; then
 key_password="key-password=\"$SSL_KEY_PASSWORD\""
+ elif [ -n "$HTTPS_KEY_PASSWORD" ]; then
+ key_password="key-password=\"$HTTPS_KEY_PASSWORD\""
 fi
+
 ssl="\
 \
 \
diff --git a/tests/features/amq/amq-common.feature b/tests/features/amq/amq-common.feature
index aa2370e4..7fb65ce9 100644
--- a/tests/features/amq/amq-common.feature
+++ b/tests/features/amq/amq-common.feature
@@ -81,10 +81,12 @@ Feature: Openshift AMQ tests
 | AMQ_KEYSTORE_TRUSTSTORE_DIR | /opt/amq/conf |
 | AMQ_KEYSTORE | broker.ks |
 | AMQ_KEYSTORE_PASSWORD | password |
+ | AMQ_KEY_PASSWORD | keypass |
 | AMQ_TRUSTSTORE | broker.ts |
 | AMQ_TRUSTSTORE_PASSWORD | password |
 Then XML file /opt/amq/conf/activemq.xml should contain value file:/opt/amq/conf/broker.ks on XPath //amq:sslContext/@keyStore
 And XML file /opt/amq/conf/activemq.xml should contain value password on XPath //amq:sslContext/@keyStorePassword
+ And XML file /opt/amq/conf/activemq.xml should contain value keypass on XPath //amq:sslContext/@keyStoreKeyPassword
 And XML file /opt/amq/conf/activemq.xml should contain value file:/opt/amq/conf/broker.ts on XPath //amq:sslContext/@trustStore
 And XML file /opt/amq/conf/activemq.xml should contain value password on XPath //amq:sslContext/@trustStorePassword
diff --git a/tests/features/datagrid/7.1/datagrid_variable_expansion.feature b/tests/features/datagrid/7.1/datagrid_variable_expansion.feature
new file mode 100644
index 00000000..b755a974
--- /dev/null
+++ b/tests/features/datagrid/7.1/datagrid_variable_expansion.feature
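Review bot: The new `elif` branches give the SSL_* values precedence over the shared HTTPS_* ones without saying so; a comment above the first `if`, `# SSL_KEYSTORE_ALIAS / SSL_KEY_PASSWORD win; HTTPS_NAME / HTTPS_KEY_PASSWORD are the shared fallback`, would record the intended precedence for the next maintainer. The fallback is per attribute, so a deployment that sets `SSL_KEYSTORE_ALIAS` and `HTTPS_KEY_PASSWORD` but not `SSL_KEY_PASSWORD` mixes the two families in one keystore element, which may be intended but is worth stating. configure_server_identities starts before the hunk and the ssl assignment continues past it.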
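Review bot: The added step only asserts that `keypass` is written to `@keyStoreKeyPassword`; it does not establish that the key inside broker.ks is protected by that password, so a value the broker cannot use would pass this scenario and surface only when the broker opens the keystore. If the step library can check broker start-up or a TLS connection, add that step after the XML checks; otherwise a comment on the `AMQ_KEY_PASSWORD` row noting that it must match the key in broker.ks documents the dependency. The scenario starts before the hunk.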
@@ -0,0 +1,21 @@
+@jboss-datagrid-7
+Feature: Check correct JDG variable expansion used
+ Scenario: Check HTTPS basic config
+ When container is started with env
+ | variable | value |
+ | USERNAME | tombrady |
+ | PASSWORD | ringsix6! |
+ | HTTPS_NAME | jboss |
+ | HTTPS_PASSWORD | mykeystorepass |
+ | HTTPS_KEY_PASSWORD | mykeypass |
+ | HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
+ | HTTPS_KEYSTORE | keystore.jks |
+ Then XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
+ And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
+ And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeypass on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+ And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value jboss on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
+ Then XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
+ And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeystorepass on XPath
//*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
+ And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeypass on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+ And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value jboss on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
+
diff --git a/tests/features/datavirt/datavirt_variable_expansion.feature b/tests/features/datavirt/datavirt_variable_expansion.feature
new file mode 100644
index 00000000..21721cd4
--- /dev/null
+++ b/tests/features/datavirt/datavirt_variable_expansion.feature
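Review bot: Every new scenario sets both `HTTPS_NAME` and `HTTPS_KEY_PASSWORD`, so none of them verifies that the `@alias` and `@key-password` attributes are omitted when those variables are unset, which is the case the `if [ -n … ]` guards in the launch scripts exist for and the one most likely to regress. Add a second scenario without the two variables asserting `should have 0 elements on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password` (the "should have N elements" step already appears in tests/features/eap/6.4/eap_variable_expansion.feature). The same gap applies to tests/features/datavirt/datavirt_variable_expansion.feature and tests/features/eap/7/eap_variable_expansion.feature.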
@@ -0,0 +1,26 @@
+@jboss-datavirt-6
+Feature: Check correct JDV variable expansion used
+ Scenario: Check HTTPS basic config
+ When container is started with env
+ | variable | value |
+ | DATAVIRT_TRANSPORT_KEY_ALIAS | jboss |
+ | HTTPS_PASSWORD | mykeystorepass |
+ | HTTPS_KEY_PASSWORD | mykeypass |
+ | HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
+ | HTTPS_KEYSTORE | keystore.jks |
+ | HTTPS_KEYSTORE_TYPE | JKS |
+ Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@name
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@password
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@type
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-alias
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='truststore']/@name
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath
//*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='truststore']/@password
+ Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@name
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@password
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@type
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-alias
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='truststore']/@name
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='truststore']/@password
+
diff --git a/tests/features/eap/6.4/eap_variable_expansion.feature b/tests/features/eap/6.4/eap_variable_expansion.feature
index 0fdaae42..c1da56f8 100644
--- a/tests/features/eap/6.4/eap_variable_expansion.feature
+++ b/tests/features/eap/6.4/eap_variable_expansion.feature
@@ -113,3 +113,16 @@ Feature: Check correct variable expansion used
 | ns | urn:jboss:domain:security:1.2 |
 Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should have 1 elements on XPath //ns:security-domain[@name='eap-secdomain-name']/ns:authentication/ns:login-module/ns:module-option[@name='password-stacking']
+ Scenario: Check HTTPS basic config
+ When container is started with env
+ | variable | value |
+ | HTTPS_NAME | jboss |
+ | HTTPS_PASSWORD | mykeystorepass |
+ | HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
+ | HTTPS_KEYSTORE | keystore.jks |
+ | HTTPS_KEYSTORE_TYPE | JKS |
+ Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='connector']/*[local-name()='ssl']/@certificate-key-file
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='connector']/*[local-name()='ssl']/@password
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='connector']/*[local-name()='ssl']/@key-alias
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='connector']/*[local-name()='ssl']/@keystore-type
+
diff --git a/tests/features/eap/7/eap_variable_expansion.feature b/tests/features/eap/7/eap_variable_expansion.feature
new file mode 100644
index 00000000..f881d2f9
--- /dev/null
+++ b/tests/features/eap/7/eap_variable_expansion.feature
@@ -0,0 +1,17 @@
+@jboss-eap-7
+Feature: Check correct variable expansion used
+ Scenario: Check HTTPS basic config
+ When container is started with env
+ | variable | value |
+ | HTTPS_NAME | jboss |
+ | HTTPS_PASSWORD | mykeystorepass |
+ | HTTPS_KEY_PASSWORD | mykeypass |
+ | HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
+ | HTTPS_KEYSTORE | keystore.jks |
+ | HTTPS_KEYSTORE_TYPE | JKS |
+ Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+ And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@provider
+