updating LibertyServer
jacobwdv committed Dec 3, 2024
1 parent 7ffa5ea commit d968747
Showing 1 changed file with 87 additions and 63 deletions.
Expand Up @@ -36,6 +36,9 @@
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.nio.charset.Charset;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedAction;
Expand All @@ -62,6 +65,7 @@
import java.util.Properties;
import java.util.Scanner;
import java.util.Set;
import java.util.StringJoiner;
import java.util.StringTokenizer;
import java.util.TreeSet;
import java.util.concurrent.BlockingQueue;
Expand Down Expand Up @@ -1722,25 +1726,18 @@ public ProgramOutput startServerWithArgs(boolean preClean, boolean cleanStart,
//FIPS 140-3
// if we have FIPS 140-3 enabled, and the matched java/platform, add JVM Arg
if (isFIPS140_3EnabledAndSupported()) {
Log.info(c, "startServerWithArgs", "Liberty server is running JDK version: " + info.majorVersion() + " and vendor: " + info.VENDOR);

if (info.majorVersion() == 17){
Log.info(c, "startServerWithArgs", "FIPS 140-3 global build properties is set for server " + getServerName()
+ " with IBM Java 17, adding required JVM arguments to run with FIPS 140-3 enabled");
JVM_ARGS += " -Dsemeru.fips=true";
JVM_ARGS += " -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3-withPKCS12";
JVM_ARGS += " -Dcom.ibm.fips.mode=140-3";
// JVM_ARGS += " -Djavax.net.debug=all"; // Uncomment as needed for additional debugging
}
else if (info.majorVersion() == 8) {
Log.info(c, "startServerWithArgs", "FIPS 140-3 global build properties is set for server " + getServerName()
+ " with IBM Java 8, adding JVM arguments -Xenablefips140-3, ..., to run with FIPS 140-3 enabled");
JVM_ARGS += " -Xenablefips140-3";
JVM_ARGS += " -Dcom.ibm.jsse2.usefipsprovider=true";
JVM_ARGS += " -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS";
JVM_ARGS += " -Dcom.ibm.fips.mode=140-3";
// JVM_ARGS += " -Djavax.net.debug=all"; // Uncomment as needed for additional debugging
Log.info(c, "startServerWithArgs",
"Liberty server is running JDK version: " + info.majorVersion() + " and vendor: " + info.VENDOR);
Map<String, String> fipsOpts = getFipsJvmOptions(info, false);
StringJoiner joiner = new StringJoiner(" ", " ", "");
for (String key : fipsOpts.keySet()) {
if (fipsOpts.get(key) != null) {
joiner.add(String.format("%s=%s", key, fipsOpts.get(key)));
} else {
joiner.add(key);
}
}
JVM_ARGS += joiner.toString();
}

Properties bootstrapProperties = getBootstrapProperties();
Expand Down Expand Up @@ -1817,50 +1814,7 @@ else if (info.majorVersion() == 8) {

Log.finer(c, method, "Starting Server with command: " + cmd);

if (isFIPS140_3EnabledAndSupported()) {
String serverSecurityDir = serverRoot + File.separator + "resources" + File.separator + "security";
File ltpaFIPSKeys = new File(serverSecurityDir, "ltpaFIPS.keys");
File ltpaKeys = new File(serverSecurityDir, "ltpa.keys");

if (!ltpaKeys.exists() && !ltpaFIPSKeys.exists()) {
Log.info(this.getClass(), "startServerWithArgs",
"FIPS 140-3 global build properties are set for server " + getServerName()
+ ", but neither ltpa.keys nor ltpaFIPS.keys is found in " + serverSecurityDir);
} else {
Log.info(this.getClass(), "startServerWithArgs",
"FIPS 140-3 global build properties are set for server " + getServerName()
+ ", swapping ltpaFIPS.keys into ltpa.keys");

try {
// Delete ltpa.keys if it exists
if (ltpaKeys.exists()) {
if (!ltpaKeys.delete()) {
Log.info(this.getClass(), "startServerWithArgs", "Failed to delete existing ltpa.keys.");
} else {
Log.info(this.getClass(), "startServerWithArgs", "Waiting for 1 second after deleting ltpa.keys.");
Thread.sleep(1000);
}
}

// Rename ltpaFIPS.keys to ltpa.keys if ltpaFIPS.keys exists
if (ltpaFIPSKeys.exists()) {
if (!ltpaFIPSKeys.renameTo(ltpaKeys)) {
Log.info(this.getClass(), "startServerWithArgs", "Failed to rename ltpaFIPS.keys to ltpa.keys.");
} else {
Log.info(this.getClass(), "startServerWithArgs", "Waiting for 1 second after rename.");
Thread.sleep(1000);
}

// Log the content of ltpa.keys
String content = FileUtils.readFile(ltpaKeys.getAbsolutePath());
Log.info(this.getClass(), "printLtpaKeys", "Content of ltpa.keys: " + content);
}

} catch (Exception e) {
Log.info(this.getClass(), "startServerWithArgs", "Error during ltpa.keys handling: " + e.getMessage());
}
}
}
configureLTPAKeys();

// Create a marker file to indicate that we're trying to start a server
createServerMarkerFile();
Expand Down Expand Up @@ -7848,7 +7802,7 @@ private boolean isEE11OrLaterEnabled() throws Exception {
}

//FIPS 140-3
public boolean isFIPS140_3EnabledAndSupported() throws Exception {
public boolean isFIPS140_3EnabledAndSupported() throws IOException {
String methodName = "isFIPS140_3EnabledAndSupported";
JavaInfo serverJavaInfo = JavaInfo.forServer(this);
boolean isIBMJVM8 = (serverJavaInfo.majorVersion() == 8) && (serverJavaInfo.VENDOR == Vendor.IBM);
Expand Down Expand Up @@ -8064,4 +8018,74 @@ public String getOpenLibertyVersion() {
public String getEnvVar(String var) {
return envVars.get(var);
}

public void configureLTPAKeys() throws IOException, InterruptedException {

if (isFIPS140_3EnabledAndSupported()) {
String serverSecurityDir = serverRoot + File.separator + "resources" + File.separator + "security";
File ltpaFIPSKeys = new File(serverSecurityDir, "ltpaFIPS.keys");
File ltpaKeys = new File(serverSecurityDir, "ltpa.keys");
String serverName = getServerName();
boolean fipsKeyExists = ltpaFIPSKeys.exists();

if (!ltpaKeys.exists() && !fipsKeyExists) {
Log.info(this.getClass(), "configureLTPAKeys",
"FIPS 140-3 global build properties are set for server " + serverName
+ ", but neither ltpa.keys nor ltpaFIPS.keys is found in " + serverSecurityDir);
} else {

Log.info(this.getClass(), "configureLTPAKeys",
"FIPS 140-3 global build properties are set for server " + serverName
+ ", swapping ltpaFIPS.keys into ltpa.keys");
}

if (fipsKeyExists) {
Files.move(ltpaFIPSKeys.toPath(), ltpaKeys.toPath(), StandardCopyOption.REPLACE_EXISTING);
Log.info(this.getClass(), "configureLTPAKeys",
"Waiting for 2 seconds after updating ltpa.keys ...");
Thread.sleep(2000);
}

if (ltpaKeys.exists()) {
// Log the content of ltpa.keys
String content = FileUtils.readFile(ltpaKeys.getAbsolutePath());
Log.info(this.getClass(), "configureLTPAKeys", "Content of ltpa.keys: " + content);
}
}
}

public Map<String, String> getFipsJvmOptions() throws IOException {
return getFipsJvmOptions(JavaInfo.forServer(this), true);
}

public Map<String, String> getFipsJvmOptions(JavaInfo info, boolean includeGlobalArgs) throws IOException {
Map<String, String> opts = new HashMap<>();
if (isFIPS140_3EnabledAndSupported()) {
Log.info(c, "getFipsJvmOptions",
"Liberty server is running JDK version: " + info.majorVersion() + " and vendor: " + info.VENDOR);

if (info.majorVersion() == 17) {
Log.info(c, "getFipsJvmOptions",
"FIPS 140-3 global build properties is set for server " + getServerName()
+ " with IBM Java 17, adding required JVM arguments to run with FIPS 140-3 enabled");
opts.put("-Dsemeru.fips", "true");
opts.put("-Dsemeru.customprofile", "OpenJCEPlusFIPS.FIPS140-3-withPKCS12");
opts.put("-Dcom.ibm.fips.mode", "140-3");
} else if (info.majorVersion() == 8) {
Log.info(c, "getFipsJvmOptions", "FIPS 140-3 global build properties is set for server "
+ getServerName()
+ " with IBM Java 8, adding JVM arguments -Xenablefips140-3, ..., to run with FIPS 140-3 enabled");
opts.put("-Xenablefips140-3", null);
opts.put("-Dcom.ibm.jsse2.usefipsprovider", "true");
opts.put("-Dcom.ibm.jsse2.usefipsProviderName", "IBMJCEPlusFIPS");
opts.put("-Dcom.ibm.fips.mode", "140-3");

}
if (includeGlobalArgs) {
opts.put("-Dglobal.fips_140-3", "true");
opts.put("-Dcom.ibm.ws.beta.edition", "true");
}
}
return opts;
}
}
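Review bot: configureLTPAKeys still writes the full content of ltpa.keys into the test log via `Log.info(this.getClass(), "configureLTPAKeys", "Content of ltpa.keys: " + content);`, and since that file holds the server's LTPA key material the log output becomes a place that material can be recovered from; logging only its presence and size, e.g. `Log.info(this.getClass(), "configureLTPAKeys", "ltpa.keys present (" + ltpaKeys.length() + " bytes)");`, gives the same diagnostic value without copying the keys. The same method reports "swapping ltpaFIPS.keys into ltpa.keys" whenever either file exists, so a server that has only ltpa.keys and no ltpaFIPS.keys gets a misleading message even though no move happens; changing the branch to `} else if (fipsKeyExists) {` keeps the log truthful. Less important, getFipsJvmOptions returns a HashMap, so the order in which startServerWithArgs appends the FIPS arguments to JVM_ARGS is unspecified from run to run; `Map<String, String> opts = new LinkedHashMap<>();` would make the generated command line reproducible, and the "Liberty server is running JDK version" message is now logged twice per start (once in startServerWithArgs, once in getFipsJvmOptions).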
