diff --git a/dev/fattest.simplicity/src/componenttest/topology/impl/LibertyServer.java b/dev/fattest.simplicity/src/componenttest/topology/impl/LibertyServer.java
index 1c43a2e7f52..90473f18c08 100644
--- a/dev/fattest.simplicity/src/componenttest/topology/impl/LibertyServer.java
+++ b/dev/fattest.simplicity/src/componenttest/topology/impl/LibertyServer.java
@@ -36,6 +36,9 @@
 import java.net.InetSocketAddress;
 import java.net.ServerSocket;
 import java.nio.charset.Charset;
+import java.nio.file.CopyOption;
+import java.nio.file.Files;
+import java.nio.file.StandardCopyOption;
 import java.security.AccessController;
 import java.security.KeyStore;
 import java.security.PrivilegedAction;
@@ -62,6 +65,7 @@
 import java.util.Properties;
 import java.util.Scanner;
 import java.util.Set;
+import java.util.StringJoiner;
 import java.util.StringTokenizer;
 import java.util.TreeSet;
 import java.util.concurrent.BlockingQueue;
@@ -1722,25 +1726,18 @@ public ProgramOutput startServerWithArgs(boolean preClean, boolean cleanStart, //FIPS 140-3 // if we have FIPS 140-3 enabled, and the matched java/platform, add JVM Arg if (isFIPS140_3EnabledAndSupported()) { - Log.info(c, "startServerWithArgs", "Liberty server is running JDK version: " + info.majorVersion() + " and vendor: " + info.VENDOR); - - if (info.majorVersion() == 17){ - Log.info(c, "startServerWithArgs", "FIPS 140-3 global build properties is set for server " + getServerName() - + " with IBM Java 17, adding required JVM arguments to run with FIPS 140-3 enabled"); - JVM_ARGS += " -Dsemeru.fips=true"; - JVM_ARGS += " -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3-withPKCS12"; - JVM_ARGS += " -Dcom.ibm.fips.mode=140-3"; - // JVM_ARGS += " -Djavax.net.debug=all"; // Uncomment as needed for additional debugging - } - else if (info.majorVersion() == 8) { - Log.info(c, "startServerWithArgs", "FIPS 140-3 global build properties is set for server " + getServerName() - + " with IBM Java 8, adding JVM arguments -Xenablefips140-3, ..., to run with FIPS 140-3 enabled"); - JVM_ARGS += " -Xenablefips140-3"; - JVM_ARGS += " -Dcom.ibm.jsse2.usefipsprovider=true"; - JVM_ARGS += " -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS"; - JVM_ARGS += " -Dcom.ibm.fips.mode=140-3"; - // JVM_ARGS += " -Djavax.net.debug=all"; // Uncomment as needed for additional debugging + Log.info(c, "startServerWithArgs", + "Liberty server is running JDK version: " + info.majorVersion() + " and vendor: " + info.VENDOR); + Map fipsOpts = getFipsJvmOptions(info, false); + StringJoiner joiner = new StringJoiner(" ", " ", ""); + for (String key : fipsOpts.keySet()) { + if (fipsOpts.get(key) != null) { + joiner.add(String.format("%s=%s", key, fipsOpts.get(key))); + } else { + joiner.add(key); + } } + JVM_ARGS += joiner.toString(); } Properties bootstrapProperties = getBootstrapProperties(); 
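Review bot: Nothing in the new loop notices when `getFipsJvmOptions(info, false)` comes back empty, so if `isFIPS140_3EnabledAndSupported()` can be true on a JDK that is neither 8 nor 17 the server is started with no FIPS arguments at all (JVM_ARGS only gains the joiner's `" "` prefix) while the log says FIPS was requested; I can only see the IBM-8 check of that predicate, so this may be unreachable today, but a guard such as `if (fipsOpts.isEmpty()) throw new IllegalStateException("FIPS 140-3 requested but no JVM options known for JDK " + info.majorVersion());` (or at least a warning) makes a non-FIPS run fail visibly instead of silently passing. The "Liberty server is running JDK version" message is now logged twice, once here and once inside `getFipsJvmOptions`, so one of them can go. `Map fipsOpts` appears without type arguments; that may be the page dropping the generics, but if the declaration really is raw, `for (String key : fipsOpts.keySet())` will not compile. `startServerWithArgs` begins before and ends after this hunk.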
@@ -1817,50 +1814,7 @@ else if (info.majorVersion() == 8) { Log.finer(c, method, "Starting Server with command: " + cmd); - if (isFIPS140_3EnabledAndSupported()) { - String serverSecurityDir = serverRoot + File.separator + "resources" + File.separator + "security"; - File ltpaFIPSKeys = new File(serverSecurityDir, "ltpaFIPS.keys"); - File ltpaKeys = new File(serverSecurityDir, "ltpa.keys"); - - if (!ltpaKeys.exists() && !ltpaFIPSKeys.exists()) { - Log.info(this.getClass(), "startServerWithArgs", - "FIPS 140-3 global build properties are set for server " + getServerName() - + ", but neither ltpa.keys nor ltpaFIPS.keys is found in " + serverSecurityDir); - } else { - Log.info(this.getClass(), "startServerWithArgs", - "FIPS 140-3 global build properties are set for server " + getServerName() - + ", swapping ltpaFIPS.keys into ltpa.keys"); - - try { - // Delete ltpa.keys if it exists - if (ltpaKeys.exists()) { - if (!ltpaKeys.delete()) { - Log.info(this.getClass(), "startServerWithArgs", "Failed to delete existing ltpa.keys."); - } else { - Log.info(this.getClass(), "startServerWithArgs", "Waiting for 1 second after deleting ltpa.keys."); - Thread.sleep(1000); - } - } - - // Rename ltpaFIPS.keys to ltpa.keys if ltpaFIPS.keys exists - if (ltpaFIPSKeys.exists()) { - if (!ltpaFIPSKeys.renameTo(ltpaKeys)) { - Log.info(this.getClass(), "startServerWithArgs", "Failed to rename ltpaFIPS.keys to ltpa.keys."); - } else { - Log.info(this.getClass(), "startServerWithArgs", "Waiting for 1 second after rename."); - Thread.sleep(1000); - } - - // Log the content of ltpa.keys - String content = FileUtils.readFile(ltpaKeys.getAbsolutePath()); - Log.info(this.getClass(), "printLtpaKeys", "Content of ltpa.keys: " + content); - } - - } catch (Exception e) { - Log.info(this.getClass(), "startServerWithArgs", "Error during ltpa.keys handling: " + e.getMessage()); - } - } - } + configureLTPAKeys(); // Create a marker file to indicate that we're trying to start a server 
createServerMarkerFile(); @@ -7848,7 +7802,7 @@ private boolean isEE11OrLaterEnabled() throws Exception { } //FIPS 140-3 - public boolean isFIPS140_3EnabledAndSupported() throws Exception { + public boolean isFIPS140_3EnabledAndSupported() throws IOException { String methodName = "isFIPS140_3EnabledAndSupported"; JavaInfo serverJavaInfo = JavaInfo.forServer(this); boolean isIBMJVM8 = (serverJavaInfo.majorVersion() == 8) && (serverJavaInfo.VENDOR == Vendor.IBM); 
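Review bot: The `configureLTPAKeys()` call replaces a block that caught every exception and only logged it, so an `IOException` from the key move or the `InterruptedException` from its sleep now propagates out of the start path before `createServerMarkerFile()` runs; that is the safer outcome, since the server no longer comes up with the wrong ltpa.keys after a failed swap, but it is a behaviour change worth stating at the call site, e.g. `// FIPS 140-3 only: swap ltpaFIPS.keys into ltpa.keys; a failed swap now aborts the start instead of being logged`. `startServerWithArgs` begins and ends outside this hunk, so I cannot see whether its throws clause already covers those two types.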
@@ -8064,4 +8018,74 @@ public String getOpenLibertyVersion() { public String getEnvVar(String var) { return envVars.get(var); } + + public void configureLTPAKeys() throws IOException, InterruptedException { + + if (isFIPS140_3EnabledAndSupported()) { + String serverSecurityDir = serverRoot + File.separator + "resources" + File.separator + "security"; + File ltpaFIPSKeys = new File(serverSecurityDir, "ltpaFIPS.keys"); + File ltpaKeys = new File(serverSecurityDir, "ltpa.keys"); + String serverName = getServerName(); + boolean fipsKeyExists = ltpaFIPSKeys.exists(); + + if (!ltpaKeys.exists() && !fipsKeyExists) { + Log.info(this.getClass(), "configureLTPAKeys", + "FIPS 140-3 global build properties are set for server " + serverName + + ", but neither ltpa.keys nor ltpaFIPS.keys is found in " + serverSecurityDir); + } else { + + Log.info(this.getClass(), "configureLTPAKeys", + "FIPS 140-3 global build properties are set for server " + serverName + + ", swapping ltpaFIPS.keys into ltpa.keys"); + } + + if (fipsKeyExists) { + Files.move(ltpaFIPSKeys.toPath(), ltpaKeys.toPath(), StandardCopyOption.REPLACE_EXISTING); + Log.info(this.getClass(), "configureLTPAKeys", + "Waiting for 2 seconds after updating ltpa.keys ..."); + Thread.sleep(2000); + } + + if (ltpaKeys.exists()) { + // Log the content of ltpa.keys + String content = FileUtils.readFile(ltpaKeys.getAbsolutePath()); + Log.info(this.getClass(), "configureLTPAKeys", "Content of ltpa.keys: " + content); + } + } + } + + public Map getFipsJvmOptions() throws IOException { + return getFipsJvmOptions(JavaInfo.forServer(this), true); + } + + public Map getFipsJvmOptions(JavaInfo info, boolean includeGlobalArgs) throws IOException { + Map opts = new HashMap<>(); + if (isFIPS140_3EnabledAndSupported()) { + Log.info(c, "getFipsJvmOptions", + "Liberty server is running JDK version: " + info.majorVersion() + " and vendor: " + info.VENDOR); + + if (info.majorVersion() == 17) { + Log.info(c, "getFipsJvmOptions", + "FIPS 140-3 
global build properties is set for server " + getServerName() + + " with IBM Java 17, adding required JVM arguments to run with FIPS 140-3 enabled"); + opts.put("-Dsemeru.fips", "true"); + opts.put("-Dsemeru.customprofile", "OpenJCEPlusFIPS.FIPS140-3-withPKCS12"); + opts.put("-Dcom.ibm.fips.mode", "140-3"); + } else if (info.majorVersion() == 8) { + Log.info(c, "getFipsJvmOptions", "FIPS 140-3 global build properties is set for server " + + getServerName() + + " with IBM Java 8, adding JVM arguments -Xenablefips140-3, ..., to run with FIPS 140-3 enabled"); + opts.put("-Xenablefips140-3", null); + opts.put("-Dcom.ibm.jsse2.usefipsprovider", "true"); + opts.put("-Dcom.ibm.jsse2.usefipsProviderName", "IBMJCEPlusFIPS"); + opts.put("-Dcom.ibm.fips.mode", "140-3"); + + } + if (includeGlobalArgs) { + opts.put("-Dglobal.fips_140-3", "true"); + opts.put("-Dcom.ibm.ws.beta.edition", "true"); + } + } + return opts; + } }
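Review bot: `configureLTPAKeys` still writes the complete contents of ltpa.keys to the test log (`Log.info(this.getClass(), "configureLTPAKeys", "Content of ltpa.keys: " + content)`); that file holds the server's LTPA key material (password-protected, but still a secret), and FAT logs are archived and attached to build results, so print presence and size rather than the keys, e.g. `Log.info(this.getClass(), "configureLTPAKeys", "ltpa.keys present (" + ltpaKeys.length() + " bytes)");`. The unconditional `Thread.sleep(2000)` after `Files.move` has no stated reason — `Files.move` is synchronous and the server has not been started yet — so either document what it waits for or remove it. In `getFipsJvmOptions` the options are collected in a `HashMap`, so the order in which the caller appends them to JVM_ARGS depends on the JVM's hashing; a `LinkedHashMap` keeps the listed order and makes the logged start command reproducible. The `Map` declarations show no type arguments here, which may be a rendering artifact; if they really are raw, a caller iterating `for (String key : opts.keySet())` will not compile, and `java.nio.file.CopyOption` is imported but never used.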