CLOUD-294 Keystore key password for SSL #124

6 changes: 5 additions & 1 deletion os-amq-launch/added/configure.sh
Expand Up @@ -115,9 +115,13 @@ function configureSSL() {
keyStorePath="$sslDir/$keyStoreFile"
trustStorePath="$sslDir/$trustStoreFile"

if [ -n "$AMQ_KEY_PASSWORD" ]; then
keyPassword="keyStoreKeyPassword=\"$AMQ_KEY_PASSWORD\""
fi

sslElement="<sslContext>\n\
<sslContext keyStore=\"file:$keyStorePath\"\n\
keyStorePassword=\"$keyStorePassword\"\n\
keyStorePassword=\"$keyStorePassword\" $keyPassword \n\
trustStore=\"file:$trustStorePath\"\n\
trustStorePassword=\"$trustStorePassword\" />\n\
</sslContext>"
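Review bot: `keyPassword` is assigned only inside the new `if [ -n "$AMQ_KEY_PASSWORD" ]` branch and is never reset, so when AMQ_KEY_PASSWORD is empty the `sslElement` line picks up whatever value `keyPassword` already had in the calling shell; add `keyPassword=""` before the `if` so the empty case is explicit. The value is also interpolated into the XML attribute without escaping, as `keyStorePassword` already is, so a key password containing `"` or `&` yields a malformed activemq.xml; at minimum record that with `# NOTE: not XML-escaped; quotes or ampersands in the password break the element`. configureSSL starts before the hunk.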
16 changes: 14 additions & 2 deletions os-datavirt/added/launch/teiid.sh
Expand Up @@ -11,8 +11,15 @@ function prepareEnv() {
unset DATAVIRT_TRANSPORT_KEY_ALIAS
unset DATAVIRT_TRANSPORT_KEYSTORE
unset DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD
unset DATAVIRT_TRANSPORT_KEY_PASSWORD
unset DATAVIRT_TRANSPORT_KEYSTORE_TYPE
unset DATAVIRT_TRANSPORT_KEYSTORE_DIR
unset HTTPS_NAME
unset HTTPS_PASSWORD
unset HTTPS_KEY_PASSWORD
unset HTTPS_KEYSTORE_DIR
unset HTTPS_KEYSTORE
unset HTTPS_KEYSTORE_TYPE
unset DATAVIRT_USERS
unset DATAVIRT_USER_PASSWORDS
unset DATAVIRT_USER_GROUPS
Expand Down Expand Up @@ -69,6 +76,7 @@ function add_secure_transport(){
local key_alias=${DATAVIRT_TRANSPORT_KEY_ALIAS}
local keystore=${DATAVIRT_TRANSPORT_KEYSTORE-$HTTPS_KEYSTORE}
local keystore_pwd=${DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD-$HTTPS_PASSWORD}
local key_pwd=${DATAVIRT_TRANSPORT_KEY_PASSWORD-$HTTPS_KEY_PASSWORD}
local keystore_type=${DATAVIRT_TRANSPORT_KEYSTORE_TYPE-$HTTPS_KEYSTORE_TYPE}
local keystore_dir=${DATAVIRT_TRANSPORT_KEYSTORE_DIR-$HTTPS_KEYSTORE_DIR}
local auth_mode=${DATAVIRT_TRANSPORT_AUTHENTICATION_MODE}
Expand All @@ -91,11 +99,15 @@ function add_secure_transport(){
fi
fi

if [ -n "$key_pwd" ]; then
key_password="key-password=\"${key_pwd}\""
fi

# JDBC
transport="<transport name=\"secure-jdbc\" socket-binding=\"secure-teiid-jdbc\" protocol=\"teiid\"><authentication security-domain=\"teiid-security\"/><ssl mode=\"enabled\" authentication-mode=\"$auth_mode\" ssl-protocol=\"TLSv1.2\" keymanagement-algorithm=\"SunX509\">"

if [ "$auth_mode" != "anonymous" ]; then
transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD\" type=\"$keystore_type\" key-alias=\"$key_alias\"/><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\" type=\"$keystore_type\" key-alias=\"$key_alias\" ${key_password} /><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
fi

transport="$transport </ssl></transport>"
Expand All @@ -104,7 +116,7 @@ function add_secure_transport(){
transport="$transport <transport name=\"secure-odbc\" socket-binding=\"secure-teiid-odbc\" protocol=\"pg\"><authentication security-domain=\"teiid-security\"/><ssl mode=\"enabled\" authentication-mode=\"$auth_mode\" ssl-protocol=\"TLSv1.2\" keymanagement-algorithm=\"SunX509\">"

if [ "$auth_mode" != "anonymous" ]; then
transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD\" type=\"$keystore_type\" key-alias=\"$key_alias\"/><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\" type=\"$keystore_type\" key-alias=\"$key_alias\" ${key_password} /><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
fi

transport="$transport </ssl></transport>"
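Review bot: `key_password`, set in the new `if [ -n "$key_pwd" ]` block of the second hunk, is the only variable in `add_secure_transport` not declared `local` and it is never initialised, so when `key_pwd` is empty the `<keystore>` line inherits any prior value of that name; declare it with the other locals as `local key_password=""`. The two keystore lines now read `password=\"$keystore_pwd\"` instead of `$DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD`, which looks like a separate fix of the HTTPS_PASSWORD fallback and deserves a sentence in the commit message. The new datavirt feature file only exercises the HTTPS_KEY_PASSWORD fallback, not DATAVIRT_TRANSPORT_KEY_PASSWORD taking precedence over it as the `local key_pwd=` line intends. add_secure_transport continues outside the hunks.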
2 changes: 1 addition & 1 deletion os-eap64-launch/added/launch/https.sh
Expand Up @@ -25,7 +25,7 @@ function configure_https() {
fi

https="<connector name=\"https\" protocol=\"HTTP/1.1\" socket-binding=\"https\" scheme=\"https\" secure=\"true\"> \
<ssl name=\"${HTTPS_NAME}\" password=\"${HTTPS_PASSWORD}\" certificate-key-file=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" ${keystore_type}/> \
<ssl name=\"${HTTPS_NAME}\" key-alias=\"${HTTPS_NAME}\" password=\"${HTTPS_PASSWORD}\" certificate-key-file=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" ${keystore_type} /> \
</connector>"
elif [ -n "${HTTPS_NAME}" -o -n "${HTTPS_PASSWORD}" -o -n "${HTTPS_KEYSTORE_DIR}" -o -n "${HTTPS_KEYSTORE}" ] ; then
echo "WARNING! Partial HTTPS configuration, the https connector WILL NOT be configured."
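Review bot: Adding `key-alias=\"${HTTPS_NAME}\"` to the `<ssl>` element gives HTTPS_NAME a second meaning for existing deployments: it previously only named the connector, and a keystore whose key entry alias differs from HTTPS_NAME will presumably fail to load its key where it worked before. The same coupling is introduced as `alias=\"${HTTPS_NAME}\"` in os-eap7-launch/added/launch/https.sh and os-jdg7-launch/added/launch/authentication-config.sh, and as the `elif` fallback in os-jdg7-launch/added/launch/infinispan-config.sh. If that is intended, state it where the variable is documented, e.g. `# HTTPS_NAME is also used as the key alias inside HTTPS_KEYSTORE`. configure_https starts before the hunk.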
10 changes: 9 additions & 1 deletion os-eap7-launch/added/launch/https.sh
Expand Up @@ -3,6 +3,7 @@
function prepareEnv() {
unset HTTPS_NAME
unset HTTPS_PASSWORD
unset HTTPS_KEY_PASSWORD
unset HTTPS_KEYSTORE_DIR
unset HTTPS_KEYSTORE
unset HTTPS_KEYSTORE_TYPE
Expand All @@ -25,9 +26,16 @@ function configure_https() {
if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
fi
if [ -n "$HTTPS_NAME" ]; then
keystore_alias="alias=\"${HTTPS_NAME}\""
fi
if [ -n "$HTTPS_KEY_PASSWORD" ]; then
key_password="key-password=\"${HTTPS_KEY_PASSWORD}\""
fi

ssl="<server-identities>\n\
<ssl>\n\
<keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\"/>\n\
<keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\" ${keystore_alias} ${key_password} />\n\
</ssl>\n\
</server-identities>"

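Review bot: `keystore_alias` and `key_password` are assigned only inside their `if` branches and never initialised, so when HTTPS_NAME or HTTPS_KEY_PASSWORD is empty the `<keystore>` line picks up any earlier value of those names; add `keystore_alias=""` and `key_password=""` before the checks (whether `keystore_provider` is initialised is outside the hunk, so it may share the gap). HTTPS_KEY_PASSWORD is a new user-facing variable and this PR adds no documentation for it; if the image README lists the HTTPS_* variables it needs an entry saying it is only required when the key password differs from the keystore password. The identical block in os-jdg7-launch/added/launch/authentication-config.sh has the same issues. configure_https continues outside the hunk.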
15 changes: 14 additions & 1 deletion os-jdg7-launch/added/launch/authentication-config.sh
Expand Up @@ -9,6 +9,12 @@ function prepareEnv() {
unset SECDOMAIN_LOGIN_MODULE
unset SECDOMAIN_REALM
unset REST_SECURITY_DOMAIN
unset HTTPS_NAME
unset HTTPS_PASSWORD
unset HTTPS_KEY_PASSWORD
unset HTTPS_KEYSTORE_DIR
unset HTTPS_KEYSTORE
unset HTTPS_KEYSTORE_TYPE
}

function configure() {
Expand Down Expand Up @@ -79,9 +85,16 @@ function add_realm_domain_mapping() {
if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
fi
if [ -n "$HTTPS_NAME" ]; then
keystore_alias="alias=\"${HTTPS_NAME}\""
fi
if [ -n "$HTTPS_KEY_PASSWORD" ]; then
key_password="key-password=\"${HTTPS_KEY_PASSWORD}\""
fi

ssl="<server-identities>\n\
<ssl>\n\
<keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\"/>\n\
<keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\" ${keystore_alias} ${key_password} />\n\
</ssl>\n\
</server-identities>"
fi
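Review bot: The `keystore_alias`/`key_password`/`<keystore ...>` block added to `add_realm_domain_mapping` duplicates the new block in os-eap7-launch/added/launch/https.sh line for line; a shared helper that builds the `<server-identities>` fragment from the HTTPS_* variables would keep the two from drifting. The new `unset HTTPS_*` lines in this file's `prepareEnv` clear variables that infinispan-config.sh's `configure_server_identities` now reads as fallbacks, so whether that is safe depends on the order in which the launch scripts' prepareEnv and configure functions run, which is not visible here. add_realm_domain_mapping starts before the hunk.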
5 changes: 5 additions & 0 deletions os-jdg7-launch/added/launch/infinispan-config.sh
Expand Up @@ -139,10 +139,15 @@ function configure_server_identities() {
fi
if [ -n "$SSL_KEYSTORE_ALIAS" ]; then
keystore_alias="alias=\"$SSL_KEYSTORE_ALIAS\""
elif [ -n "$HTTPS_NAME" ]; then
keystore_alias="alias=\"$HTTPS_NAME\""
fi
if [ -n "$SSL_KEY_PASSWORD" ]; then
key_password="key-password=\"$SSL_KEY_PASSWORD\""
elif [ -n "$HTTPS_KEY_PASSWORD" ]; then
key_password="key-password=\"$HTTPS_KEY_PASSWORD\""
fi

ssl="\
<ssl $ssl_protocol>\
<keystore path=\"$keystore_path\" keystore-password=\"$keystore_password\" $keystore_relative_to $keystore_alias $key_password/>\
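Review bot: The new `elif` branches make SSL_KEYSTORE_ALIAS and SSL_KEY_PASSWORD take precedence over HTTPS_NAME and HTTPS_KEY_PASSWORD without recording the rule; a comment above the first `if` would do it: `# SSL_* take precedence; HTTPS_* are used only as the fallback`. `keystore_alias` and `key_password` stay at whatever value they already had when none of the four variables is set, unless they are initialised above the hunk. configure_server_identities starts before the hunk and continues after it.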
2 changes: 2 additions & 0 deletions tests/features/amq/amq-common.feature
Expand Up @@ -81,10 +81,12 @@ Feature: Openshift AMQ tests
| AMQ_KEYSTORE_TRUSTSTORE_DIR | /opt/amq/conf |
| AMQ_KEYSTORE | broker.ks |
| AMQ_KEYSTORE_PASSWORD | password |
| AMQ_KEY_PASSWORD | keypass |
| AMQ_TRUSTSTORE | broker.ts |
| AMQ_TRUSTSTORE_PASSWORD | password |
Then XML file /opt/amq/conf/activemq.xml should contain value file:/opt/amq/conf/broker.ks on XPath //amq:sslContext/@keyStore
And XML file /opt/amq/conf/activemq.xml should contain value password on XPath //amq:sslContext/@keyStorePassword
And XML file /opt/amq/conf/activemq.xml should contain value keypass on XPath //amq:sslContext/@keyStoreKeyPassword
And XML file /opt/amq/conf/activemq.xml should contain value file:/opt/amq/conf/broker.ts on XPath //amq:sslContext/@trustStore
And XML file /opt/amq/conf/activemq.xml should contain value password on XPath //amq:sslContext/@trustStorePassword

21 changes: 21 additions & 0 deletions tests/features/datagrid/7.1/datagrid_variable_expansion.feature
@@ -0,0 +1,21 @@
@jboss-datagrid-7
Feature: Check correct JDG variable expansion used
Scenario: Check HTTPS basic config
When container is started with env
| variable | value |
| USERNAME | tombrady |
| PASSWORD | ringsix6! |
| HTTPS_NAME | jboss |
| HTTPS_PASSWORD | mykeystorepass |
| HTTPS_KEY_PASSWORD | mykeypass |
| HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
| HTTPS_KEYSTORE | keystore.jks |
Then XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeypass on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value jboss on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
Then XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeypass on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value jboss on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias

26 changes: 26 additions & 0 deletions tests/features/datavirt/datavirt_variable_expansion.feature
@@ -0,0 +1,26 @@
@jboss-datavirt-6
Feature: Check correct JDV variable expansion used
Scenario: Check HTTPS basic config
When container is started with env
| variable | value |
| DATAVIRT_TRANSPORT_KEY_ALIAS | jboss |
| HTTPS_PASSWORD | mykeystorepass |
| HTTPS_KEY_PASSWORD | mykeypass |
| HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
| HTTPS_KEYSTORE | keystore.jks |
| HTTPS_KEYSTORE_TYPE | JKS |
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@name
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@type
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-alias
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='truststore']/@name
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='truststore']/@password
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@name
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@type
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-alias
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='truststore']/@name
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='truststore']/@password

13 changes: 13 additions & 0 deletions tests/features/eap/6.4/eap_variable_expansion.feature
Expand Up @@ -113,3 +113,16 @@ Feature: Check correct variable expansion used
| ns | urn:jboss:domain:security:1.2 |
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should have 1 elements on XPath //ns:security-domain[@name='eap-secdomain-name']/ns:authentication/ns:login-module/ns:module-option[@name='password-stacking']

Scenario: Check HTTPS basic config
When container is started with env
| variable | value |
| HTTPS_NAME | jboss |
| HTTPS_PASSWORD | mykeystorepass |
| HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
| HTTPS_KEYSTORE | keystore.jks |
| HTTPS_KEYSTORE_TYPE | JKS |
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='connector']/*[local-name()='ssl']/@certificate-key-file
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='connector']/*[local-name()='ssl']/@password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='connector']/*[local-name()='ssl']/@key-alias
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='connector']/*[local-name()='ssl']/@keystore-type

17 changes: 17 additions & 0 deletions tests/features/eap/7/eap_variable_expansion.feature
@@ -0,0 +1,17 @@
@jboss-eap-7
Feature: Check correct variable expansion used
Scenario: Check HTTPS basic config
When container is started with env
| variable | value |
| HTTPS_NAME | jboss |
| HTTPS_PASSWORD | mykeystorepass |
| HTTPS_KEY_PASSWORD | mykeypass |
| HTTPS_KEYSTORE_DIR | /etc/eap-secret-volume |
| HTTPS_KEYSTORE | keystore.jks |
| HTTPS_KEYSTORE_TYPE | JKS |
Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@provider