wildfly · emmartins · Mar 25, 2024 · Oct 5, 2023 · Dec 20, 2023 · emmartins
@@ -0,0 +1,17 @@
+name: WildFly helloworld-mutual-ssl Quickstart CI
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      - 'helloworld-mutual-ssl/**'
+      - '.github/workflows/quickstart_ci.yml'
+
+jobs:
+  call-quickstart_ci:
+    uses: ./.github/workflows/quickstart_ci.yml
+    with:
+      QUICKSTART_PATH: helloworld-mutual-ssl
+      SERVER_PROVISIONING_SERVER_HOST: https://localhost:8443/
+      TEST_PROVISIONED_SERVER: true
+      TEST_OPENSHIFT: false
@@ -28,74 +28,13 @@ include::../shared-doc/system-requirements.adoc[leveloffset=+1]
 include::../shared-doc/use-of-jboss-home-name.adoc[leveloffset=+1]
 
 [[set_up_client_keystore_using_java_keytool]]
-== Set Up the Client Keystore Using Java Keytool
-
-. Open a terminal and navigate to the {productName} server `configuration` directory:
-+
-[source,subs="+quotes,attributes+",options="nowrap"]
-----
-$ cd __{jbossHomeName}__/standalone/configuration/
-----
+== Set Up the Client Keystore
 
 . Create the client certificate, which is used to authenticate against the server when accessing a resource through TLS.
 +
-[source,options="nowrap"]
-----
-$>keytool -genkey -keystore client.keystore -storepass secret -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
-
-What is your first and last name?
-    [Unknown]:  quickstartUser
-What is the name of your organizational unit?
-    [Unknown]:  Sales
-What is the name of your organization?
-    [Unknown]:  My Company
-What is the name of your City or Locality?
-    [Unknown]:  Sao Paulo
-What is the name of your State or Province?
-    [Unknown]:  Sao Paulo
-What is the two-letter country code for this unit?
-    [Unknown]:  BR
-Is CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR correct?
-    [no]:  yes
-----
-
-. Export the client certificate and create a truststore by importing this certificate:
-+
-[source,options="nowrap"]
-----
-$>keytool -exportcert -keystore client.keystore  -storetype pkcs12 -storepass secret -keypass secret -file client.crt
-$>keytool -import -file client.crt -alias quickstartUser -keystore client.truststore -storepass secret
-
-Owner: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR
-Issuer: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR
-Serial number: 7fd95ce4
-Valid from: Mon Jul 24 16:14:03 BRT 2017 until: Tue Jul 24 16:14:03 BRT 2018
-Certificate fingerprints:
-     MD5:  87:41:C5:CC:E6:79:91:F0:9D:90:AD:9E:DD:57:81:80
-     SHA1: 55:35:CA:B0:DC:DD:4F:E6:B8:9F:45:4B:4B:98:93:B5:3B:7C:55:84
-     SHA256: 0A:FC:93:B6:25:5A:74:42:B8:A1:C6:5F:69:88:72:7F:27:A9:81:B0:17:0C:F1:AF:3D:DE:B7:E5:F1:69:66:4B
-     Signature algorithm name: SHA256withRSA
-     Version: 3
-
-Extensions:
-
-#1: ObjectId: 2.5.29.14 Criticality=false
-SubjectKeyIdentifier [
-KeyIdentifier [
-0000: 95 84 BE C6 32 BB 2B 13   4C 7F 5D D4 C4 C8 22 12  ....2.+.L.]...".
-0010: CB 09 39 09                                        ..9.
-]
-]
-
-Trust this certificate? [no]:  yes
-Certificate was added to keystore
-----
-
-. Export client certificate to pkcs12 format
-+
-[source,options="nowrap"]
+[source,subs="+quotes,attributes+",options="nowrap"]
 ----
-$>keytool -importkeystore -srckeystore client.keystore -srcstorepass secret -destkeystore clientCert.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -deststorepass secret
+$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=configure-client-cert.cli
 ----
 
 . The certificate and keystore are now properly configured.
@@ -185,15 +124,15 @@ If it is configured correctly, you should be asked to trust the server certifica
 [[import_the_client_certificate_into_your_browser]]
 == Import the Client Certificate into Your Browser
 
-Before you access the application, you must import the _clientCert.p12_, which holds the client certificate, into your browser.
+Before you access the application, you must import the _client.keystore.P12_, which holds the client certificate, into your browser.
 
 [[import_the_client_certificate_into_google_chrome]]
 === Import the Client Certificate into Google Chrome
 
 . Click the Chrome menu icon (3 dots) in the upper right on the browser toolbar and choose *Settings*. This takes you to `link:`chrome://settings/`.
 . Click on *Privacy and security* and then on *Security*.
 . Scroll down to the *Advanced* section and on the *Manage certificates* screen, select the *Your Certificates* tab and click on the *Import* button.
-. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`.
+. Select the *client.keystore.P12* file. You will be prompted to enter the password: `secret`.
 . The client certificate is now installed in the Google Chrome browser.
 
 [[import_the_client_certificate_into_mozilla_firefox]]
@@ -203,7 +142,7 @@ Before you access the application, you must import the _clientCert.p12_, which h
 . A new window will open. Click on *Privacy & Security* and scroll down to the *Certificates* section.
 . Click the *View Certificates* button.
 . A new window will open. Select the *Your Certificates* tab and click the *Import* button.
-. Select the *clientCert.p12* file. You will be prompted to enter the password: `secret`.
+. Select the *client.keystore.P12* file. You will be prompted to enter the password: `secret`.
 . The certificate is now installed in the Mozilla Firefox browser.
 
 // Build and Deploy the Quickstart
@@ -232,6 +171,8 @@ DHo1uoz5/dzXZz0EjjWCPJk+LVEhEvH0GcWAp3x3irpNU4hRZLd0XomY0Z4NnUt7VMBNYDOxVxgT9qcL
 aEWK4zhPVFynfnMaOxI67FC2QzhfzERyKqHj47WuwN0xWbS/1gBypS2nUwvItyxaEQG2X5uQY8j8QoY9wcMzIIkP2Mk14gJGHUnA8=
 ----
 
+// Server Distribution Testing
+include::../shared-doc/run-integration-tests-with-server-distribution.adoc[leveloffset=+2]
 // Undeploy the Quickstart
 include::../shared-doc/undeploy-the-quickstart.adoc[leveloffset=+1]
 // Restore the {productName} Standalone Server Configuration
@@ -253,14 +194,16 @@ include::../shared-doc/restore-standalone-server-configuration-manual.adoc[level
 
 == Remove the keystores and certificates created for this quickstart
 
-. Open a terminal and navigate to the {productName} server `configuration` directory:
+. Run the CLI script for restoring client cert configuration: 
 +
 [source,subs="+quotes,attributes+",options="nowrap"]
 ----
-$ cd __{jbossHomeName}__/standalone/configuration/
+$ __{jbossHomeName}__/bin/jboss-cli.sh --connect --file=restore-client-cert.cli
 ----
++
+NOTE: For Windows, use the `__{jbossHomeName}__\bin\jboss-cli.bat` script.
 
-. Remove the `clientCert.p12`, `client.crt`, `client.keystore`, and `client.truststore` files that
+. Remove the `client.keystore.P12`, `clientCert.crt`, `client.keystore`, and `client.truststore` files that
 were generated for this quickstart.
 
 [[remove_the_client_certificate_from_your_browser]]
@@ -288,6 +231,7 @@ After you are done with this quickstart, remember to remove the certificate that
 // Run the Quickstart in Red Hat  Studio or Eclipse
 include::../shared-doc/run-the-quickstart-in-jboss-developer-studio.adoc[leveloffset=+1]
 
+
 // Additional Red Hat CodeReady Studio instructions
 * Make sure you configure the keystore and client certificate as described under xref:set_up_client_keystore_using_java_keytool[Set Up the Client Keystore Using Java Keytool].
 * Depending on the browser you choose, make sure you either xref:import_the_client_certificate_into_google_chrome[import the certificate into Google Chrome] or xref:import_the_client_certificate_into_mozilla_firefox[import the certificate into Mozilla Firefox].
@@ -309,6 +253,12 @@ $ mvn dependency:resolve -Dclassifier=javadoc
 //*************************************************
 // Product Release content only
 //*************************************************
+// Build and run sections for other environments/builds
+ifndef::ProductRelease,EAPXPRelease[]
+:server_provisioning_server_host: https://localhost:8443
+include::../shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc[leveloffset=+1]
+endif::[]
+
 ifdef::ProductRelease[]
 
 // Quickstart not compatible with OpenShift

@@ -0,0 +1,19 @@
+# Configure the client's keystore. This will be used to generate the client's certificate. 
+# The path to the keystore file doesn’t actually have to exist yet.
+/subsystem=elytron/key-store=clientKS:add(path=client.keystore.P12, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12)
+
+# Generate a new key pair for the client. We'll use an RSA key of size 2048 and we'll use CN=quickstartUser
+/subsystem=elytron/key-store=clientKS:generate-key-pair(alias=quickstartUser, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=secret}, distinguished-name="cn=quickstartUser")
+
+# Export the client's certificate to a file called clientCert.crt
+/subsystem=elytron/key-store=clientKS:export-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, pem=true)
+
+# Create the server's truststore
+/subsystem=elytron/key-store=serverTS:add(path=server.truststore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12)
+
+# Import the client certificate into the server's truststore
+/subsystem=elytron/key-store=serverTS:import-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, validate=false)
+
+# Persist the changes we've made to the client's keystore and the server's truststore
+/subsystem=elytron/key-store=serverTS:store()
+/subsystem=elytron/key-store=clientKS:store()
@@ -4,17 +4,22 @@
 batch
 
 # Add the keystore and trust manager configuration in the elytron subsystem
-/subsystem=elytron/key-store=qsTrustStore:add(path=client.truststore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=secret})
-/subsystem=elytron/trust-manager=qsTrustManager:add(key-store=qsTrustStore)
+/subsystem=elytron/trust-manager=qsTrustManager:add(key-store=serverTS)
 
 # Update the default server-ssl-context to reference the new trust-manager and require client auth
 /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=trust-manager, value=qsTrustManager)
 /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=need-client-auth, value=true)
 
+# Generate the server's certificate
+/subsystem=elytron/key-store=applicationKS:generate-key-pair(alias=server, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=password}, distinguished-name="cn=localhost")
+
+# Store the key-pair in a keystore file
+/subsystem=elytron/key-store=applicationKS:store()
+
 # Run the batch commands
 run-batch
 
 # Reload the server configuration
-reload
+#reload
 
 
@@ -29,6 +29,16 @@
         <version>6</version>
         <relativePath/>
     </parent>
+
+    <properties>
+        <!-- the version for the Server -->
+        <version.server>31.0.0.Beta1</version.server>
+        <!-- The versions for BOMs, Packs and Plugins -->
+        <version.bom.ee>${version.server}</version.bom.ee>
+        <version.pack.cloud>5.0.0.Beta1</version.pack.cloud>
+        <version.plugin.wildfly>4.2.1.Final</version.plugin.wildfly>
+    </properties>
+
     <artifactId>helloworld-mutual-ssl</artifactId>
     <version>31.0.0.Final-SNAPSHOT</version>
     <packaging>war</packaging>
@@ -43,11 +53,6 @@
         </license>
     </licenses>
 
-    <properties>
-        <!-- The versions for BOMs, Dependencies and Plugins -->
-        <version.server.bom>31.0.0.Beta1</version.server.bom>
-    </properties>
-
     <repositories>
         <repository>
             <id>jboss-public-maven-repository</id>
@@ -109,15 +114,14 @@
             <dependency>
                 <groupId>org.wildfly.bom</groupId>
                 <artifactId>wildfly-ee-with-tools</artifactId>
-                <version>${version.server.bom}</version>
+                <version>${version.bom.ee}</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
         </dependencies>
     </dependencyManagement>
 
     <dependencies>
-
         <!-- Import the CDI API, we use provided scope as the API is included in JBoss WildFly -->
         <dependency>
             <groupId>jakarta.enterprise</groupId>
@@ -140,5 +144,100 @@
             <scope>provided</scope>
         </dependency>
 
+        <!-- For tests -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient -->
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>4.5.13</version>
+        </dependency>
     </dependencies>
+
+    <build>
+      <pluginManagement>
+          <plugins>
+              <plugin>
+                  <groupId>org.wildfly.plugins</groupId>
+                  <artifactId>wildfly-maven-plugin</artifactId>
+                  <version>${version.plugin.wildfly}</version>
+              </plugin>
+          </plugins>
+      </pluginManagement>
+    </build>
+
+    <profiles>
+        <profile>
+            <id>provisioned-server</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.wildfly.plugins</groupId>
+                        <artifactId>wildfly-maven-plugin</artifactId>
+                        <configuration>
+                            <feature-packs>
+                                <feature-pack>                                    
+                                    <location>org.wildfly:wildfly-galleon-pack:${version.server}</location>
+                                </feature-pack>
+                            </feature-packs>
+                            <layers>
+                                <!-- layers may be used to customize the server to provision-->
+                                <layer>cloud-server</layer>
+                                <layer>undertow-https</layer>
+                            </layers>
+                            <!-- use cli script(s) to configure the server -->
+                            <packaging-scripts>
+                                <packaging-script>
+                                    <scripts>
+                                        <script>${basedir}/configure-client-cert.cli</script>
+                                        <script>${basedir}/configure-ssl.cli</script>
+                                    </scripts>
+                                    <!-- Expressions resolved during server execution -->
+                                    <resolve-expressions>false</resolve-expressions>
+                                </packaging-script>
+                            </packaging-scripts>
+                            <!-- deploys the quickstart on root web context -->
+                            <name>ROOT.war</name>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>package</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        <profile>
+            <id>integration-testing</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <configuration>
+                            <includes>
+                                <include>**/BasicRuntimeIT</include>
+                            </includes>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>integration-test</goal>
+                                    <goal>verify</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
 </project>
@@ -0,0 +1,7 @@
+# Remove the keypairs and certificates from the keystore and truststore
+/subsystem=elytron/key-store=serverTS:remove-alias(alias=quickstartUser)
+/subsystem=elytron/key-store=clientKS:remove-alias(alias=quickstartUser)
+
+# Remove the keystore and truststore
+/subsystem=elytron/key-store=serverTS:remove
+/subsystem=elytron/key-store=clientKS:remove
@@ -3,13 +3,16 @@
 # Start batching commands
 batch
 
+# Remove the keypair with the alias server from the application keystore
+/subsystem=elytron/key-store=applicationKS:remove-alias(alias=server)
+/subsystem=elytron/key-store=applicationKS:store()
+
 # Remove the changes that were made to the default server-ssl-context
 /subsystem=elytron/server-ssl-context=applicationSSC:undefine-attribute(name=trust-manager)
 /subsystem=elytron/server-ssl-context=applicationSSC:undefine-attribute(name=need-client-auth)
 
 # Remove the trust manager and keystore configuration from the elytron subsystem
 /subsystem=elytron/trust-manager=qsTrustManager:remove
-/subsystem=elytron/key-store=qsTrustStore:remove
 
 # Run the batch commands
 run-batch