author | Michael Mokry <mm117s@att.com> | 2018-08-22 11:07:09 -0500 |
---|---|---|
committer | Michael Mokry <mm117s@att.com> | 2018-08-22 11:07:09 -0500 |
commit | e1f88b91981a22cc63019d1d6b73089566425383 (patch) | |
tree | cccbd84ca14392fe6eba31ebaa450a0dc2937af1 | |
parent | c25e4d412eb573de020ba4e5da48f48451217f52 (diff) |
policy/engine changes to support PE https
Enabled the https connector in server.xml and modified docker-install.sh
to fix the name of the default-password variable used for the policy truststore
Change-Id: I6db6a6d2353130c91c1f344ea7927d187150adca
Issue-ID: POLICY-781
Signed-off-by: Michael Mokry <mm117s@att.com>
4 files changed, 22 insertions, 23 deletions
diff --git a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
index 02c548c80..7bd6ca3d2 100644
--- a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
+++ b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
@@ -105,16 +105,18 @@
 <!-- Use http instead of https Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
- passed in to the tomcat JVM:
+ passed in to the tomcat JVM: -->
 <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}" truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
- -->
+
+
+ <!-- Use http instead of https
 <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
- maxThreads="150" />
+ maxThreads="150" />-->
 <!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="${{SSL_AJP_CONNECTOR_PORT}}" protocol="AJP/1.3" redirectPort="${{SSL_AJP_CONNECTOR_REDIRECT_PORT}}" />
diff --git a/packages/base/src/files/install/servers/configs/conf/server.xml b/packages/base/src/files/install/servers/configs/conf/server.xml
index 3bccc6ffb..9c45721b9 100644
--- a/packages/base/src/files/install/servers/configs/conf/server.xml
+++ b/packages/base/src/files/install/servers/configs/conf/server.xml
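Review bot: The HTTPS connector this hunk brings live still carries `sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"` (the context line right under the added `passed in to the tomcat JVM: -->`), so the newly exposed listener also accepts TLS 1.0 and 1.1, both deprecated by RFC 8996; `sslEnabledProtocols="TLSv1.2"` would be the safer default unless a known client still needs the older versions. The same list is added in the configs/conf/server.xml hunk at -104,24 and activated in the console/conf/server.xml hunk at -107,25, so all three should be decided together. The retained comment `<!-- Use http instead of https …` now heads the active HTTPS connector and no longer describes it; something like `<!-- HTTPS connector: keystore and truststore set here override the javax.net.ssl system properties passed to the tomcat JVM -->` would match the new state.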
@@ -87,10 +87,11 @@ Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 -->
- <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="HTTP/1.1"
+ <!-- Use http instead of https -->
+<!-- <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="HTTP/1.1"
 connectionTimeout="20000" redirectPort="${{SSL_HTTP_CONNECTOR_REDIRECT_PORT}}" />
-
+ -->
 <!-- A "Connector" using the shared thread pool--> <!-- <Connector executor="tomcatThreadPool"
@@ -104,24 +105,25 @@ OpenSSL style configuration is required as described in the APR/native documentation -->
- <!--
+ <!--Use https instead of http
 Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
- passed in to the tomcat JVM:
+ passed in to the tomcat JVM: -->
 <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
- clientAuth="false" sslProtocol="TLS"
+ clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
 keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}" truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
- -->
-
+ <!-- Use http instead of https
+ <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" /> -->
+
 <!-- Define an AJP 1.3 Connector on port 8009 --> <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
-
 <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them
diff --git a/packages/base/src/files/install/servers/console/conf/server.xml b/packages/base/src/files/install/servers/console/conf/server.xml
index 5e6226742..dbeb6396d 100644
--- a/packages/base/src/files/install/servers/console/conf/server.xml
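Review bot: The added comment `<!-- Use http instead of https -->` sits directly above the plain HTTP connector that this hunk comments out, so it states the opposite of what the change does; `<!-- Plain HTTP connector disabled; the HTTPS connector below is used instead -->` would describe the new behaviour. The added `+<!-- <Connector port=` line appears to start at column 0 while the surrounding block is indented, which makes the commented-out region easy to miss when scanning the file. The second hunk in this file, at -104,24, wraps its disabled connector in the same `<!-- Use http instead of https` wording and would benefit from the same fix.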
+++ b/packages/base/src/files/install/servers/console/conf/server.xml
@@ -107,25 +107,21 @@
 --> <!-- ONAP portal currently using http instead of https
- Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
- passed in to the tomcat JVM:
-
+ passed in to the tomcat JVM: -->
+ <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
- truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
- -->
- <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
- maxThreads="150" />
-
-
+ truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}" />
+
+<!--<Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" /> -->
 <!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="${{SSL_AJP_CONNECTOR_PORT}}" protocol="AJP/1.3" redirectPort="${{SSL_AJP_CONNECTOR_REDIRECT_PORT}}" />
-
 <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them
diff --git a/packages/docker/src/main/docker/docker-install.sh b/packages/docker/src/main/docker/docker-install.sh
index 7176abf20..3700e5731 100644
--- a/packages/docker/src/main/docker/docker-install.sh
+++ b/packages/docker/src/main/docker/docker-install.sh
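Review bot: The comment kept at the top of the hunk, `<!-- ONAP portal currently using http instead of https`, is now stale: the plain HTTP connector is commented out (`+<!--<Connector port=…`) and the HTTPS connector is the only HTTP/1.1 listener left, so if that statement about the portal is still true the portal's path to this server has no endpoint, and if it is not, the comment should say so. After the deletions the comment also runs straight into the added `passed in to the tomcat JVM: -->`, leaving a sentence fragment; `<!-- HTTPS connector: keystore and truststore set here override the javax.net.ssl system properties passed to the tomcat JVM -->` would read cleanly. `clientAuth="false"` stays on the connector, which is the expected setting for a server-authenticated endpoint but is worth a one-line comment so a later reader does not take it for an oversight.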
@@ -405,11 +405,10 @@ function configure_keystore() {
 set -x
 fi
- local DEFAULT_KEYSTORE_PASSWORD="Pol1cy_0nap"
 local DEFAULT_KEYSTORE_PASSWORD='Pol1cy_0nap'
 if [[ -n ${TRUSTSTORE_PASSWD} ]]; then
- keytool -storepasswd -storepass "${DEFAULT_TRUSTSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -new "${TRUSTSTORE_PASSWD}"
+ keytool -storepasswd -storepass "${DEFAULT_KEYSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -new "${TRUSTSTORE_PASSWD}"
 keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -storepass "${TRUSTSTORE_PASSWD}"
 fi |
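Review bot: The corrected `keytool -storepasswd` call passes both the default and the new truststore password as command-line arguments, and the `set -x` turned on a few lines above (its condition is outside the hunk) would echo both to the trace output, in addition to their visibility in process listings; turning tracing off around the two keytool calls with `set +x`, or letting keytool prompt on stdin instead of using `-storepass`/`-new`, keeps the secrets out of logs. The password change is also unchecked: if `keytool -storepasswd` fails, the following `keytool -list` runs with a password that was never applied, so `keytool -storepasswd … -new "${TRUSTSTORE_PASSWD}" || return 1` would surface the failure unless the script already relies on `set -e`. configure_keystore begins before this hunk and its remaining body is not visible here.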