author | Jorge Hernandez <jh1730@att.com> | 2018-08-17 16:23:07 -0500 |
committer | Jorge Hernandez <jh1730@att.com> | 2018-08-17 16:31:12 -0500 |
commit | a7ad88d23b2a59a16c098b156c430a2fe3558023 (patch) | |
tree | 8056ad9763c6c34b30fe0a8dc0412d597e2c3d6f | |
parent | 84df4a428ded309f750f52ac1c104ac84e426fc0 (diff) |
https certs with aaf+pe containers compatibility
Change-Id: I21ed7a0fea5ea7d62857a077fa2568da4af99d26
Issue-ID: POLICY-1057
Signed-off-by: Jorge Hernandez <jh1730@att.com>
-rw-r--r-- | packages/base/src/files/etc/profile.d/env.sh | 4 | ||||
-rw-r--r-- | packages/base/src/files/etc/ssl/ca-aaf.crt | 31 | ||||
-rw-r--r-- | packages/base/src/files/etc/ssl/policy-keystore | bin | 114865 -> 4535 bytes | |||
-rw-r--r-- | packages/base/src/files/etc/ssl/policy-truststore | bin | 0 -> 124180 bytes | |||
-rw-r--r-- | packages/base/src/files/install/servers/brmsgw/init.d/brmsgw | 4 | ||||
-rw-r--r-- | packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh | 5 | ||||
-rw-r--r-- | packages/base/src/files/install/servers/common/tomcat/conf/server.xml | 6 | ||||
-rw-r--r-- | packages/base/src/files/install/servers/configs/conf/server.xml | 10 | ||||
-rw-r--r-- | packages/base/src/files/install/servers/console/conf/server.xml | 9 | ||||
-rw-r--r-- | packages/docker/src/main/docker/do-start.sh | 7 | ||||
-rw-r--r-- | packages/docker/src/main/docker/docker-install.sh | 11 | ||||
-rw-r--r-- | packages/install/src/files/base.conf | 3 |
12 files changed, 75 insertions, 15 deletions
diff --git a/packages/base/src/files/etc/profile.d/env.sh b/packages/base/src/files/etc/profile.d/env.sh
index 2484bbc42..90533bf89 100644
--- a/packages/base/src/files/etc/profile.d/env.sh
+++ b/packages/base/src/files/etc/profile.d/env.sh
@@ -1,8 +1,9 @@
+#!/usr/bin/env bash
 ###
 # ============LICENSE_START=======================================================
 # ONAP Policy Engine
 # ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,6 +24,7 @@ export POLICY_USER=${{POLICY_USER}}
 export POLICY_GROUP=${{POLICY_GROUP}}
 export POLICY_LOGS=${{POLICY_LOGS}}
 export KEYSTORE_PASSWD=${{KEYSTORE_PASSWD}}
+export TRUSTSTORE_PASSWD=${{TRUSTSTORE_PASSWD}}
 export JAVA_HOME=${{JAVA_HOME}}
 export PATH=${PATH}:${{POLICY_HOME}}/bin
diff --git a/packages/base/src/files/etc/ssl/ca-aaf.crt b/packages/base/src/files/etc/ssl/ca-aaf.crt
new file mode 100644
index 000000000..e9a50d7ea
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/ca-aaf.crt
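Review bot: `TRUSTSTORE_PASSWD` is exported from the login profile next to `KEYSTORE_PASSWD`, which keeps the two consistent but also puts a second secret into the environment of every process started in the container, so the value shipped in base.conf must be overridden at deployment time rather than relied on. The `#!/usr/bin/env bash` line added here (and to setenv.sh in this commit) is informational only: do-start.sh sources this file with `. /opt/app/policy/etc/profile.d/env.sh`, and Tomcat's catalina.sh sources setenv.sh. A header comment such as `# sourced, not executed; the ${{...}} placeholders are filled in by docker-install.sh configure_component()` would make that explicit for the next reader.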
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV
+BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx
+NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK
+DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7
+XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn
+H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM
+pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7
+NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg
+2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY
+wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd
+ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM
+P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6
+aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY
+PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G
+A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ
+UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
+BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz
+L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9
+7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx
+c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf
+jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2
+RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h
+PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF
+CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+
+Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A
+cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR
+ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX
+dYY=
+-----END CERTIFICATE-----
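Review bot: ca-aaf.crt is added as a trust anchor with no record of where it came from or what fingerprint was expected, so a reviewer cannot verify it is the AAF root it is meant to be, and the matching policy-truststore is committed as an opaque binary rather than built from this file. Decoding the DER suggests a self-signed CA certificate (subject OU=OSAAF, O=ONAP, C=US, basicConstraints CA:TRUE) valid until 2038, which every outbound TLS connection from these containers will then trust; please confirm. Recording the SHA-256 fingerprint in the commit message or a README beside the file (`expected fingerprint: <sha256-fingerprint>`) and generating policy-truststore from ca-aaf.crt with keytool at build time would make the trust decision auditable and reproducible.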
diff --git a/packages/base/src/files/etc/ssl/policy-keystore b/packages/base/src/files/etc/ssl/policy-keystore
Binary files differ
index c3890965b..b92217cf6 100644
--- a/packages/base/src/files/etc/ssl/policy-keystore
+++ b/packages/base/src/files/etc/ssl/policy-keystore
diff --git a/packages/base/src/files/etc/ssl/policy-truststore b/packages/base/src/files/etc/ssl/policy-truststore
Binary files differ
new file mode 100644
index 000000000..8834ac257
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/policy-truststore
diff --git a/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw b/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
index c951b12a4..837b7b96e 100644
--- a/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
+++ b/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
@@ -42,8 +42,8 @@ function um_start() {
 JVM_JAVA_OPTS=("-Xms${COMPONENT_X_MS_MB}M" "-Xmx${COMPONENT_X_MX_MB}M")
 JVM_SECURITY+=("-Djavax.net.ssl.keyStore=${POLICY_HOME}/etc/ssl/policy-keystore")
 JVM_SECURITY+=("-Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWD}")
-JVM_SECURITY+=("-Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-keystore")
-JVM_SECURITY+=("-Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASSWD}")
+JVM_SECURITY+=("-Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-truststore")
+JVM_SECURITY+=("-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}")
 CMD_JAVA_OPTS+=("-DPOLICY_LOGS=${POLICY_LOGS}")
 JAVA_OPTS=("${JVM_JAVA_OPTS[@]}" "${JMX_JAVA_OPTS[@]}" "${JVM_SECURITY[@]}" "${CMD_JAVA_OPTS[@]}")
diff --git a/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh b/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
index dc9bfbc36..d86f737f2 100644
--- a/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
+++ b/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
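Review bot: `TRUSTSTORE_PASSWD` is used unchecked in the new `-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}` line: if the environment lacks it, the JVM receives the property with an empty value and, as far as I recall, then opens a JKS truststore without its integrity check, so a tampered truststore would load silently; a guard such as `: "${TRUSTSTORE_PASSWD:?TRUSTSTORE_PASSWD is not set}"` at the top of um_start would fail loudly instead. The password also travels on the java command line, where it is readable in the process list for the lifetime of the JVM, which mirrors the existing keyStorePassword line but is worth a comment now that a second secret is added. The same two points apply to the setenv.sh lines in this commit. um_start begins before this hunk and continues after it.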
@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 ###
 # ============LICENSE_START=======================================================
 # ONAP Policy Engine
@@ -24,8 +25,8 @@ CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
 CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
 CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.keyStore=${POLICY_HOME}/etc/ssl/policy-keystore"
 CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWD}"
-CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-keystore"
-CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASSWD}"
+CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-truststore"
+CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}"
 CATALINA_OPTS="${CATALINA_OPTS} -DPOLICY_LOGS=${POLICY_LOGS}"
 CATALINA_OPTS="${CATALINA_OPTS} -Xms${{TOMCAT_X_MS_MB}}M"
 CATALINA_OPTS="${CATALINA_OPTS} -Xmx${{TOMCAT_X_MX_MB}}M"
diff --git a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
index a78dfc82e..02c548c80 100644
--- a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
+++ b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
@@ -104,10 +104,14 @@ documentation -->
 <!-- Use http instead of https
+ Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+ passed in to the tomcat JVM:
+
 <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
 clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
- keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
+ keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+ truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
 -->
 <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxThreads="150" />
diff --git a/packages/base/src/files/install/servers/configs/conf/server.xml b/packages/base/src/files/install/servers/configs/conf/server.xml
index ecbeb6e4d..3bccc6ffb 100644
--- a/packages/base/src/files/install/servers/configs/conf/server.xml
+++ b/packages/base/src/files/install/servers/configs/conf/server.xml
@@ -104,12 +104,16 @@ OpenSSL style configuration is required as described in the APR/native documentation -->
- <!--
+ <!--
+ Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+ passed in to the tomcat JVM:
+
 <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS"
- keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
- -->
+ keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+ truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
+ -->
 <!-- Define an AJP 1.3 Connector on port 8009 -->
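Review bot: The connector sample that the new comment now invites operators to enable still carries `sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"`, so uncommenting it as described turns on TLS 1.0 and 1.1; since the block is being edited anyway, change it to `sslEnabledProtocols="TLSv1.2"` (the same sample is in console/conf/server.xml in this commit, while configs/conf/server.xml uses `sslProtocol="TLS"` and leaves protocol selection to JVM defaults). The new comment also has a stray comma: `Setting the keystore and truststore in the connector overrides the javax.net.ssl system properties passed in to the tomcat JVM:`. Note that after substitution `truststorePass` sits in plain text in server.xml, so the file's permissions matter as much as those of policy-truststore.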
diff --git a/packages/base/src/files/install/servers/console/conf/server.xml b/packages/base/src/files/install/servers/console/conf/server.xml
index 618a6a99a..5e6226742 100644
--- a/packages/base/src/files/install/servers/console/conf/server.xml
+++ b/packages/base/src/files/install/servers/console/conf/server.xml
@@ -106,11 +106,16 @@ documentation -->
- <!-- ONAP portal currently using http instead of https
+ <!-- ONAP portal currently using http instead of https
+
+ Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+ passed in to the tomcat JVM:
+
 <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
 clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
- keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
+ keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+ truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
 -->
 <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxThreads="150" />
diff --git a/packages/docker/src/main/docker/do-start.sh b/packages/docker/src/main/docker/do-start.sh
index 0179fad70..c655ce90a 100644
--- a/packages/docker/src/main/docker/do-start.sh
+++ b/packages/docker/src/main/docker/do-start.sh
@@ -64,11 +64,16 @@ else
 . /opt/app/policy/etc/profile.d/env.sh
+ # override the policy keystore and truststore if present
+ if [[ -f config/policy-keystore ]]; then
- # install policy keystore
 cp config/policy-keystore $POLICY_HOME/etc/ssl
 fi
+ if [[ -f config/policy-truststore ]]; then
+ cp -f config/policy-trustore ${POLICY_HOME}/etc/ssl
+ fi
+
 if [[ -f config/$container-tweaks.sh ]] ; then
 # file may not be executable; running it as an
 # argument to bash avoids needing execute perms.
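Review bot: The new truststore override can never take effect: the test checks `config/policy-truststore` but the copy reads `config/policy-trustore` (missing `s`), so `cp` fails with a no-such-file error and the truststore shipped in the image stays in place; whether that also aborts start-up depends on `set -e`, which is not visible in this hunk. Change the line to `cp -f config/policy-truststore "${POLICY_HOME}/etc/ssl"`, and while there make the keystore copy match, `cp -f config/policy-keystore "${POLICY_HOME}/etc/ssl"`, so both overrides are quoted and behave the same. The enclosing `else` branch begins before the hunk and continues after it.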
diff --git a/packages/docker/src/main/docker/docker-install.sh b/packages/docker/src/main/docker/docker-install.sh
index 09cba6e96..7176abf20 100644
--- a/packages/docker/src/main/docker/docker-install.sh
+++ b/packages/docker/src/main/docker/docker-install.sh
@@ -169,6 +169,7 @@ function configure_component() {
 SED_LINE+=" -e 's!\${{POLICY_USER}}!${POLICY_USER}!g' "
 SED_LINE+=" -e 's!\${{POLICY_GROUP}}!${POLICY_GROUP}!g' "
 SED_LINE+=" -e 's!\${{KEYSTORE_PASSWD}}!${KEYSTORE_PASSWD}!g' "
+ SED_LINE+=" -e 's!\${{TRUSTSTORE_PASSWD}}!${TRUSTSTORE_PASSWD}!g' "
 SED_LINE+=" -e 's!\${{JAVA_HOME}}!${JAVA_HOME}!g' "
 SED_LINE+=" -e 's!\${{COMPONENT_TYPE}}!${COMPONENT_TYPE}!g' "
 SED_LINE+=" -e 's!\${{POLICY_LOGS}}!${POLICY_LOGS}!g' "
@@ -405,10 +406,16 @@ function configure_keystore() {
 fi
 local DEFAULT_KEYSTORE_PASSWORD="Pol1cy_0nap"
+ local DEFAULT_KEYSTORE_PASSWORD='Pol1cy_0nap'
+
+ if [[ -n ${TRUSTSTORE_PASSWD} ]]; then
+ keytool -storepasswd -storepass "${DEFAULT_TRUSTSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -new "${TRUSTSTORE_PASSWD}"
+ keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-truststore" -storepass "${TRUSTSTORE_PASSWD}"
+ fi
 if [[ -n ${KEYSTORE_PASSWD} ]]; then
- keytool -storepasswd -storepass ${DEFAULT_KEYSTORE_PASSWORD} -keystore ${POLICY_HOME}/etc/ssl/policy-keystore -new ${KEYSTORE_PASSWD}
- keytool -list -keystore ${POLICY_HOME}/etc/ssl/policy-keystore -storepass ${KEYSTORE_PASSWD}
+ keytool -storepasswd -storepass "${DEFAULT_KEYSTORE_PASSWORD}" -keystore "${POLICY_HOME}/etc/ssl/policy-keystore" -new "${KEYSTORE_PASSWD}"
+ keytool -list -keystore "${POLICY_HOME}/etc/ssl/policy-keystore" -storepass "${KEYSTORE_PASSWD}"
 fi
 }
diff --git a/packages/install/src/files/base.conf b/packages/install/src/files/base.conf
index 25a2a355d..dbf5da79c 100644
--- a/packages/install/src/files/base.conf
+++ b/packages/install/src/files/base.conf
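Review bot: `${TRUSTSTORE_PASSWD}` is spliced verbatim into a sed program (`SED_LINE+=" -e 's!\${{TRUSTSTORE_PASSWD}}!${TRUSTSTORE_PASSWD}!g' "`), so a password containing `!`, `&`, `\` or a newline corrupts or alters the substitution instead of being written into the config files; the old base.conf default `PolicyR0ck$` shows that punctuation in these values is realistic. The existing `KEYSTORE_PASSWD` line has the same limitation. Escape the value first, e.g. `ts_pw=$(printf '%s' "${TRUSTSTORE_PASSWD}" | sed 's/[!&\\]/\\&/g')` and splice `${ts_pw}`, or at least document the character restriction next to the variable in base.conf. configure_component begins before this hunk and continues after it.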
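Review bot: `DEFAULT_TRUSTSTORE_PASSWORD` is never defined: the added declaration repeats `local DEFAULT_KEYSTORE_PASSWORD='Pol1cy_0nap'`, so the new branch runs `keytool -storepasswd -storepass "" ...`, the password change fails, and the following `keytool -list -storepass "${TRUSTSTORE_PASSWD}"` fails too (whether the installer aborts depends on `set -e`, not visible here); the intended line is `local DEFAULT_TRUSTSTORE_PASSWORD='Pol1cy_0nap'`. Both keytool invocations also pass the current and new store passwords as arguments, visible in the process list while they run; keytool accepts `-storepass:env VARNAME` for the current password, which is worth using if the install host is shared. configure_keystore begins before this hunk.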
@@ -21,7 +21,8 @@ JAVA_HOME=/usr/lib/jvm/java-8-oracle
 POLICY_HOME=/opt/app/policy
 POLICY_LOGS=/opt/app/policy/logs
-KEYSTORE_PASSWD=PolicyR0ck$
+KEYSTORE_PASSWD=Pol1cy_0nap
+TRUSTSTORE_PASSWD=Pol1cy_0nap
 JDBC_DRIVER=org.mariadb.jdbc.Driver
 JDBC_URL=jdbc:mariadb://localhost:3306/onap_sdk |
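Review bot: Both store passwords now ship as the same value, `Pol1cy_0nap`, which is also the hard-coded default that configure_keystore() in docker-install.sh starts from, so a deployment that does not override `KEYSTORE_PASSWD` and `TRUSTSTORE_PASSWD` runs with credentials that are public in this repository. A comment above the two lines, `# development defaults; override KEYSTORE_PASSWD and TRUSTSTORE_PASSWD in every real deployment`, would at least make that visible to whoever copies this file. The truststore password only protects the integrity of the store, so a weak value there is less severe than a weak keystore password, which guards the private key.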