https certs with aaf+pe containers compatibility

Change-Id: I21ed7a0fea5ea7d62857a077fa2568da4af99d26 Issue-ID: POLICY-1057 Signed-off-by: Jorge Hernandez <jh1730@att.com>
author: Jorge Hernandez <jh1730@att.com> 2018-08-17 16:23:07 -0500
committer: Jorge Hernandez <jh1730@att.com> 2018-08-17 16:31:12 -0500
commit: a7ad88d23b2a59a16c098b156c430a2fe3558023 (patch)
tree: 8056ad9763c6c34b30fe0a8dc0412d597e2c3d6f /packages/base/src
parent: 84df4a428ded309f750f52ac1c104ac84e426fc0 (diff)
9 files changed, 58 insertions, 11 deletions
diff --git a/packages/base/src/files/etc/profile.d/env.sh b/packages/base/src/files/etc/profile.d/env.sh
index 2484bbc42..90533bf89 100644
--- a/packages/base/src/files/etc/profile.d/env.sh
+++ b/packages/base/src/files/etc/profile.d/env.sh
@@ -1,8 +1,9 @@
+#!/usr/bin/env bash
 ###
 # ============LICENSE_START=======================================================
 # ONAP Policy Engine
 # ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,6 +24,7 @@ export POLICY_USER=${{POLICY_USER}}
 export POLICY_GROUP=${{POLICY_GROUP}}
 export POLICY_LOGS=${{POLICY_LOGS}}
 export KEYSTORE_PASSWD=${{KEYSTORE_PASSWD}}
+export TRUSTSTORE_PASSWD=${{TRUSTSTORE_PASSWD}}
 
 export JAVA_HOME=${{JAVA_HOME}}
 export PATH=${PATH}:${{POLICY_HOME}}/bin
diff --git a/packages/base/src/files/etc/ssl/ca-aaf.crt b/packages/base/src/files/etc/ssl/ca-aaf.crt
new file mode 100644
index 000000000..e9a50d7ea
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/ca-aaf.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV
+BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx
+NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK
+DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7
+XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn
+H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM
+pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7
+NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg
+2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY
+wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd
+ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM
+P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6
+aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY
+PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G
+A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ
+UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
+BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz
+L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9
+7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx
+c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf
+jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2
+RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h
+PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF
+CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+
+Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A
+cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR
+ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX
+dYY=
+-----END CERTIFICATE-----
diff --git a/packages/base/src/files/etc/ssl/policy-keystore b/packages/base/src/files/etc/ssl/policy-keystore
index c3890965b..b92217cf6 100644
--- a/packages/base/src/files/etc/ssl/policy-keystore
+++ b/packages/base/src/files/etc/ssl/policy-keystore
diff --git a/packages/base/src/files/etc/ssl/policy-truststore b/packages/base/src/files/etc/ssl/policy-truststore
new file mode 100644
index 000000000..8834ac257
--- /dev/null
+++ b/packages/base/src/files/etc/ssl/policy-truststore
diff --git a/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw b/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
index c951b12a4..837b7b96e 100644
--- a/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
+++ b/packages/base/src/files/install/servers/brmsgw/init.d/brmsgw
@@ -42,8 +42,8 @@ function um_start() {
 	JVM_JAVA_OPTS=("-Xms${COMPONENT_X_MS_MB}M" "-Xmx${COMPONENT_X_MX_MB}M") 
 	JVM_SECURITY+=("-Djavax.net.ssl.keyStore=${POLICY_HOME}/etc/ssl/policy-keystore") 
 	JVM_SECURITY+=("-Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWD}") 
-	JVM_SECURITY+=("-Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-keystore") 
-	JVM_SECURITY+=("-Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASSWD}") 
+	JVM_SECURITY+=("-Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-truststore") 
+	JVM_SECURITY+=("-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}") 
 	CMD_JAVA_OPTS+=("-DPOLICY_LOGS=${POLICY_LOGS}") 
  
 	JAVA_OPTS=("${JVM_JAVA_OPTS[@]}" "${JMX_JAVA_OPTS[@]}" "${JVM_SECURITY[@]}" "${CMD_JAVA_OPTS[@]}") 
diff --git a/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh b/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
index dc9bfbc36..d86f737f2 100644
--- a/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
+++ b/packages/base/src/files/install/servers/common/tomcat/bin/setenv.sh
@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 ###
 # ============LICENSE_START=======================================================
 # ONAP Policy Engine
@@ -24,8 +25,8 @@ CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
 CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
 CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.keyStore=${POLICY_HOME}/etc/ssl/policy-keystore"
 CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.keyStorePassword=${KEYSTORE_PASSWD}"
-CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-keystore"
-CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStorePassword=${KEYSTORE_PASSWD}"
+CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStore=${POLICY_HOME}/etc/ssl/policy-truststore"
+CATALINA_OPTS="${CATALINA_OPTS} -Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWD}"
 CATALINA_OPTS="${CATALINA_OPTS} -DPOLICY_LOGS=${POLICY_LOGS}"
 CATALINA_OPTS="${CATALINA_OPTS} -Xms${{TOMCAT_X_MS_MB}}M"
 CATALINA_OPTS="${CATALINA_OPTS} -Xmx${{TOMCAT_X_MX_MB}}M"
diff --git a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
index a78dfc82e..02c548c80 100644
--- a/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
+++ b/packages/base/src/files/install/servers/common/tomcat/conf/server.xml
@@ -104,10 +104,14 @@
          documentation -->
 
     <!-- Use http instead of https
+    Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+    passed in to the tomcat JVM:
+
     <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
-               keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
+               keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+               truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
     -->
     <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" />
diff --git a/packages/base/src/files/install/servers/configs/conf/server.xml b/packages/base/src/files/install/servers/configs/conf/server.xml
index ecbeb6e4d..3bccc6ffb 100644
--- a/packages/base/src/files/install/servers/configs/conf/server.xml
+++ b/packages/base/src/files/install/servers/configs/conf/server.xml
@@ -104,12 +104,16 @@
          OpenSSL style configuration is required as described in the APR/native
          documentation -->
 
-	<!--  
+	<!--
+	Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+	passed in to the tomcat JVM:
+
     <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
-               keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
-	-->         
+               keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+               truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
+	-->
 
 
     <!-- Define an AJP 1.3 Connector on port 8009 -->
diff --git a/packages/base/src/files/install/servers/console/conf/server.xml b/packages/base/src/files/install/servers/console/conf/server.xml
index 618a6a99a..5e6226742 100644
--- a/packages/base/src/files/install/servers/console/conf/server.xml
+++ b/packages/base/src/files/install/servers/console/conf/server.xml
@@ -106,11 +106,16 @@
          documentation
 	-->
 
-    <!-- ONAP portal currently using http instead of https 
+    <!-- ONAP portal currently using http instead of https
+
+    Setting the keystore and truststore in the connector, overrides the javax.net.ssl system properties
+    passed in to the tomcat JVM:
+
     <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
-               keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"/>
+               keystoreFile="${{POLICY_HOME}}/etc/ssl/policy-keystore" keystorePass="${{KEYSTORE_PASSWD}}"
+               truststoreFile="${{POLICY_HOME}}/etc/ssl/policy-truststore" truststorePass="${{TRUSTSTORE_PASSWD}}"/>
     -->
     <Connector port="${{SSL_HTTP_CONNECTOR_PORT}}" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" />
author	Jorge Hernandez <jh1730@att.com>	2018-08-17 16:23:07 -0500
committer	Jorge Hernandez <jh1730@att.com>	2018-08-17 16:31:12 -0500
commit	a7ad88d23b2a59a16c098b156c430a2fe3558023 (patch)
tree	8056ad9763c6c34b30fe0a8dc0412d597e2c3d6f /packages/base/src
parent	84df4a428ded309f750f52ac1c104ac84e426fc0 (diff)