summaryrefslogtreecommitdiffstats
path: root/catalog-fe
diff options
context:
space:
mode:
authorMichaelMorris <michael.morris@est.tech>2023-10-03 09:58:40 +0100
committerMichael Morris <michael.morris@est.tech>2023-10-26 15:43:18 +0000
commit95c95b08ae8fa2592852168ec11b9aff3a6a31d5 (patch)
treec1236ae2fa93b900ce39e685122ceab677127582 /catalog-fe
parent0ce40cecbce00104be54871ce87ca99cef2aa480 (diff)
TLS support in sdc-fe
Signed-off-by: MichaelMorris <michael.morris@est.tech> Issue-ID: SDC-4642 Change-Id: I960c0a114889c7b5c1c7924cefff93168132e2b6
Diffstat (limited to 'catalog-fe')
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.p12bin4443 -> 0 bytes
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.trust.jksbin1413 -> 0 bytes
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_6_locate_keystore.rb21
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_6_setup_key_and_trust_store.rb21
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb7
-rw-r--r--catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb27
-rw-r--r--catalog-fe/sdc-frontend/chef-solo/roles/catalog-fe.json2
-rw-r--r--catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/HealthCheckScheduledTask.java23
-rw-r--r--catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/SSLProxyServlet.java13
9 files changed, 77 insertions, 37 deletions
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.p12 b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.p12
deleted file mode 100644
index 446856071b..0000000000
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.p12
+++ /dev/null
Binary files differ
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.trust.jks b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.trust.jks
deleted file mode 100644
index e6686cc08c..0000000000
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.trust.jks
+++ /dev/null
Binary files differ
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_6_locate_keystore.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_6_locate_keystore.rb
deleted file mode 100644
index 50cb2639e8..0000000000
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_6_locate_keystore.rb
+++ /dev/null
@@ -1,21 +0,0 @@
-directory "Jetty_etcdir_creation" do
- path "#{ENV['JETTY_BASE']}/etc"
- owner "#{ENV['JETTY_USER']}"
- group "#{ENV['JETTY_GROUP']}"
- mode '0755'
- action :create
-end
-
-cookbook_file "#{ENV['JETTY_BASE']}/etc/org.onap.sdc.p12" do
- source "org.onap.sdc.p12"
- owner "#{ENV['JETTY_USER']}"
- group "#{ENV['JETTY_GROUP']}"
- mode 0755
-end
-
-cookbook_file "#{ENV['JETTY_BASE']}/etc/org.onap.sdc.trust.jks" do
- source "org.onap.sdc.trust.jks"
- owner "#{ENV['JETTY_USER']}"
- group "#{ENV['JETTY_GROUP']}"
- mode 0755
-end
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_6_setup_key_and_trust_store.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_6_setup_key_and_trust_store.rb
new file mode 100644
index 0000000000..2585d1b449
--- /dev/null
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_6_setup_key_and_trust_store.rb
@@ -0,0 +1,21 @@
+#Set the http module option
+if node['FE'][:tls_cert]
+ execute "generate-keystore" do
+ command "openssl pkcs12 -inkey #{node['FE'][:tls_key]} -in #{node['FE'][:tls_cert]} -export -out /tmp/keystore.pkcs12 -passin pass:#{node['FE'][:tls_password]} -passout pass:#{node['FE'][:tls_password]}"
+ end
+
+ execute "import-keystore" do
+ command "keytool -importkeystore -srcstoretype PKCS12 -srckeystore /tmp/keystore.pkcs12 -srcstorepass #{node['FE'][:tls_password]} -destkeystore #{ENV['JETTY_BASE']}/#{node['FE'][:keystore_path]} -deststorepass #{node['FE'][:keystore_password]} -noprompt"
+ end
+end
+
+if node['FE'][:ca_cert]
+ execute "delete-existing-ca-alias" do
+ command "keytool -delete -alias sdc-be -storepass #{node['FE'][:truststore_password]} -keystore #{ENV['JETTY_BASE']}/#{node['FE'][:truststore_path]}"
+ returns [0, 1]
+ end
+
+ execute "generate-truststore" do
+ command "keytool -import -alias sdc-be -file #{node['FE'][:ca_cert]} -storetype JKS -keystore #{ENV['JETTY_BASE']}/#{node['FE'][:truststore_path]} -storepass #{node['FE'][:truststore_password]} -noprompt"
+ end
+end
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb
index 734c05ae02..3a7433e9df 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb
@@ -49,8 +49,9 @@ template "ssl-ini" do
mode "0755"
variables({
:https_port => "#{node['FE'][:https_port]}" ,
- :jetty_keystore_pwd => "#{node['jetty'][:keystore_pwd]}" ,
- :jetty_keymanager_pwd => "#{node['jetty'][:keymanager_pwd]}" ,
- :jetty_truststore_pwd => "#{node['jetty'][:truststore_pwd]}"
+ :keystore_path => "#{node['FE'][:keystore_path]}" ,
+ :keystore_password => "#{node['FE'][:keystore_password]}" ,
+ :truststore_path => "#{node['FE'][:truststore_path]}" ,
+ :truststore_password => "#{node['FE'][:truststore_password]}"
})
end
diff --git a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb
index 278fdea2ae..d3c8bc187c 100644
--- a/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb
+++ b/catalog-fe/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb
@@ -42,33 +42,42 @@ jetty.ssl.port=<%= @https_port %>
## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
## Keystore file path (relative to $jetty.base)
-jetty.sslContext.keyStorePath=etc/org.onap.sdc.p12
+<% unless @keystore_path.nil? || @keystore_path.strip.empty? -%>
+jetty.sslContext.keyStorePath=<%= @keystore_path %>
+<% end -%>
## Truststore file path (relative to $jetty.base)
-jetty.sslContext.trustStorePath=etc/org.onap.sdc.trust.jks
+<% unless @truststore_path.nil? || @truststore_path.strip.empty? -%>
+jetty.sslContext.trustStorePath=<%= @truststore_path %>
+<% end -%>
## Keystore password
-# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
-jetty.sslContext.keyStorePassword=<%= @jetty_keystore_pwd %>
+<% unless @keystore_password.nil? || @keystore_password.strip.empty? -%>
+jetty.sslContext.keyStorePassword=<%= @keystore_password %>
+<% end -%>
## Keystore type and provider
# jetty.sslContext.keyStoreType=JKS
# jetty.sslContext.keyStoreProvider=
## KeyManager password
-# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g
-jetty.sslContext.keyManagerPassword=<%= @jetty_keymanager_pwd %>
+<% unless @keystore_password.nil? || @keystore_password.strip.empty? -%>
+jetty.sslContext.keyManagerPassword=<%= @keystore_password %>
+<% end -%>
## Truststore password
-# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
-jetty.sslContext.trustStorePassword=<%= @jetty_truststore_pwd %>
+# tp<%= @truststore_password %>end
+# kp<%= @keystore_password %>end
+<% unless @truststore_password.nil? || @truststore_password.strip.empty? -%>
+jetty.sslContext.trustStorePassword=<%= @truststore_password %>
+<% end -%>
## Truststore type and provider
# jetty.sslContext.trustStoreType=JKS
# jetty.sslContext.trustStoreProvider=
## whether client certificate authentication is required
-# jetty.sslContext.needClientAuth=false
+jetty.sslContext.needClientAuth=<%= !@truststore_password.nil? && !@truststore_password.strip.empty? %>
## Whether client certificate authentication is desired
# jetty.sslContext.wantClientAuth=false
diff --git a/catalog-fe/sdc-frontend/chef-solo/roles/catalog-fe.json b/catalog-fe/sdc-frontend/chef-solo/roles/catalog-fe.json
index 44bb56b5be..815a38c39a 100644
--- a/catalog-fe/sdc-frontend/chef-solo/roles/catalog-fe.json
+++ b/catalog-fe/sdc-frontend/chef-solo/roles/catalog-fe.json
@@ -15,7 +15,7 @@
"recipe[sdc-catalog-fe::FE_3_errors_config]",
"recipe[sdc-catalog-fe::FE_4_logback]",
"recipe[sdc-catalog-fe::FE_5_rest_configuration]",
- "recipe[sdc-catalog-fe::FE_6_locate_keystore]",
+ "recipe[sdc-catalog-fe::FE_6_setup_key_and_trust_store]",
"recipe[sdc-catalog-fe::FE_7_create_jetty_modules]",
"recipe[sdc-catalog-fe::FE_8_prepareProbeFile]"
],
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/HealthCheckScheduledTask.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/HealthCheckScheduledTask.java
index 2d99f84b9a..0db9fe9a44 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/HealthCheckScheduledTask.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/impl/HealthCheckScheduledTask.java
@@ -37,15 +37,22 @@ import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
+
+import javax.servlet.ServletException;
+
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;
+import org.eclipse.jetty.client.HttpClient;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.onap.config.api.JettySSLUtils;
import org.openecomp.sdc.common.api.Constants;
import org.openecomp.sdc.common.api.HealthCheckInfo;
import org.openecomp.sdc.common.api.HealthCheckWrapper;
import org.openecomp.sdc.common.config.EcompErrorEnum;
import org.openecomp.sdc.common.http.client.api.HttpRequest;
import org.openecomp.sdc.common.http.client.api.HttpResponse;
+import org.openecomp.sdc.common.http.config.ClientCertificate;
import org.openecomp.sdc.common.http.config.HttpClientConfig;
import org.openecomp.sdc.common.http.config.Timeouts;
import org.openecomp.sdc.common.impl.ExternalConfiguration;
@@ -116,7 +123,9 @@ public class HealthCheckScheduledTask implements Runnable {
if (healthCheckUrl != null) {
ObjectMapper mapper = new ObjectMapper();
try {
- HttpResponse<String> response = HttpRequest.get(healthCheckUrl, new HttpClientConfig(new Timeouts(connectTimeoutMs, readTimeoutMs)));
+ HttpClientConfig clientConfig = new HttpClientConfig(new Timeouts(connectTimeoutMs, readTimeoutMs), getHttpClientCertificate());
+
+ HttpResponse<String> response = HttpRequest.get(healthCheckUrl, clientConfig);
int beStatus = response.getStatusCode();
if (beStatus == HttpStatus.SC_OK || beStatus == HttpStatus.SC_INTERNAL_SERVER_ERROR) {
String beJsonResponse = response.getResponse();
@@ -135,6 +144,15 @@ public class HealthCheckScheduledTask implements Runnable {
String compName = requestedByBE ? Constants.HC_COMPONENT_FE : baseComponent;
return Collections.singletonList(new HealthCheckInfo(compName, HealthCheckInfo.HealthCheckStatus.DOWN, null, description.toString()));
}
+
+ private ClientCertificate getHttpClientCertificate() {
+ ClientCertificate clientCertificate = new ClientCertificate();
+ clientCertificate.setKeyStore(JettySSLUtils.getSSLConfig().getKeystorePath());
+ clientCertificate.setKeyStorePassword(JettySSLUtils.getSSLConfig().getKeystorePass(), false);
+ clientCertificate.setTrustStore(JettySSLUtils.getSSLConfig().getTruststorePath());
+ clientCertificate.setTrustStorePassword(JettySSLUtils.getSSLConfig().getTruststorePass());
+ return clientCertificate;
+ }
private String getExternalComponentHcUri(String baseComponent) {
String healthCheckUri = null;
@@ -197,7 +215,8 @@ public class HealthCheckScheduledTask implements Runnable {
ErrorLogOptionalData errorLogOptionalData = ErrorLogOptionalData.newBuilder().targetEntity(LOG_TARGET_ENTITY_BE)
.targetServiceName(LOG_SERVICE_NAME).build();
try {
- HttpResponse<String> response = HttpRequest.get(redirectedUrl, new HttpClientConfig(new Timeouts(connectTimeoutMs, readTimeoutMs)));
+ HttpClientConfig clientConfig = new HttpClientConfig(new Timeouts(connectTimeoutMs, readTimeoutMs), getHttpClientCertificate());
+ HttpResponse<String> response = HttpRequest.get(redirectedUrl, clientConfig);
log.debug("HC call to BE - status code is {}", response.getStatusCode());
String beJsonResponse = response.getResponse();
feAggHealthCheck = getFeHealthCheckInfos(gson, beJsonResponse);
diff --git a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/SSLProxyServlet.java b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/SSLProxyServlet.java
index 891bc4ae34..0923716bd0 100644
--- a/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/SSLProxyServlet.java
+++ b/catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/SSLProxyServlet.java
@@ -20,9 +20,11 @@
package org.openecomp.sdc.fe.servlets;
import javax.servlet.ServletException;
+
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.proxy.ProxyServlet;
import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.onap.config.api.JettySSLUtils;
import org.openecomp.sdc.common.api.Constants;
import org.openecomp.sdc.fe.config.Configuration;
import org.openecomp.sdc.fe.config.ConfigurationManager;
@@ -52,8 +54,17 @@ public abstract class SSLProxyServlet extends ProxyServlet {
}
private HttpClient getSecureHttpClient() throws ServletException {
+ final JettySSLUtils.JettySslConfig sslConfig = JettySSLUtils.getSSLConfig();
+ SslContextFactory sslContextFactory = new SslContextFactory.Client();
+ sslContextFactory.setKeyStorePath(sslConfig.getKeystorePath());
+ sslContextFactory.setKeyStorePassword(sslConfig.getKeystorePass());
+ sslContextFactory.setKeyManagerPassword(sslConfig.getKeystorePass());
+ sslContextFactory.setTrustStorePath(sslConfig.getTruststorePath());
+ sslContextFactory.setTrustStorePassword(sslConfig.getTruststorePass());
+ sslContextFactory.setKeyStorePath(sslConfig.getKeystorePath());
+
// Instantiate HttpClient with the SslContextFactory
- final var httpClient = new HttpClient(new SslContextFactory.Client(true));
+ final var httpClient = new HttpClient(sslContextFactory);
// Configure HttpClient, for example:
httpClient.setFollowRedirects(false);
// Start HttpClient