From 0ce40cecbce00104be54871ce87ca99cef2aa480 Mon Sep 17 00:00:00 2001
From: MichaelMorris
Date: Tue, 19 Sep 2023 09:48:04 +0100
Subject: sdc-BE TLS support
Signed-off-by: MichaelMorris
Issue-ID: SDC-4639
Change-Id: Id97c5331b52650f5da25caff4e9ad0166f39202a
---
 .../sdc-catalog-be/recipes/BE_4_jetty_Modules.rb | 16 +++++++++++++
 .../sdc-catalog-be/templates/default/ssl-ini.erb | 27 ++++++++++++++--------
 2 files changed, 34 insertions(+), 9 deletions(-)
(limited to 'catalog-be/src/main/docker/backend')
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb
index f029fb07fe..172888c773 100644
--- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb
+++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb
@@ -41,3 +41,19 @@ template "https-ini" do
     mode "0755"
     variables :https_port => "#{node['BE'][:https_port]}"
 end
+
+template "ssl-ini" do
+    path "#{ENV['JETTY_BASE']}/start.d/ssl.ini"
+    source "ssl-ini.erb"
+    owner "#{ENV['JETTY_USER']}"
+    group "#{ENV['JETTY_GROUP']}"
+    mode "0755"
+    variables ({
+        :https_port => "#{node['BE'][:https_port]}" ,
+        :keystore_path => "#{node['BE'][:keystore_path]}" ,
+        :keystore_password => "#{node['BE'][:keystore_password]}" ,
+        :truststore_path => "#{node['BE'][:truststore_path]}" ,
+        :truststore_password => "#{node['BE'][:truststore_password]}"
+    })
+end
+
diff --git a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb
index 278fdea2ae..d3c8bc187c 100644
--- a/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb
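Review bot: The rendered `ssl.ini` holds the keystore and truststore passwords in clear text, yet the new `template "ssl-ini"` resource keeps `mode "0755"`, which leaves the file readable by every user on the host; a secret-bearing file should be restricted, e.g. `mode "0600"` (or `"0640"` if a service group must read it), leaving 0755 to `https-ini`, which carries no secrets. Chef also echoes rendered template content and diffs into its log unless the resource is marked `sensitive true`, so that property belongs on this resource too. A smaller point: because every value is wrapped in `"#{...}"`, an unset attribute reaches the template as `""` rather than `nil`, so the template's `nil?` checks can never trigger; passing `node['BE'][:keystore_path]` and friends directly would make those checks meaningful, though the `strip.empty?` half already covers the current behaviour.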
+++ b/catalog-be/src/main/docker/backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb 
@@ -42,33 +42,42 @@ jetty.ssl.port=<%= @https_port %>
 ## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
 ## Keystore file path (relative to $jetty.base)
-jetty.sslContext.keyStorePath=etc/org.onap.sdc.p12
+<% unless @keystore_path.nil? || @keystore_path.strip.empty? -%>
+jetty.sslContext.keyStorePath=<%= @keystore_path %>
+<% end -%>
 ## Truststore file path (relative to $jetty.base)
-jetty.sslContext.trustStorePath=etc/org.onap.sdc.trust.jks
+<% unless @truststore_path.nil? || @truststore_path.strip.empty? -%>
+jetty.sslContext.trustStorePath=<%= @truststore_path %>
+<% end -%>
 ## Keystore password
-# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
-jetty.sslContext.keyStorePassword=<%= @jetty_keystore_pwd %>
+<% unless @keystore_password.nil? || @keystore_password.strip.empty? -%>
+jetty.sslContext.keyStorePassword=<%= @keystore_password %>
+<% end -%>
 ## Keystore type and provider
 # jetty.sslContext.keyStoreType=JKS
 # jetty.sslContext.keyStoreProvider=
 ## KeyManager password
-# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g
-jetty.sslContext.keyManagerPassword=<%= @jetty_keymanager_pwd %>
+<% unless @keystore_password.nil? || @keystore_password.strip.empty? -%>
+jetty.sslContext.keyManagerPassword=<%= @keystore_password %>
+<% end -%>
 ## Truststore password
-# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
-jetty.sslContext.trustStorePassword=<%= @jetty_truststore_pwd %>
+# tp<%= @truststore_password %>end
+# kp<%= @keystore_password %>end
+<% unless @truststore_password.nil? || @truststore_password.strip.empty? -%>
+jetty.sslContext.trustStorePassword=<%= @truststore_password %>
+<% end -%>
 ## Truststore type and provider
 # jetty.sslContext.trustStoreType=JKS
 # jetty.sslContext.trustStoreProvider=
 ## whether client certificate authentication is required
-# jetty.sslContext.needClientAuth=false
+jetty.sslContext.needClientAuth=<%= !@truststore_password.nil? && !@truststore_password.strip.empty? %>
 ## Whether client certificate authentication is desired
 # jetty.sslContext.wantClientAuth=false
-- 
cgit 1.2.3-korg
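Review bot: The two added comment lines `# tp<%= @truststore_password %>end` and `# kp<%= @keystore_password %>end` write both passwords into the rendered ssl.ini unconditionally, outside the `unless ... strip.empty?` guards, and read as leftover debugging output; they should be deleted before merge so the secrets appear only on the `keyStorePassword`, `keyManagerPassword` and `trustStorePassword` lines Jetty actually consumes. Separately, `jetty.sslContext.needClientAuth` is now derived solely from whether a truststore password is non-empty, so any deployment that supplies a truststore for a reason other than mutual TLS will start rejecting clients that present no certificate; a dedicated attribute, or at least a comment such as `## A non-empty truststore password switches mandatory client-certificate auth on`, would make that coupling explicit. Note that the `unless` guard on the truststore password also checks `nil?`, but the recipe interpolates every attribute into a String, so only the `strip.empty?` branch can ever fire here.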