From 7890e823b1ffc4e494fb581610aad9a82bac6b66 Mon Sep 17 00:00:00 2001
From: "k.kedron"
Date: Wed, 21 Aug 2019 13:31:02 +0200
Subject: Fully HTTPS support in the webseal-simulator

Updated the HTTPS configuration:
-Added truststore certificate.
-Updated configuration to use JETTY_BASE env value instead hardcoded variable
-Updated jvm configuration to support call to the SDC components using HTTPS.
-Added support for the disableHttp flag.

Issue-ID: SDC-2517
Signed-off-by: Krystian Kedron
Change-Id: Ib7f4c7a6762c56c8031ba6734f02d388aaefd722
---
 .../files/default/org.onap.sdc.trust.jks | Bin 0 -> 1413 bytes
 .../recipes/SDC_Simulator_1_cleanup_jettydir.rb | 8 ++-
 .../recipes/SDC_Simulator_2_setup_configuration.rb | 4 +-
 .../recipes/SDC_Simulator_3_logback.rb | 4 +-
 .../recipes/SDC_Simulator_4_locate_keystore.rb | 13 +++--
 .../SDC_Simulator_5_create_jetty_modules.rb | 58 +++++++++++++++------
 .../templates/default/SDC-Simulator-http-ini.erb | 29 +++++++++++
 .../templates/default/SDC-Simulator-ssl-ini.erb | 6 +--
 8 files changed, 87 insertions(+), 35 deletions(-)
 create mode 100644 utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/org.onap.sdc.trust.jks
 create mode 100644 utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-http-ini.erb
(limited to 'utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks')
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/org.onap.sdc.trust.jks b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/org.onap.sdc.trust.jks
new file mode 100644
index 0000000000..342c4f2ad7
Binary files /dev/null and b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/org.onap.sdc.trust.jks differ
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_1_cleanup_jettydir.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_1_cleanup_jettydir.rb
index bb67b8cdbc..c02aa7e58d 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_1_cleanup_jettydir.rb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_1_cleanup_jettydir.rb
@@ -1,7 +1,5 @@
-jetty_base="/var/lib/jetty"
-
 directory "SDC_Simulator_tempdir_creation" do
- path "#{jetty_base}/temp"
+ path "#{ENV['JETTY_BASE']}/temp"
 owner 'jetty'
 group 'jetty'
 mode '0755'
@@ -10,7 +8,7 @@ end
 directory "SDC_Simulator_create_config_dir" do
- path "#{jetty_base}/config"
+ path "#{ENV['JETTY_BASE']}/config"
 owner 'jetty'
 group 'jetty'
 mode '0755'
@@ -19,7 +17,7 @@ end
 directory "SDC_Simulator_create_sdc-simulator" do
- path "#{jetty_base}/config/sdc-simulator"
+ path "#{ENV['JETTY_BASE']}/config/sdc-simulator"
 owner 'jetty'
 group 'jetty'
 mode '0755'
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
index 62f95a7e9e..bf859f13a3 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_2_setup_configuration.rb
@@ -1,5 +1,3 @@
-jetty_base="/var/lib/jetty"
-
 if ENV['FE_URL'] && !ENV['FE_URL'].empty?
 fe_url="#{ENV['FE_URL']}"
 elsif node['disableHttp']
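Review bot: Every `path` in this hunk interpolates `ENV['JETTY_BASE']`, so if the variable is missing from the converge environment the strings silently become `/temp`, `/config` and `/config/sdc-simulator` and the recipe creates jetty-owned directories at the filesystem root instead of failing. `ENV.fetch('JETTY_BASE')` raises a KeyError naming the variable at the first use, e.g. `path "#{ENV.fetch('JETTY_BASE')}/temp"`. The same pattern is introduced in SDC_Simulator_2_setup_configuration.rb, SDC_Simulator_3_logback.rb, SDC_Simulator_4_locate_keystore.rb and SDC_Simulator_5_create_jetty_modules.rb, where `ENV['JETTY_HOME']` has the same gap and the `bash` resource would `cd` to `/` before running start.jar. Presumably the container image exports both variables, but the recipes no longer carry a default of their own, so the failure mode has changed from a wrong-but-contained path to writes outside the Jetty tree.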
@@ -10,7 +8,7 @@ end
 template "webseal.conf" do
- path "#{jetty_base}/config/sdc-simulator/webseal.conf"
+ path "#{ENV['JETTY_BASE']}/config/sdc-simulator/webseal.conf"
 source "SDC-Simulator-webseal.conf.erb"
 owner "jetty"
 group "jetty"
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_3_logback.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_3_logback.rb
index 7a2069ddfb..06151fe1fc 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_3_logback.rb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_3_logback.rb
@@ -1,7 +1,5 @@
-jetty_base="/var/lib/jetty"
-
 cookbook_file "log4j.properties" do
- path "#{jetty_base}/config/sdc-simulator/log4j.properties"
+ path "#{ENV['JETTY_BASE']}/config/sdc-simulator/log4j.properties"
 source "log4j.properties"
 owner "jetty"
 group "jetty"
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_4_locate_keystore.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_4_locate_keystore.rb
index 8358e28339..e0b106de72 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_4_locate_keystore.rb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_4_locate_keystore.rb
@@ -1,16 +1,21 @@
-jetty_base="/var/lib/jetty"
-
 directory "Jetty_etcdir_creation" do
- path "/#{jetty_base}/etc"
+ path "#{ENV['JETTY_BASE']}/etc"
 owner 'jetty'
 group 'jetty'
 mode '0755'
 action :create
 end
-cookbook_file "/#{jetty_base}/etc/org.onap.sdc.trust.jks" do
+cookbook_file "#{ENV['JETTY_BASE']}/etc/org.onap.sdc.trust.jks" do
 source "org.onap.sdc.trust.jks"
 owner "jetty"
 group "jetty"
 mode 0755
 end
+
+cookbook_file "#{ENV['JETTY_BASE']}/etc/org.onap.sdc.p12" do
+ source "org.onap.sdc.p12"
+ owner "jetty"
+ group "jetty"
+ mode 0755
+end
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_5_create_jetty_modules.rb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_5_create_jetty_modules.rb
index 4f7e710d63..71366a5148 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_5_create_jetty_modules.rb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/recipes/SDC_Simulator_5_create_jetty_modules.rb
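Review bot: The new `cookbook_file` for `org.onap.sdc.p12` installs it with `mode 0755`, so the file that this same change points `jetty.sslContext.keyStorePath` at in SDC-Simulator-ssl-ini.erb — the server keystore, which as a TLS keystore carries the private key — is readable by every local user, and the execute bits serve no purpose on a data file. The resource already sets `owner "jetty"`, so `mode 0600` is enough for Jetty to load it; the truststore resource above it only ships public certificates, so `0644` is appropriate there. The world-readable mode on the truststore predates this commit, but the private-key material is new to the tree.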
@@ -1,39 +1,63 @@
-jetty_base="/var/lib/jetty"
-jetty_home="/usr/local/jetty"
+#
+# Set the http module option
+if node['disableHttp']
+ http_option = "#--module=http"
+else
+ http_option = "--module=http"
+end
+
 bash "create-jetty-modules" do
-cwd "#{jetty_base}"
-code <<-EOH
- cd "#{jetty_base}"
- java -jar "/#{jetty_home}"/start.jar --add-to-start=deploy
- java -jar "/#{jetty_home}"/start.jar --create-startd --add-to-start=http,https,console-capture,setuid
-EOH
+ cwd "#{ENV['JETTY_BASE']}"
+ code <<-EOH
+ cd "#{ENV['JETTY_BASE']}"
+ java -jar "#{ENV['JETTY_HOME']}"/start.jar --add-to-start=deploy
+ java -jar "#{ENV['JETTY_HOME']}"/start.jar --create-startd --add-to-start=http,https,console-capture,setuid
+ EOH
 end
-template "ssl-ini" do
- path "/#{jetty_base}/start.d/ssl.ini"
- source "SDC-Simulator-ssl-ini.erb"
+
+template "http-ini" do
+ path "#{ENV['JETTY_BASE']}/start.d/http.ini"
+ source "SDC-Simulator-http-ini.erb"
 owner "jetty"
 group "jetty"
 mode "0755"
 variables({
- :https_port => "8443",
- :jetty_keystore_pwd => "rTIS;B4kM]2GHcNK2c3B4&Ng",
- :jetty_keymanager_pwd => "rTIS;B4kM]2GHcNK2c3B4&Ng"
+ :http_option => http_option,
+ :http_port => "8080"
 })
 end
+
 template "https-ini" do
- path "/#{jetty_base}/start.d/https.ini"
+ path "#{ENV['JETTY_BASE']}/start.d/https.ini"
 source "SDC-Simulator-https-ini.erb"
 owner "jetty"
 group "jetty"
 mode "0755"
- variables ({
- :https_port => "8443"
+ variables({
+ :https_port => "8443"
 })
 end
+# TO CHANGE THE KEYSTORE/TRUSTSTORE CERT THE JVM CONFIGURATION
+# MUST BE ALSO CHANGE IN THE startup.sh FILE
+template "ssl-ini" do
+ path "#{ENV['JETTY_BASE']}/start.d/ssl.ini"
+ source "SDC-Simulator-ssl-ini.erb"
+ owner "jetty"
+ group "jetty"
+ mode "0755"
+ variables({
+ :https_port => "8443",
+ :jetty_truststore_pwd => "Y,f975ZNJfVZhV*{+Y[}pA?0",
+ :jetty_keystore_pwd => "rTIS;B4kM]2GHcNK2c3B4&Ng",
+ :jetty_keymanager_pwd => "rTIS;B4kM]2GHcNK2c3B4&Ng",
+ })
+end
+
+
 bash "echo status" do
 code <<-EOH
 echo "DOCKER STARTED"
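Review bot: The `ssl-ini` template renders `jetty_truststore_pwd`, `jetty_keystore_pwd` and `jetty_keymanager_pwd` into `start.d/ssl.ini` with `mode "0755"`, so the plaintext keystore passwords are world-readable on the host (the keystore password was already handled this way before this change; the truststore password and the `.p12` it accompanies are new). `mode "0640"` is enough for the jetty user, and `sensitive true` on the resource keeps Chef from printing the rendered file, passwords included, in its converge output when the template changes. Keeping the literal passwords in the recipe also leaves them in version control; a node attribute or data bag item would let the image supply them instead. Separately, `http_option` only takes effect because this template is converged after the `bash` resource that still runs `--add-to-start=http` and thereby overwrites the `http.ini` that start.jar generated, so a one-line comment above `template "http-ini"` stating that ordering would stop a later reorder from silently re-enabling HTTP.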
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-http-ini.erb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-http-ini.erb
new file mode 100644
index 0000000000..8f2669032b
--- /dev/null
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-http-ini.erb
@@ -0,0 +1,29 @@
+# ---------------------------------------
+# Module: http
+<%= @http_option %>
+
+### HTTP Connector Configuration
+
+## Connector host/address to bind to
+# jetty.http.host=0.0.0.0
+
+## Connector port to listen on
+jetty.http.port=<%= @http_port %>
+
+## Connector idle timeout in milliseconds
+jetty.http.idleTimeout=30000
+
+## Connector socket linger time in seconds (-1 to disable)
+# jetty.http.soLingerTime=-1
+
+## Number of acceptors (-1 picks default based on number of cores)
+# jetty.http.acceptors=-1
+
+## Number of selectors (-1 picks default based on number of cores)
+# jetty.http.selectors=-1
+
+## ServerSocketChannel backlog (0 picks platform default)
+# jetty.http.acceptorQueueSize=0
+
+## Thread priority delta to give to acceptor threads
+# jetty.http.acceptorPriorityDelta=0
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-ssl-ini.erb b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-ssl-ini.erb
index 86848bf282..278fdea2ae 100644
--- a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-ssl-ini.erb
+++ b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/templates/default/SDC-Simulator-ssl-ini.erb
@@ -42,10 +42,10 @@ jetty.ssl.port=<%= @https_port %>
 ## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
 ## Keystore file path (relative to $jetty.base)
-# jetty.sslContext.keyStorePath=etc/keystore
+jetty.sslContext.keyStorePath=etc/org.onap.sdc.p12
 ## Truststore file path (relative to $jetty.base)
-# jetty.sslContext.trustStorePath=etc/keystore
+jetty.sslContext.trustStorePath=etc/org.onap.sdc.trust.jks
 ## Keystore password
 # jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
@@ -61,7 +61,7 @@ jetty.sslContext.keyManagerPassword=<%= @jetty_keymanager_pwd %>
 ## Truststore password
 # jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
-#jetty.sslContext.trustStorePassword=<%= @jetty_truststore_pwd %>
+jetty.sslContext.trustStorePassword=<%= @jetty_truststore_pwd %>
 ## Truststore type and provider
 # jetty.sslContext.trustStoreType=JKS
--
cgit 1.2.3-korg
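Review bot: `jetty.sslContext.keyStorePath` now points at a PKCS#12 file, but the hunk does not set `jetty.sslContext.keyStoreType`; if the rest of the template still leaves Jetty's default of JKS, opening the `.p12` depends on the running JDK accepting PKCS12 data through the JKS keystore type, which newer JDKs do and older ones do not. Adding `jetty.sslContext.keyStoreType=PKCS12` directly under the new path line removes that dependency on the base image. The truststore keeps the JKS default, which matches the `.jks` file added in the same change, so no change is needed there.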