summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpriyanshu <pagarwal@amdocs.com>2019-03-14 21:18:06 +0530
committerpriyanshu <pagarwal@amdocs.com>2019-03-15 11:12:21 +0530
commit91d1f6c223464dbc62fbca330110c7c46ac2028e (patch)
tree4e3196e75c75b71aab9f921764a9dd5658b451f9
parentee0b26c61e4eb9251fb3a2fcc31fb276dcae7865 (diff)
Secure cassandra support on WF BE
1. Added support for secure cassandra on WF BE. 2. By default the SSL is not enabled. 3. updated ReadMe. Change-Id: I2ddb5ebf091fd70c9693e7cc325fb44d03949dd6 Issue-ID: SDC-2194 Signed-off-by: priyanshu <pagarwal@amdocs.com>
-rw-r--r--README.md22
-rw-r--r--workflow-designer-be/src/main/java/org/onap/sdc/workflow/server/config/ZusammenConfig.java58
-rw-r--r--workflow-designer-be/src/main/resources/application-dev.properties11
-rw-r--r--workflow-designer-be/src/main/resources/application.properties13
4 files changed, 84 insertions, 20 deletions
diff --git a/README.md b/README.md
index 87b980cb..a391684b 100644
--- a/README.md
+++ b/README.md
@@ -98,8 +98,11 @@ messages. You can also see the logs of the initialization container using `docke
`docker run -d -e SDC_PROTOCL=http/https -e SDC_ENDPOINT=<sdc-host>:<sdc-port> -e SDC_USER=<sdc-username>
-e SDC_PASSWORD=<sdc-password> -e CS_HOSTS=<cassandra-hosts> -e CS_PORT=<cassandra-port>
-e CS_AUTHENTICATE=true/false -e CS_USER=<cassandra-user> -e CS_PASSWORD=<cassandra-password>
--e SSL_ENABLED=true/false -e SSL_KEY_PASSWORD=<ssl_key_password> -e SSL_KEYSTORE_PATH=<ssl_keystore_path>
--e SSL_KEYSTORE_TYPE=<ssl_keystore_type> -e JAVA_OPTIONS=<jvm-options> nexus3.onap.org:10001/onap/workflow-backend:latest`
+-e CS_SSL_ENABLED=true/false --volume <cassandra-truststore-path_container>:<cassandra-truststore-path_local>
+-e CS_TRUST_STORE_PATH=<cassandra-truststore-path_container> -e CS_TRUST_STORE_PASSWORD=<cassandra-truststore-password>
+-e SERVER_SSL_ENABLED=true/false -e SERVER_SSL_KEY_PASSWORD=<ssl_key_password>
+-e SERVER_SSL_KEYSTORE_PATH=<ssl_keystore_path> -e SERVER_SSL_KEYSTORE_TYPE=<ssl_keystore_type>
+-e JAVA_OPTIONS=<jvm-options> nexus3.onap.org:10001/onap/workflow-backend:latest`
### Environment Variables
@@ -123,14 +126,21 @@ assumed if this variable is not specified.
- CS_PASSWORD &mdash; Cassandra password if CS_AUTHENTICATE is *true*.
-- SSL_ENABLED &mdash; whether ssl authentication must be used to connect to application. A *false* will be
+- CS_SSL_ENABLED &mdash; whether ssl authentication must be used to connect to Cassandra. A *false* will be
assumed if this variable is not specified.
-- SSL_KEY_PASSWORD &mdash; SSL key password if SSL_ENABLED is *true*.
+- CS_TRUST_STORE_PATH &mdash; Cassandra Truststore path if CS_SSL_ENABLED is *true*.
-- SSL_KEYSTORE_PATH &mdash; SSL Keystore path if SSL_ENABLED is *true*.
+- CS_TRUST_STORE_PASSWORD &mdash; Cassandra Truststore password if CS_SSL_ENABLED is *true*.
-- SSL_KEYSTORE_TYPE &mdash; SSL Keystore type if SSL_ENABLED is *true*.
+- SERVER_SSL_ENABLED &mdash; whether ssl authentication must be used to connect to application. A *false* will be
+assumed if this variable is not specified.
+
+- SERVER_SSL_KEY_PASSWORD &mdash; SSL key password if SERVER_SSL_ENABLED is *true*.
+
+- SERVER_SSL_KEYSTORE_PATH &mdash; SSL Keystore path if SERVER_SSL_ENABLED is *true*.
+
+- SERVER_SSL_KEYSTORE_TYPE &mdash; SSL Keystore type if SERVER_SSL_ENABLED is *true*.
- JAVA_OPTIONS &mdash; optionally, JVM (Java Virtual Machine) arguments.
diff --git a/workflow-designer-be/src/main/java/org/onap/sdc/workflow/server/config/ZusammenConfig.java b/workflow-designer-be/src/main/java/org/onap/sdc/workflow/server/config/ZusammenConfig.java
index 23e8643b..700b1b9f 100644
--- a/workflow-designer-be/src/main/java/org/onap/sdc/workflow/server/config/ZusammenConfig.java
+++ b/workflow-designer-be/src/main/java/org/onap/sdc/workflow/server/config/ZusammenConfig.java
@@ -16,23 +16,44 @@
package org.onap.sdc.workflow.server.config;
+import com.datastax.driver.core.RemoteEndpointAwareJdkSSLOptions;
+import com.datastax.driver.core.SSLOptions;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.SecureRandom;
import javax.annotation.PostConstruct;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.cassandra.ClusterBuilderCustomizer;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class ZusammenConfig {
- @Value("${zusammen-tenant:workflow}")
+ @Value("${spring.data.cassandra.keyspace-name}")
private String tenant;
- @Value("${spring.data.cassandra.contact-points:localhost}")
+ @Value("${spring.data.cassandra.contact-points}")
private String cassandraAddress;
- @Value("${spring.data.cassandra.username:}")
+ @Value("${spring.data.cassandra.username}")
private String cassandraUser;
- @Value("${spring.data.cassandra.password:}")
+ @Value("${spring.data.cassandra.password}")
private String cassandraPassword;
- @Value("${zusammen.cassandra.isAuthenticate:false}")
+ @Value("${zusammen.cassandra.isAuthenticate}")
private String cassandraAuth;
+ @Value("${spring.data.cassandra.ssl}")
+ private String cassandraSSL;
+ @Value("${zusammen.cassandra.trustStorePath}")
+ private String cassandraTrustStorePath;
+ @Value("${zusammen.cassandra.trustStorePassword}")
+ private String cassandraTrustStorePassword;
+
+ private static final String[] CIPHER_SUITES = {"TLS_RSA_WITH_AES_128_CBC_SHA"};
+ private static final String KEYSTORE_TYPE = "JKS";
+ private static final String SECURE_SOCKET_PROTOCOL = "SSL";
@PostConstruct
public void init() {
@@ -40,9 +61,36 @@ public class ZusammenConfig {
System.setProperty("cassandra.user", cassandraUser);
System.setProperty("cassandra.password", cassandraPassword);
System.setProperty("cassandra.authenticate", Boolean.toString(Boolean.valueOf(cassandraAuth)));
+ System.setProperty("cassandra.ssl", Boolean.toString(Boolean.valueOf(cassandraSSL)));
+ System.setProperty("cassandra.truststore", cassandraTrustStorePath);
+ System.setProperty("cassandra.truststore.password", cassandraTrustStorePassword);
}
public String getTenant() {
return tenant;
}
+
+ @Bean
+ @ConditionalOnProperty("spring.data.cassandra.ssl")
+ ClusterBuilderCustomizer clusterBuilderCustomizer() {
+ SSLOptions sslOptions = RemoteEndpointAwareJdkSSLOptions
+ .builder()
+ .withSSLContext(getSslContext())
+ .withCipherSuites(CIPHER_SUITES).build();
+ return builder -> builder.withSSL(sslOptions);
+ }
+
+ private SSLContext getSslContext() {
+ try (FileInputStream tsf = new FileInputStream(cassandraTrustStorePath)) {
+ SSLContext ctx = SSLContext.getInstance(SECURE_SOCKET_PROTOCOL);
+ KeyStore ts = KeyStore.getInstance(KEYSTORE_TYPE);
+ ts.load(tsf, cassandraTrustStorePassword.toCharArray());
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ tmf.init(ts);
+ ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
+ return ctx;
+ } catch (Exception ex) {
+ throw new BeanCreationException(ex.getMessage(), ex);
+ }
+ }
} \ No newline at end of file
diff --git a/workflow-designer-be/src/main/resources/application-dev.properties b/workflow-designer-be/src/main/resources/application-dev.properties
index 97d81ac3..98eda721 100644
--- a/workflow-designer-be/src/main/resources/application-dev.properties
+++ b/workflow-designer-be/src/main/resources/application-dev.properties
@@ -17,10 +17,10 @@ server.servlet.context-path=/
http.port=${HTTP_PORT:8080}
server.port=${SERVER_PORT:8443}
-server.ssl.enabled=${SSL_ENABLED:false}
-server.ssl.key-password=${SSL_KEY_PASSWORD:}
-server.ssl.key-store=${SSL_KEYSTORE_PATH:}
-server.ssl.key-store-type=${SSL_KEYSTORE_TYPE:}
+server.ssl.enabled=${SERVER_SSL_ENABLED:false}
+server.ssl.key-password=${SERVER_SSL_KEY_PASSWORD:}
+server.ssl.key-store=${SERVER_SSL_KEYSTORE_PATH:}
+server.ssl.key-store-type=${SERVER_SSL_KEYSTORE_TYPE:}
sdc.be.protocol=${SDC_PROTOCOL:}
sdc.be.endpoint=${SDC_ENDPOINT:}
@@ -34,6 +34,9 @@ spring.data.cassandra.port=${CS_PORT:9042}
spring.data.cassandra.username=${CS_USER:}
spring.data.cassandra.password=${CS_PASSWORD:}
zusammen.cassandra.isAuthenticate=${CS_AUTHENTICATE:false}
+spring.data.cassandra.ssl=${CS_SSL_ENABLED:false}
+zusammen.cassandra.trustStorePath=${CS_TRUST_STORE_PATH:}
+zusammen.cassandra.trustStorePassword=${CS_TRUST_STORE_PASSWORD:}
#Actuators
management.endpoint.health.show-details=always
diff --git a/workflow-designer-be/src/main/resources/application.properties b/workflow-designer-be/src/main/resources/application.properties
index 1ff8311a..d189fbb0 100644
--- a/workflow-designer-be/src/main/resources/application.properties
+++ b/workflow-designer-be/src/main/resources/application.properties
@@ -17,10 +17,10 @@ server.servlet.context-path=/
http.port=${HTTP_PORT:8080}
server.port=${SERVER_PORT:8443}
-server.ssl.enabled=${SSL_ENABLED:false}
-server.ssl.key-password=${SSL_KEY_PASSWORD:}
-server.ssl.key-store=${SSL_KEYSTORE_PATH:}
-server.ssl.key-store-type=${SSL_KEYSTORE_TYPE:}
+server.ssl.enabled=${SERVER_SSL_ENABLED:false}
+server.ssl.key-password=${SERVER_SSL_KEY_PASSWORD:}
+server.ssl.key-store=${SERVER_SSL_KEYSTORE_PATH:}
+server.ssl.key-store-type=${SERVER_SSL_KEYSTORE_TYPE:}
sdc.be.protocol=${SDC_PROTOCOL:}
sdc.be.endpoint=${SDC_ENDPOINT:}
@@ -33,7 +33,10 @@ spring.data.cassandra.keyspace-name=workflow
spring.data.cassandra.port=${CS_PORT:9042}
spring.data.cassandra.username=${CS_USER:}
spring.data.cassandra.password=${CS_PASSWORD:}
-zusammen.cassandra.isAuthenticate=${CS_AUTHENTICATE:true}
+zusammen.cassandra.isAuthenticate=${CS_AUTHENTICATE:false}
+spring.data.cassandra.ssl=${CS_SSL_ENABLED:false}
+zusammen.cassandra.trustStorePath=${CS_TRUST_STORE_PATH:}
+zusammen.cassandra.trustStorePassword=${CS_TRUST_STORE_PASSWORD:}
#Actuators
management.endpoint.health.show-details=always