CLOUD-294 Keystore key password for SSL

wdecoste · wdecoste · commit 35e7be3bdf95 · 2017-10-13T14:36:05.000-07:00
diff --git a/os-amq-launch/added/configure.sh b/os-amq-launch/added/configure.sh
@@ -115,9 +115,13 @@ function configureSSL() {
     keyStorePath="$sslDir/$keyStoreFile"
     trustStorePath="$sslDir/$trustStoreFile"
 
+    if [ -n "$AMQ_KEY_PASSWORD" ]; then
+      keyPassword="keyStoreKeyPassword=\"$AMQ_KEY_PASSWORD\""
+    fi
+
     sslElement="<sslContext>\n\
             <sslContext keyStore=\"file:$keyStorePath\"\n\
-                        keyStorePassword=\"$keyStorePassword\"\n\
+                        keyStorePassword=\"$keyStorePassword\" $keyPassword \n\
                         trustStore=\"file:$trustStorePath\"\n\
                         trustStorePassword=\"$trustStorePassword\" />\n\
         </sslContext>"
diff --git a/os-datavirt/added/launch/teiid.sh b/os-datavirt/added/launch/teiid.sh
@@ -11,8 +11,15 @@ function prepareEnv() {
   unset DATAVIRT_TRANSPORT_KEY_ALIAS
   unset DATAVIRT_TRANSPORT_KEYSTORE
   unset DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD
+  unset DATAVIRT_TRANSPORT_KEY_PASSWORD
   unset DATAVIRT_TRANSPORT_KEYSTORE_TYPE
   unset DATAVIRT_TRANSPORT_KEYSTORE_DIR
+  unset HTTPS_NAME
+  unset HTTPS_PASSWORD
+  unset HTTPS_KEY_PASSWORD
+  unset HTTPS_KEYSTORE_DIR
+  unset HTTPS_KEYSTORE
+  unset HTTPS_KEYSTORE_TYPE
   unset DATAVIRT_USERS
   unset DATAVIRT_USER_PASSWORDS
   unset DATAVIRT_USER_GROUPS
@@ -69,6 +76,7 @@ function add_secure_transport(){
   local key_alias=${DATAVIRT_TRANSPORT_KEY_ALIAS}
   local keystore=${DATAVIRT_TRANSPORT_KEYSTORE-$HTTPS_KEYSTORE}
   local keystore_pwd=${DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD-$HTTPS_PASSWORD}
+  local key_pwd=${DATAVIRT_TRANSPORT_KEY_PASSWORD-$HTTPS_KEY_PASSWORD}
   local keystore_type=${DATAVIRT_TRANSPORT_KEYSTORE_TYPE-$HTTPS_KEYSTORE_TYPE}
   local keystore_dir=${DATAVIRT_TRANSPORT_KEYSTORE_DIR-$HTTPS_KEYSTORE_DIR}
   local auth_mode=${DATAVIRT_TRANSPORT_AUTHENTICATION_MODE}
@@ -91,11 +99,15 @@ function add_secure_transport(){
       fi
     fi
 
+    if [ -n "$key_pwd" ]; then
+      key_password="key-password=\"${key_pwd}\""
+    fi
+
     # JDBC
     transport="<transport name=\"secure-jdbc\" socket-binding=\"secure-teiid-jdbc\" protocol=\"teiid\"><authentication security-domain=\"teiid-security\"/><ssl mode=\"enabled\" authentication-mode=\"$auth_mode\" ssl-protocol=\"TLSv1.2\" keymanagement-algorithm=\"SunX509\">"
 
     if [ "$auth_mode" != "anonymous" ]; then 
-      transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD\" type=\"$keystore_type\" key-alias=\"$key_alias\"/><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
+      transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\" type=\"$keystore_type\" key-alias=\"$key_alias\" ${key_password} /><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
     fi
 
     transport="$transport </ssl></transport>"
@@ -104,7 +116,7 @@ function add_secure_transport(){
     transport="$transport <transport name=\"secure-odbc\" socket-binding=\"secure-teiid-odbc\" protocol=\"pg\"><authentication security-domain=\"teiid-security\"/><ssl mode=\"enabled\" authentication-mode=\"$auth_mode\" ssl-protocol=\"TLSv1.2\" keymanagement-algorithm=\"SunX509\">"
 
     if [ "$auth_mode" != "anonymous" ]; then
-      transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$DATAVIRT_TRANSPORT_KEYSTORE_PASSWORD\" type=\"$keystore_type\" key-alias=\"$key_alias\"/><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
+      transport="$transport <keystore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\" type=\"$keystore_type\" key-alias=\"$key_alias\" ${key_password} /><truststore name=\"${keystore_dir}/${keystore}\" password=\"$keystore_pwd\"/>"
     fi
 
     transport="$transport </ssl></transport>"
diff --git a/os-eap64-launch/added/launch/https.sh b/os-eap64-launch/added/launch/https.sh
@@ -25,7 +25,7 @@ function configure_https() {
     fi
 
     https="<connector name=\"https\" protocol=\"HTTP/1.1\" socket-binding=\"https\" scheme=\"https\" secure=\"true\"> \
-                <ssl name=\"${HTTPS_NAME}\" password=\"${HTTPS_PASSWORD}\" certificate-key-file=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" ${keystore_type}/> \
+                <ssl name=\"${HTTPS_NAME}\" key-alias=\"${HTTPS_NAME}\" password=\"${HTTPS_PASSWORD}\" certificate-key-file=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" ${keystore_type} /> \
             </connector>"
   elif [ -n "${HTTPS_NAME}" -o -n "${HTTPS_PASSWORD}" -o -n "${HTTPS_KEYSTORE_DIR}" -o -n "${HTTPS_KEYSTORE}" ] ; then
     echo "WARNING! Partial HTTPS configuration, the https connector WILL NOT be configured."
diff --git a/os-eap7-launch/added/launch/https.sh b/os-eap7-launch/added/launch/https.sh
@@ -3,6 +3,7 @@
 function prepareEnv() {
   unset HTTPS_NAME
   unset HTTPS_PASSWORD
+  unset HTTPS_KEY_PASSWORD
   unset HTTPS_KEYSTORE_DIR
   unset HTTPS_KEYSTORE
   unset HTTPS_KEYSTORE_TYPE
@@ -25,9 +26,16 @@ function configure_https() {
     if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
       keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
     fi
+    if [ -n "$HTTPS_NAME" ]; then
+      keystore_alias="alias=\"${HTTPS_NAME}\""
+    fi
+    if [ -n "$HTTPS_KEY_PASSWORD" ]; then
+      key_password="key-password=\"${HTTPS_KEY_PASSWORD}\""
+    fi
+
     ssl="<server-identities>\n\
                     <ssl>\n\
-                        <keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\"/>\n\
+                        <keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\" ${keystore_alias} ${key_password} />\n\
                     </ssl>\n\
                 </server-identities>"
 
diff --git a/os-jdg7-launch/added/launch/authentication-config.sh b/os-jdg7-launch/added/launch/authentication-config.sh
@@ -9,6 +9,12 @@ function prepareEnv() {
   unset SECDOMAIN_LOGIN_MODULE
   unset SECDOMAIN_REALM
   unset REST_SECURITY_DOMAIN
+  unset HTTPS_NAME
+  unset HTTPS_PASSWORD
+  unset HTTPS_KEY_PASSWORD
+  unset HTTPS_KEYSTORE_DIR
+  unset HTTPS_KEYSTORE
+  unset HTTPS_KEYSTORE_TYPE
 }
 
 function configure() {
@@ -79,9 +85,16 @@ function add_realm_domain_mapping() {
     if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
       keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
     fi
+    if [ -n "$HTTPS_NAME" ]; then
+      keystore_alias="alias=\"${HTTPS_NAME}\""
+    fi
+    if [ -n "$HTTPS_KEY_PASSWORD" ]; then
+      key_password="key-password=\"${HTTPS_KEY_PASSWORD}\""
+    fi
+
     ssl="<server-identities>\n\
                     <ssl>\n\
-                        <keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\"/>\n\
+                        <keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\" ${keystore_alias} ${key_password} />\n\
                     </ssl>\n\
                 </server-identities>"
   fi
diff --git a/os-jdg7-launch/added/launch/infinispan-config.sh b/os-jdg7-launch/added/launch/infinispan-config.sh
@@ -139,10 +139,15 @@ function configure_server_identities() {
       fi
       if [ -n "$SSL_KEYSTORE_ALIAS" ]; then
         keystore_alias="alias=\"$SSL_KEYSTORE_ALIAS\""
+      elif [ -n "$HTTPS_NAME" ]; then
+        keystore_alias="alias=\"$HTTPS_NAME\""
       fi
       if [ -n "$SSL_KEY_PASSWORD" ]; then
         key_password="key-password=\"$SSL_KEY_PASSWORD\""
+      elif [ -n "$HTTPS_KEY_PASSWORD" ]; then
+        key_password="key-password=\"$HTTPS_KEY_PASSWORD\""
       fi
+
       ssl="\
           <ssl $ssl_protocol>\
             <keystore path=\"$keystore_path\" keystore-password=\"$keystore_password\" $keystore_relative_to $keystore_alias $key_password/>\
diff --git a/tests/features/amq/amq-common.feature b/tests/features/amq/amq-common.feature
@@ -81,10 +81,12 @@ Feature: Openshift AMQ tests
        | AMQ_KEYSTORE_TRUSTSTORE_DIR | /opt/amq/conf |
        | AMQ_KEYSTORE                | broker.ks     |
        | AMQ_KEYSTORE_PASSWORD       | password      |
+       | AMQ_KEY_PASSWORD            | keypass       |
        | AMQ_TRUSTSTORE              | broker.ts     |
        | AMQ_TRUSTSTORE_PASSWORD     | password      |
     Then XML file /opt/amq/conf/activemq.xml should contain value file:/opt/amq/conf/broker.ks on XPath //amq:sslContext/@keyStore
     And XML file /opt/amq/conf/activemq.xml should contain value password on XPath //amq:sslContext/@keyStorePassword
+    And XML file /opt/amq/conf/activemq.xml should contain value keypass on XPath //amq:sslContext/@keyStoreKeyPassword
     And XML file /opt/amq/conf/activemq.xml should contain value file:/opt/amq/conf/broker.ts on XPath //amq:sslContext/@trustStore
     And XML file /opt/amq/conf/activemq.xml should contain value password on XPath //amq:sslContext/@trustStorePassword
 
diff --git a/tests/features/datagrid/7.1/datagrid_variable_expansion.feature b/tests/features/datagrid/7.1/datagrid_variable_expansion.feature
@@ -0,0 +1,21 @@
+@jboss-datagrid-7 
+Feature: Check correct JDG variable expansion used
+  Scenario: Check HTTPS basic config
+    When container is started with env
+      | variable                      | value                        |
+      | USERNAME                      | tombrady                     |
+      | PASSWORD                      | ringsix6!                    |
+      | HTTPS_NAME                    | jboss                        |
+      | HTTPS_PASSWORD                | mykeystorepass               |
+      | HTTPS_KEY_PASSWORD            | mykeypass                    |
+      | HTTPS_KEYSTORE_DIR            | /etc/eap-secret-volume       |
+      | HTTPS_KEYSTORE                | keystore.jks                 |
+    Then XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
+    And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
+    And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeypass on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+    And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value jboss on XPath //*[local-name()='security-realm'][@name='ApplicationRealm']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
+   Then XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
+    And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
+    And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value mykeypass on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+    And XML file /opt/datagrid/standalone/configuration/clustered-openshift.xml should contain value jboss on XPath //*[local-name()='security-realm'][@name='jdg-openshift']/*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
+
diff --git a/tests/features/datavirt/datavirt_variable_expansion.feature b/tests/features/datavirt/datavirt_variable_expansion.feature
@@ -0,0 +1,26 @@
+@jboss-datavirt-6 
+Feature: Check correct JDV variable expansion used
+  Scenario: Check HTTPS basic config
+    When container is started with env
+      | variable                      | value                        |
+      | DATAVIRT_TRANSPORT_KEY_ALIAS  | jboss                        |
+      | HTTPS_PASSWORD                | mykeystorepass               |
+      | HTTPS_KEY_PASSWORD            | mykeypass                    |
+      | HTTPS_KEYSTORE_DIR            | /etc/eap-secret-volume       |
+      | HTTPS_KEYSTORE                | keystore.jks                 |
+      | HTTPS_KEYSTORE_TYPE           | JKS                          |
+    Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@name
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@password
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@type
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-alias
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='truststore']/@name
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-jdbc']/*[local-name()='ssl']/*[local-name()='truststore']/@password
+    Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@name
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@password
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@type
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='keystore']/@key-alias
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='truststore']/@name
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='transport'][@name='secure-odbc']/*[local-name()='ssl']/*[local-name()='truststore']/@password
+
diff --git a/tests/features/eap/6.4/eap_variable_expansion.feature b/tests/features/eap/6.4/eap_variable_expansion.feature
@@ -113,3 +113,16 @@ Feature: Check correct variable expansion used
       | ns     | urn:jboss:domain:security:1.2 |
     Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should have 1 elements on XPath //ns:security-domain[@name='eap-secdomain-name']/ns:authentication/ns:login-module/ns:module-option[@name='password-stacking']
 
+    Scenario: Check HTTPS basic config
+    When container is started with env
+      | variable               | value                        |
+      | HTTPS_NAME             | jboss                        |
+      | HTTPS_PASSWORD         | mykeystorepass               |
+      | HTTPS_KEYSTORE_DIR     | /etc/eap-secret-volume       |
+      | HTTPS_KEYSTORE         | keystore.jks                 |
+      | HTTPS_KEYSTORE_TYPE    | JKS                          |
+    Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='connector']/*[local-name()='ssl']/@certificate-key-file
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='connector']/*[local-name()='ssl']/@password
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='connector']/*[local-name()='ssl']/@key-alias
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='connector']/*[local-name()='ssl']/@keystore-type
+
diff --git a/tests/features/eap/7/eap_variable_expansion.feature b/tests/features/eap/7/eap_variable_expansion.feature
@@ -0,0 +1,17 @@
+@jboss-eap-7 
+Feature: Check correct variable expansion used
+  Scenario: Check HTTPS basic config
+    When container is started with env
+      | variable               | value                        |
+      | HTTPS_NAME             | jboss                        |
+      | HTTPS_PASSWORD         | mykeystorepass               |
+      | HTTPS_KEY_PASSWORD     | mykeypass                    |
+      | HTTPS_KEYSTORE_DIR     | /etc/eap-secret-volume       |
+      | HTTPS_KEYSTORE         | keystore.jks                 |
+      | HTTPS_KEYSTORE_TYPE    | JKS                          |
+    Then XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value /etc/eap-secret-volume/keystore.jks on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@path
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeystorepass on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@keystore-password
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value jboss on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@alias
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value mykeypass on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@key-password
+    And XML file /opt/eap/standalone/configuration/standalone-openshift.xml should contain value JKS on XPath //*[local-name()='server-identities']/*[local-name()='ssl']/*[local-name()='keystore']/@provider
+
