Jetty default ssl certificate fix 85/9685/1
authorTal Gitelman <tg851x@intl.att.com>
Thu, 31 Aug 2017 12:51:10 +0000 (15:51 +0300)
committerTal Gitelman <tg851x@intl.att.com>
Thu, 31 Aug 2017 12:51:10 +0000 (15:51 +0300)
Recipes alignment for ssl.ini new keystore

Change-Id: Ibe5a04712b5fb7c3c7e0adfa0bcb23d260b77479
Issue-ID:SDC-264
Signed-off-by: Tal Gitelman <tg851x@intl.att.com>
14 files changed:
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_10_import_Normatives.rb [moved from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_9_import_Normatives.rb with 100% similarity]
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_locate_keystore.rb [new file with mode: 0644]
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_create_DMaaP_keys.rb [moved from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_create_DMaaP_keys.rb with 100% similarity]
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_5_jetty_Modules.rb [moved from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb with 65% similarity]
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_6_setup_elasticsearch.rb [moved from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_5_setup_elasticsearch.rb with 100% similarity]
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_7_setup_portal_properties.rb [moved from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_6_setup_portal_properties.rb with 100% similarity]
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_8_logback.rb [moved from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_7_logback.rb with 100% similarity]
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_9_errors_config.rb [moved from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_8_errors_config.rb with 100% similarity]
sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb [moved from sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-ssl-ini.erb with 88% similarity]
sdc-os-chef/sdc-backend/chef-solo/roles/catalog-be.json
sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb
sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb [new file with mode: 0644]
utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/keystore

index ac1614a..067642f 100644 (file)
@@ -51,18 +51,3 @@ cookbook_file "ArtifactGenerator" do
    group "jetty"
    mode "0755"
 end
-
-directory "Jetty_etcdir_creation" do
-       path "/#{jetty_base}/etc"
-       owner 'jetty'
-       group 'jetty'
-       mode '0755'
-       action :create
-end
-       
-cookbook_file "/#{jetty_base}/etc/keystore" do
-   source "keystore"
-   owner "jetty"
-   group "jetty"
-   mode 0755
-end
diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_locate_keystore.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_locate_keystore.rb
new file mode 100644 (file)
index 0000000..148eaaf
--- /dev/null
@@ -0,0 +1,16 @@
+jetty_base="/var/lib/jetty"
+
+directory "Jetty_etcdir_creation" do
+       path "/#{jetty_base}/etc"
+       owner 'jetty'
+       group 'jetty'
+       mode '0755'
+       action :create
+end
+       
+cookbook_file "/#{jetty_base}/etc/keystore" do
+   source "keystore"
+   owner "jetty"
+   group "jetty"
+   mode 0755
+end
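Review bot: The `cookbook_file "/#{jetty_base}/etc/keystore"` resource installs the TLS keystore with `mode 0755`, which leaves the private key material readable by every local account (and needlessly executable); only the `jetty` user has to read it, so `mode 0600` (or `0640` if another group genuinely needs read access) is the right permission. The `path "/#{jetty_base}/etc"` combined with `jetty_base="/var/lib/jetty"` also produces a doubled leading slash (`//var/lib/jetty/etc`), and the keystore path has the same issue; harmless on Linux, but `path "#{jetty_base}/etc"` is cleaner. Because the keystore is shipped as a cookbook file, every deployment built from this tree shares the same key, so a comment such as `# NOTE: default keystore shipped with the cookbook - replace per deployment` would make that explicit for operators.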
@@ -12,4 +12,11 @@ EOH
 not_if "ls /#{jetty_base}/start.d/https.ini"
 end
 
-
+template "ssl-ini" do
+   path "/#{jetty_base}/start.d/ssl.ini"
+   source "ssl-ini.erb"
+   owner "jetty"
+   group "jetty"
+   mode "0755"
+   variables :https_port => "#{node['BE'][:https_port]}"
+end
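Review bot: The new `template "ssl-ini"` resource writes `start.d/ssl.ini`, which in this change carries the keystore/truststore passwords in Jetty's reversible OBF form, yet installs it with `mode "0755"` — world-readable and executable. A start.d ini only has to be read by the jetty user, so `mode "0640"` is sufficient and consistent with treating the file as sensitive. `variables :https_port => "#{node['BE'][:https_port]}"` wraps a single value in string interpolation; `node['BE'][:https_port].to_s` says the same thing without the redundant interpolation RuboCop flags. The `not_if` on the first context line belongs to a resource whose start lies outside this hunk.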
@@ -8,7 +8,7 @@
 # jetty.ssl.host=0.0.0.0
 
 ## Connector port to listen on
-jetty.ssl.port=<%= @FE_https_port %>
+jetty.ssl.port=<%= @https_port %>
 
 ## Connector idle timeout in milliseconds
 # jetty.ssl.idleTimeout=30000
@@ -49,6 +49,7 @@ jetty.ssl.port=<%= @FE_https_port %>
 
 ## Keystore password
 # jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+jetty.sslContext.keyStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok
 
 ## Keystore type and provider
 # jetty.sslContext.keyStoreType=JKS
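Review bot: `jetty.sslContext.keyStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok` hardcodes the keystore password in the cookbook. OBF is obfuscation, not encryption — it is reversed by `org.eclipse.jetty.util.security.Password.deobfuscate(...)` — so anyone with the repository or the rendered ini has the cleartext, and since the keystore itself is distributed as a cookbook file, the private key is effectively public for every deployment built from this tree. Prefer rendering it from a recipe variable, `jetty.sslContext.keyStorePassword=<%= @keystore_password %>`, populated from a node attribute or encrypted data bag, together with a per-deployment keystore. If this template is intended only for development/default images, a comment above the line (`## default dev keystore password - override per deployment`) would keep it from being mistaken for production configuration.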
@@ -56,9 +57,11 @@ jetty.ssl.port=<%= @FE_https_port %>
 
 ## KeyManager password
 # jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g
+jetty.sslContext.keyManagerPassword=OBF:1cp61iuj194s194u194w194y1is31cok
 
 ## Truststore password
 # jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+jetty.sslContext.trustStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok
 
 ## Truststore type and provider
 # jetty.sslContext.trustStoreType=JKS
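Review bot: `jetty.sslContext.trustStorePassword` is now set while, judging by the identical frontend copy of this template further down in the diff, `jetty.sslContext.trustStorePath` stays commented out, so the password applies to whatever Jetty resolves as the default truststore — the template's own commented default is `etc/keystore`, i.e. the server keystore itself. With `needClientAuth`/`wantClientAuth` left at false the truststore is not consulted, so the line is inert today; if client-certificate auth is planned, set `jetty.sslContext.trustStorePath` explicitly to a dedicated truststore rather than sharing the keystore, otherwise consider dropping the line so the file does not imply a separate truststore exists. Setting `keyManagerPassword` to the same value as `keyStorePassword` is, as far as I recall Jetty's SslContextFactory, redundant (it falls back to the keystore password when unset) but harmless.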
@@ -81,3 +84,7 @@ jetty.ssl.port=<%= @FE_https_port %>
 
 ## Set the timeout (in seconds) of the SslSession cache timeout
 # jetty.sslContext.sslSessionTimeout=-1
+
+## Allow SSL renegotiation
+# jetty.sslContext.renegotiationAllowed=true
+# jetty.sslContext.renegotiationLimit=5
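Review bot: The renegotiation keys are added commented out, so the new ssl.ini keeps Jetty's default of allowing TLS renegotiation. Client-initiated renegotiation is a known CPU-exhaustion vector against the server and is rarely needed by browsers or REST clients; unless a consumer of this endpoint depends on it, set `jetty.sslContext.renegotiationAllowed=false`, or at least uncomment the `jetty.sslContext.renegotiationLimit=5` cap. Either way, a one-line comment recording the decision would be better than inheriting the default silently.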
index 9fc7b8d..a05a283 100644 (file)
   "run_list": [
     "recipe[sdc-catalog-be::BE_1_cleanup_jettydir]",
     "recipe[sdc-catalog-be::BE_2_setup_configuration]",
-    "recipe[sdc-catalog-be::BE_4_jetty_Modules]",
-    "recipe[sdc-catalog-be::BE_5_setup_elasticsearch]",
-    "recipe[sdc-catalog-be::BE_6_setup_portal_properties]",
-    "recipe[sdc-catalog-be::BE_7_logback]",
-    "recipe[sdc-catalog-be::BE_8_errors_config]"
+    "recipe[sdc-catalog-be::BE_3_locate_keystore]",
+    "recipe[sdc-catalog-be::BE_5_jetty_Modules]",
+    "recipe[sdc-catalog-be::BE_6_setup_elasticsearch]",
+    "recipe[sdc-catalog-be::BE_7_setup_portal_properties]",
+    "recipe[sdc-catalog-be::BE_8_logback]",
+    "recipe[sdc-catalog-be::BE_9_errors_config]"
   ],
   "env_run_lists": {
   }
index 2800fd1..fc9dd86 100644 (file)
@@ -34,12 +34,12 @@ template "FE-https-ini" do
 end
 
 
-template "FE-ssl-ini" do
+template "ssl-ini" do
    path "/#{jetty_base}/start.d/ssl.ini"
-   source "FE-ssl-ini.erb"
+   source "ssl-ini.erb"
    owner "jetty"
    group "jetty"
    mode "0755"
-   variables :FE_https_port => "#{node['FE'][:https_port]}"
+   variables :https_port => "#{node['FE'][:https_port]}"
 end
 
diff --git a/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb b/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb
new file mode 100644 (file)
index 0000000..effbfa7
--- /dev/null
@@ -0,0 +1,90 @@
+# ---------------------------------------
+# Module: ssl
+--module=ssl
+
+### TLS(SSL) Connector Configuration
+
+## Connector host/address to bind to
+# jetty.ssl.host=0.0.0.0
+
+## Connector port to listen on
+jetty.ssl.port=<%= @https_port %>
+
+## Connector idle timeout in milliseconds
+# jetty.ssl.idleTimeout=30000
+
+## Connector socket linger time in seconds (-1 to disable)
+# jetty.ssl.soLingerTime=-1
+
+## Number of acceptors (-1 picks default based on number of cores)
+# jetty.ssl.acceptors=-1
+
+## Number of selectors (-1 picks default based on number of cores)
+# jetty.ssl.selectors=-1
+
+## ServerSocketChannel backlog (0 picks platform default)
+# jetty.ssl.acceptorQueueSize=0
+
+## Thread priority delta to give to acceptor threads
+# jetty.ssl.acceptorPriorityDelta=0
+
+## Whether request host names are checked to match any SNI names
+# jetty.ssl.sniHostCheck=true
+
+## max age in seconds for a Strict-Transport-Security response header (default -1)
+# jetty.ssl.stsMaxAgeSeconds=31536000
+
+## include subdomain property in any Strict-Transport-Security header (default false)
+# jetty.ssl.stsIncludeSubdomains=true
+
+### SslContextFactory Configuration
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+
+## Keystore file path (relative to $jetty.base)
+# jetty.sslContext.keyStorePath=etc/keystore
+
+## Truststore file path (relative to $jetty.base)
+# jetty.sslContext.trustStorePath=etc/keystore
+
+## Keystore password
+# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+jetty.sslContext.keyStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok
+
+## Keystore type and provider
+# jetty.sslContext.keyStoreType=JKS
+# jetty.sslContext.keyStoreProvider=
+
+## KeyManager password
+# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g
+jetty.sslContext.keyManagerPassword=OBF:1cp61iuj194s194u194w194y1is31cok
+
+## Truststore password
+# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+jetty.sslContext.trustStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok
+
+## Truststore type and provider
+# jetty.sslContext.trustStoreType=JKS
+# jetty.sslContext.trustStoreProvider=
+
+## whether client certificate authentication is required
+# jetty.sslContext.needClientAuth=false
+
+## Whether client certificate authentication is desired
+# jetty.sslContext.wantClientAuth=false
+
+## Whether cipher order is significant (since java 8 only)
+# jetty.sslContext.useCipherSuitesOrder=true
+
+## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at
+## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites
+
+## Set the size of the SslSession cache
+# jetty.sslContext.sslSessionCacheSize=-1
+
+## Set the timeout (in seconds) of the SslSession cache timeout
+# jetty.sslContext.sslSessionTimeout=-1
+
+## Allow SSL renegotiation
+# jetty.sslContext.renegotiationAllowed=true
+# jetty.sslContext.renegotiationLimit=5
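Review bot: The template's own comment at the top of the SslContextFactory section says "OBF passwords are not secure, just protected from casual observation", yet a few lines later it commits the keystore, key-manager and truststore passwords as one OBF literal, and the backend template in this same change carries the identical value. That is a single reversible secret shared by FE and BE across every deployment built from this cookbook, with two copies to keep in sync when it is rotated. Render the value from the recipe instead — `jetty.sslContext.keyStorePassword=<%= @keystore_password %>` in the template, with `:keystore_password => node['FE'][:keystore_password]` added to the `variables` of the `ssl-ini` template resource in FE_7_create_jetty_modules.rb — and source that attribute from an encrypted data bag. If the shared default is intentional for development images, say so in a comment next to the value.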
index c408393..08f6cda 100644 (file)
Binary files a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/keystore and b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/keystore differ