From 6d7a7c1b6e82c92e37eb0b23b892418b82af026f Mon Sep 17 00:00:00 2001 From: Tal Gitelman Date: Thu, 31 Aug 2017 15:51:10 +0300 Subject: [PATCH] Jetty default ssl certificate fix Recipes alignment for ssl.ini new keystore Change-Id: Ibe5a04712b5fb7c3c7e0adfa0bcb23d260b77479 Issue-ID:SDC-264 
Signed-off-by: Tal Gitelman --- ...rt_Normatives.rb => BE_10_import_Normatives.rb} | 0 .../recipes/BE_2_setup_configuration.rb | 15 ---- .../sdc-catalog-be/recipes/BE_3_locate_keystore.rb | 16 ++++ ...ate_DMaaP_keys.rb => BE_4_create_DMaaP_keys.rb} | 0 ...BE_4_jetty_Modules.rb => BE_5_jetty_Modules.rb} | 9 ++- ...lasticsearch.rb => BE_6_setup_elasticsearch.rb} | 0 ...operties.rb => BE_7_setup_portal_properties.rb} | 0 .../recipes/{BE_7_logback.rb => BE_8_logback.rb} | 0 ...BE_8_errors_config.rb => BE_9_errors_config.rb} | 0 .../sdc-catalog-be/templates/default/ssl-ini.erb} | 9 ++- .../sdc-backend/chef-solo/roles/catalog-be.json | 11 +-- .../recipes/FE_7_create_jetty_modules.rb | 6 +- .../sdc-catalog-fe/templates/default/ssl-ini.erb | 90 +++++++++++++++++++++ .../cookbooks/sdc-simulator/files/default/keystore | Bin 4255 -> 1416 bytes 14 files changed, 131 insertions(+), 25 deletions(-) rename sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/{BE_9_import_Normatives.rb => BE_10_import_Normatives.rb} (100%) create mode 100644 sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_locate_keystore.rb rename sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/{BE_3_create_DMaaP_keys.rb => BE_4_create_DMaaP_keys.rb} (100%) rename sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/{BE_4_jetty_Modules.rb => BE_5_jetty_Modules.rb} (65%) rename sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/{BE_5_setup_elasticsearch.rb => BE_6_setup_elasticsearch.rb} (100%) rename sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/{BE_6_setup_portal_properties.rb => BE_7_setup_portal_properties.rb} (100%) rename sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/{BE_7_logback.rb => BE_8_logback.rb} (100%) rename sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/{BE_8_errors_config.rb => BE_9_errors_config.rb} (100%) rename 
sdc-os-chef/{sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-ssl-ini.erb => sdc-backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb} (88%) create mode 100644 sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_9_import_Normatives.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_10_import_Normatives.rb similarity index 100% rename from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_9_import_Normatives.rb rename to sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_10_import_Normatives.rb diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb index ac1614a253..067642fed9 100644 --- a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb +++ b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_2_setup_configuration.rb @@ -51,18 +51,3 @@ cookbook_file "ArtifactGenerator" do group "jetty" mode "0755" end - -directory "Jetty_etcdir_creation" do - path "/#{jetty_base}/etc" - owner 'jetty' - group 'jetty' - mode '0755' - action :create -end - -cookbook_file "/#{jetty_base}/etc/keystore" do - source "keystore" - owner "jetty" - group "jetty" - mode 0755 -end diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_locate_keystore.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_locate_keystore.rb new file mode 100644 index 0000000000..148eaaf4d3 --- /dev/null +++ b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_locate_keystore.rb 
@@ -0,0 +1,16 @@ +jetty_base="/var/lib/jetty" + +directory "Jetty_etcdir_creation" do + path "/#{jetty_base}/etc" + owner 'jetty' + group 'jetty' + mode '0755' + action :create +end + +cookbook_file "/#{jetty_base}/etc/keystore" do + source "keystore" + owner "jetty" + group "jetty" + mode 0755 +end diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_create_DMaaP_keys.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_create_DMaaP_keys.rb similarity index 100% rename from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_3_create_DMaaP_keys.rb rename to sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_create_DMaaP_keys.rb diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_5_jetty_Modules.rb similarity index 65% rename from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb rename to sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_5_jetty_Modules.rb index 3ec16e8924..046e3c6919 100644 --- a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_4_jetty_Modules.rb +++ b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_5_jetty_Modules.rb @@ -12,4 +12,11 @@ EOH not_if "ls /#{jetty_base}/start.d/https.ini" end - +template "ssl-ini" do + path "/#{jetty_base}/start.d/ssl.ini" + source "ssl-ini.erb" + owner "jetty" + group "jetty" + mode "0755" + variables :https_port => "#{node['BE'][:https_port]}" +end 
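Review bot: The `cookbook_file "/#{jetty_base}/etc/keystore"` resource in the new BE_3_locate_keystore.rb installs the keystore with `mode 0755`. That leaves a file that presumably holds the server's TLS private key readable by every local account, and marks it executable for no reason. The resource already sets owner and group to jetty, so `mode '0600'` (or `'0640'` if group read is needed) is enough for Jetty to load it. Quoting the mode would also match the `directory` resource above it, which uses `mode '0755'`.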
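Review bot: The new `template "ssl-ini"` resource in BE_5_jetty_Modules.rb writes `ssl.ini` with `mode "0755"`, but the rendered file carries the keystore, key-manager and truststore passwords set by the template hunks later in this patch. Any local user can therefore read them. `mode "0640"` would be sufficient, and adding `sensitive true` would keep Chef from showing the rendered content in its run output. The same `mode "0755"` appears as unchanged context on the `ssl-ini` resource in FE_7_create_jetty_modules.rb. `jetty_base` is defined outside this hunk.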
diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_5_setup_elasticsearch.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_6_setup_elasticsearch.rb
similarity index 100%
rename from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_5_setup_elasticsearch.rb
rename to sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_6_setup_elasticsearch.rb
diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_6_setup_portal_properties.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_7_setup_portal_properties.rb
similarity index 100%
rename from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_6_setup_portal_properties.rb
rename to sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_7_setup_portal_properties.rb
diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_7_logback.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_8_logback.rb
similarity index 100%
rename from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_7_logback.rb
rename to sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_8_logback.rb
diff --git a/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_8_errors_config.rb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_9_errors_config.rb
similarity index 100%
rename from sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_8_errors_config.rb
rename to sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/recipes/BE_9_errors_config.rb
diff --git a/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-ssl-ini.erb b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb similarity index 88% rename from sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-ssl-ini.erb rename to sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb index 426e0e44b5..effbfa7918 100644 --- a/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/FE-ssl-ini.erb +++ b/sdc-os-chef/sdc-backend/chef-repo/cookbooks/sdc-catalog-be/templates/default/ssl-ini.erb @@ -8,7 +8,7 @@ # jetty.ssl.host=0.0.0.0 ## Connector port to listen on -jetty.ssl.port=<%= @FE_https_port %> +jetty.ssl.port=<%= @https_port %> ## Connector idle timeout in milliseconds # jetty.ssl.idleTimeout=30000 @@ -49,6 +49,7 @@ jetty.ssl.port=<%= @FE_https_port %> ## Keystore password # jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 +jetty.sslContext.keyStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok ## Keystore type and provider # jetty.sslContext.keyStoreType=JKS @@ -56,9 +57,11 @@ jetty.ssl.port=<%= @FE_https_port %> ## KeyManager password # jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g +jetty.sslContext.keyManagerPassword=OBF:1cp61iuj194s194u194w194y1is31cok ## Truststore password # jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 +jetty.sslContext.trustStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok ## Truststore type and provider # jetty.sslContext.trustStoreType=JKS @@ -81,3 +84,7 @@ jetty.ssl.port=<%= @FE_https_port %> ## Set the timeout (in seconds) of the SslSession cache timeout # jetty.sslContext.sslSessionTimeout=-1 + +## Allow SSL renegotiation +# jetty.sslContext.renegotiationAllowed=true +# jetty.sslContext.renegotiationLimit=5 
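Review bot: The three added `jetty.sslContext.*Password` lines commit a fixed credential to the template, and the same OBF value serves the keystore, the key manager and the truststore. Jetty's OBF encoding is reversible; the FE copy of this file added later in the patch says so itself ("OBF passwords are not secure, just protected from casual observation"). Anyone who can read the repository or the rendered ssl.ini therefore effectively has the password. Consider rendering the values from template variables that the recipe fills from a protected source, e.g. `jetty.sslContext.keyStorePassword=<%= @keystore_password %>` (variable name illustrative), with a comment that the shipped value is a development default to be replaced per deployment. The new FE `ssl-ini.erb` carries the identical three lines.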
diff --git a/sdc-os-chef/sdc-backend/chef-solo/roles/catalog-be.json b/sdc-os-chef/sdc-backend/chef-solo/roles/catalog-be.json index 9fc7b8d1dc..a05a2830eb 100644 --- a/sdc-os-chef/sdc-backend/chef-solo/roles/catalog-be.json +++ b/sdc-os-chef/sdc-backend/chef-solo/roles/catalog-be.json @@ -12,11 +12,12 @@ "run_list": [ "recipe[sdc-catalog-be::BE_1_cleanup_jettydir]", "recipe[sdc-catalog-be::BE_2_setup_configuration]", - "recipe[sdc-catalog-be::BE_4_jetty_Modules]", - "recipe[sdc-catalog-be::BE_5_setup_elasticsearch]", - "recipe[sdc-catalog-be::BE_6_setup_portal_properties]", - "recipe[sdc-catalog-be::BE_7_logback]", - "recipe[sdc-catalog-be::BE_8_errors_config]" + "recipe[sdc-catalog-be::BE_3_locate_keystore]", + "recipe[sdc-catalog-be::BE_5_jetty_Modules]", + "recipe[sdc-catalog-be::BE_6_setup_elasticsearch]", + "recipe[sdc-catalog-be::BE_7_setup_portal_properties]", + "recipe[sdc-catalog-be::BE_8_logback]", + "recipe[sdc-catalog-be::BE_9_errors_config]" ], "env_run_lists": { } diff --git a/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb b/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb index 2800fd1808..fc9dd86f40 100644 --- a/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb +++ b/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/recipes/FE_7_create_jetty_modules.rb @@ -34,12 +34,12 @@ template "FE-https-ini" do end -template "FE-ssl-ini" do +template "ssl-ini" do path "/#{jetty_base}/start.d/ssl.ini" - source "FE-ssl-ini.erb" + source "ssl-ini.erb" owner "jetty" group "jetty" mode "0755" - variables :FE_https_port => "#{node['FE'][:https_port]}" + variables :https_port => "#{node['FE'][:https_port]}" end 
diff --git a/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb b/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb
new file mode 100644
index 0000000000..effbfa7918
--- /dev/null
+++ b/sdc-os-chef/sdc-frontend/chef-repo/cookbooks/sdc-catalog-fe/templates/default/ssl-ini.erb
@@ -0,0 +1,90 @@
+# ---------------------------------------
+# Module: ssl
+--module=ssl
+
+### TLS(SSL) Connector Configuration
+
+## Connector host/address to bind to
+# jetty.ssl.host=0.0.0.0
+
+## Connector port to listen on
+jetty.ssl.port=<%= @https_port %>
+
+## Connector idle timeout in milliseconds
+# jetty.ssl.idleTimeout=30000
+
+## Connector socket linger time in seconds (-1 to disable)
+# jetty.ssl.soLingerTime=-1
+
+## Number of acceptors (-1 picks default based on number of cores)
+# jetty.ssl.acceptors=-1
+
+## Number of selectors (-1 picks default based on number of cores)
+# jetty.ssl.selectors=-1
+
+## ServerSocketChannel backlog (0 picks platform default)
+# jetty.ssl.acceptorQueueSize=0
+
+## Thread priority delta to give to acceptor threads
+# jetty.ssl.acceptorPriorityDelta=0
+
+## Whether request host names are checked to match any SNI names
+# jetty.ssl.sniHostCheck=true
+
+## max age in seconds for a Strict-Transport-Security response header (default -1)
+# jetty.ssl.stsMaxAgeSeconds=31536000
+
+## include subdomain property in any Strict-Transport-Security header (default false)
+# jetty.ssl.stsIncludeSubdomains=true
+
+### SslContextFactory Configuration
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+
+## Keystore file path (relative to $jetty.base)
+# jetty.sslContext.keyStorePath=etc/keystore
+
+## Truststore file path (relative to $jetty.base)
+# jetty.sslContext.trustStorePath=etc/keystore
+
+## Keystore password
+# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+jetty.sslContext.keyStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok
+
+## Keystore type and provider
+# jetty.sslContext.keyStoreType=JKS
+# jetty.sslContext.keyStoreProvider=
+
+## KeyManager password
+# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g
+jetty.sslContext.keyManagerPassword=OBF:1cp61iuj194s194u194w194y1is31cok
+
+## Truststore password
+# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+jetty.sslContext.trustStorePassword=OBF:1cp61iuj194s194u194w194y1is31cok
+
+## Truststore type and provider
+# jetty.sslContext.trustStoreType=JKS
+# jetty.sslContext.trustStoreProvider=
+
+## whether client certificate authentication is required
+# jetty.sslContext.needClientAuth=false
+
+## Whether client certificate authentication is desired
+# jetty.sslContext.wantClientAuth=false
+
+## Whether cipher order is significant (since java 8 only)
+# jetty.sslContext.useCipherSuitesOrder=true
+
+## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at
+## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites
+
+## Set the size of the SslSession cache
+# jetty.sslContext.sslSessionCacheSize=-1
+
+## Set the timeout (in seconds) of the SslSession cache timeout
+# jetty.sslContext.sslSessionTimeout=-1
+
+## Allow SSL renegotiation
+# jetty.sslContext.renegotiationAllowed=true
+# jetty.sslContext.renegotiationLimit=5
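Review bot: Nothing in this commit shows the keystore that the three uncommented password lines in the FE template are meant to unlock. The diffstat lists only the sdc-simulator keystore as changed, and the only keystore resource in the patch is in the BE recipe. If the FE (or BE) cookbook still ships a keystore created with a different password, Jetty would presumably fail to load it at start-up, so this is worth confirming before merge. A comment above the password lines naming the file they belong to would help the next maintainer, e.g. `## Must match the keystore deployed to etc/keystore by this cookbook`.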
diff --git a/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/keystore b/utils/webseal-simulator/sdc-simulator/chef-repo/cookbooks/sdc-simulator/files/default/keystore index c4083931dcdcc3783a781ab103c72a9f6843d77b..08f6cda8a7b0104236c37f3c06b4cda1d8fc58e6 100644 GIT binary patch literal 1416 zcmezO_TO6u1_mY|W&~r_tkjZ{N+3_R)UekNZbhDKH`EXUR-=hO7hY&y{H-e(+TowuJ*{`? zwVfT`ns@KmCLd9_H?QZ%#(VNFq-*~l&ib%)(Y!;gI{W`RJIFow^~EB{E~hHzXm8Qd z$+I3OFWL4l%D`0pEH}^DdFqAf_3vNy-07jRmW@8^t|?HpH{w+9zJZ0HTQ{GwgE`KsL0)*BinM>ExK{8V|s z_c83?=Ue&W%>UG?wT~>g^C-D5b6Kid$utMyOUY~8&RQ2O5Kv$6WA72RZCZOI`%XW7 zWGv*iET~D-A?Uf$)PkAXC#^&coOKW1)_jbSp1ybc*-Pg z*1AKX?hJ-g?<}Z|$~fj~%&Q)8GVXHmuY_w7iL*9Li<#ba=>(4shvkf&zalFllPfRmB({Gr>G+(AG{|j5^yi-$J^G%gy&!3%F`Y=?Z zqHag3(zm<4?6(-6S8caBa7ykAzsvLfb>|ds{`&FW?ULoW&INs`nHskiv_4^yUS(;u zwJG}=M=euvt`d*!{pAW3tsAR0lWEH+#d4(r%9_{jEh_BIde_H z2F(udYbrB!9Sz@xPFu0!#>2SI`Ssat!p3^(;?40Uy|?vOtS!3O8Zd1|F}L60tKCOm znylYEA@-w}ri%BqU%N_+XGl&zI@4*vv5nXG(`N27=6zy$WG5s+N9dUvSOODr2QVSG z7&I}yWn%FZKK#XimyJ`a&7GmI50%m z5h5xEN+4Za!qUF^MI{POiIob@`FX{qIVG8S=?VcQl?py3DTaIoJRnuv!mM7P3}z^0 zAOYet3k!lXoL(+aZ&G5VUVc%!ft)z6frX)=fw_T+k%h5YlsK=knSrs9DU>^yoZ2`a zIUIo{19M|9Ff2Qn8XFm!A3o&OeJrUOYjfQ^)giy{^|QK1CEP2QH%vD1Nc3MB^xmW4 z2fxzex2hhF*O)r=%WpirQ+H{vy7qk+o=56U7bdiMykRRo{_oVH)zDhW2yL+!vyn`wiA33|lR42Pgou}g~dvauF+U45K+=Wccj0}v( z&I3j>GtgZkrPhJg=H9<%l_$GC*-}{lrfI>Hv$DOvyPj6+9TS$eJZ37ao71_#A!EVD zCY$?z=d9ULtT&}=o8QIxpMTDAp0ptI@ccyM2W9WgVozM<*}KLmGg5O$WNJ zyVS~6#D7};!ib^4U#WeU%`4Hj5}6$f=N+nWnZl~&!Rl~+N3e&zOV1^_x z<;0%lJ~GkV7190XipiYaJ|;{=B_n;@w({};NI4l3OKk`G{4`4!*vf?h%UFY1X z<>3!(&OZTK7jxpSE#%OTnNR4UVjJ4;o4%7%?<%i;X$n`nu$HKrsmep{*^Ju7rc|}{ zi!rb2cQVG0_0{@8I^Ay-$tLC0gzD5l+mE@J-;ZRu`wx`vY8#x4sS>GF`CI9(DH7Wl z9CSF_d8XwT&Ni?xp!$i&ZNpsXKc2)X$>`0_?D33@YjTd?KF2NGW#F`a#4&HZ++3cY zHrWh#eYHOtAL&q1Hg!t6!o{sLjv$A7XJ(;TY5PXwXPG|LyH58dS!yia?J*pCS(@L(UWD0 zQYm-i4$ahHtD5uLQg3vf_6wWN#0F}}pU;xATRStb7egE5@i<+m_pu~0Gp@*?7`~<-;MIeI8dl2;`c+Xo&+vUdzJHrScQuqGN)?s50K 
zVWqp>zkVq0?)Ahmn#gQmh2*_56X)j{)h$P2j{Be0 zdw*VU+A|+F85l;%(Rrk=rIhrF(Y!-{M+VKlCuQE%wX#q$zd%zCQ{i`r&{004hhZ2s zkq0n4HnCH=hZNN!0&@C$D1FCzPyZc3@HueOSPq_Mak*vVz(5~&^`qD6r^wxG_r1`% zSs$pSAn7fo_VBM6IYNq+^*M7vS@y;h3FU>GE$1xd30*>6J)Vk-ZSuZJh7x;@UGr$K zBc#+-PF_{kHtE-ocsAGka-z6lj+T-}ak82{Kz>h~)bB7}5Gz4dl#sI{cAkH@=gWga zeZ0Y~Y`FOs?96IT`-j{{_nn`cDm5M-e^+tTI!UxA9$&op*s9{j34@9-eM5)D`S@2Y zgDQL6Zi2Q4pL^S0oM_!XT|ZF>(G8F9E(zR``qC-BxSnchEJ@_n-&MJpgz34xzS6cn z<;K)_*ryj7}%S2q9t%2;;%pPdrMI6 zpB%=nTtpTW!{C41qnamENYEX*V*_=+HU087=a$lj-uc>&+if0IqX*lZYxM>c-Nh`C zy%)@Ao?@}`YJDE%)1m8XRBvj#j>;?T)>5nvlF=@FIXmR0(-+*=ZWE;pRpG)qUYCp| z@|5mdOE@p9qcFvU2&`Z*5j5b4p!ljdQzQh3;Bc8eM{g%!9WzPnxLsL8Y!(|xiHI3y zI%m#EL6C$n45ShyfS8DoFG2(j_w^>I0%d_Aj>dQ=M^U3$Av7E*h7lXXpt9&O(FAp% zDj1eP%YPsCVZ<|8xQ!vK#27{d!4%*H0YYfq?*XJpDwByb$9ad);u#_Q8zUivfg{=D z@HnT{Kutl4KqQy}E3o|W=bILMbB&of(TZs057-BO{(-UpB`AQDM0(I^;q)+SGyx4{ z1ujuZaqpOTR(L2qBr=$w3={=UamiKoK0eDu>9i20G0r8LWJ=TQEVwuolq5ucd{BimCs1f2oC>Y-_4(C7+ zY_x2qJ&@yJaYA_VT`J|NCkNfyI#A)7)BF4T7dDr71ItOjdF(NnETMqn;|P<^DGk(% zj?=D@{e2ROnno|=RjX_wXwPkx#v}Gl3dKH~a(F{6f8*ufnD9`z_)&1eRn%}+!eEa2 ze2R>Q`R-sZ-rCdx&$7*padS)WKlYfd-Ii20&E{2R=BMA)X}OO_r=KzZrO^33T6Eay z1($2loJrIs58pGNJ7yTw1vf{AZP~_qyV+}OO=C{exx;_-Djm38i_}>dO(SxyzI)K( zMyiT=^&I6CmsaoOSYp(pd=Q^LSpLV6{Vxkuw!LoLvsy;9T_Yq}BGv`oHXJJHJ4W@i zhYLY4sF(xa1vv0TpwC}ZRat}vQ0M%YbrtlVDjER?Fh0upk0=OQLLh|T!bQvNrmBOG z2N)3~pYg)NqC(L3Cpe%A!f^a2{Sp0 z79@C+rnFcl(D@z&2Z~DnF^myQ1?qwlS_mwV--`*{@tAtVw=aW)`E`e3)pW{d5_S?8 z2?Ep++CUTFiqwi!GL-}s`30HGA1d+<8Y2>HUMUJe2shxu&;IRi0Vosw^St2Yp40sv z0RKM{v-mwI{OuIfnG8q35$rDr_9xg!SOTnPRMjX&YSRT=Hv2L=JT}$j@M-8-K-M8! 
z*~Yfov4)3&ULIKXk6L%GzU(*0g8T^~k74;~#JIAizmu`@#LMHK`+h_da2IcD; ze}h6W<+O+8w^_F<%GM0P%lB`&18-c79lp}JK&Cti8^v9%4(o92Q+!2vedn^(nqR-T z*_{rI+`7K1L0PfB`Z4<{=ghcdXqNo?JKS|v$RmZKH9ll|Mn~t=Elp1KLPx4IrtYbG zlX_1HVRl~)vTtLhetL<>^-`4)7O#`nP%AFR`f|3i_kyN-FN$Gev2>Sd(&$o=U`r}fxUjt=Unfe} zK6$!8h8Eyf`Y;84C9W`8$6A@SRf{;<#~!=MQRawgIF9(U;n)K&Nxw;<+_sp7ZynrM zpxOyrp@Xmu;0Ukb(*gI54qkTGS!-giu3l$<2;_+rEdAT+0d~vJ>Z<_c_}$LOgS1}= zgYHcai~gpl{{q9x0PbfnSc5f!nG$G%KFt7U27m=_CGwvXd>lB&FmP19g2yoEDIvkQ zcxDJLCOR^i-~dR1xk6~0l_|ItsCdQ)Mbc?FPX;}T%1FkMLKrN1D4n)UE1dm5xmd{p z)DV|ZV@?44?+R+n1SVKP&HpzF{~KPax`bO)Sa_a-pH-79S?u_*TbJa=@Uw;M^@Hw~ z0Pj>^S`k9mhJr4eAdXK+eT9r`BDQ}$-XLZL-4^A7* zHYEFfnOW$z4u6sD#xb{Fb@zeI!_MO=85&BO2q8U%Y?W|o9!lD4ueoXs@6l-Llb}lz z)w>|pB%L_g^31ku;>5|8L);D0It8wB$Im~Cg8Qf&?$qrUv8Fj+s&Q|R&+}YDn|8i< za}PUxwpnM}Czy4wu1Af5SR2Y#D@NXxEk8e%E_3%;1CP|flnP_0Q7)P zkyepLruvGc5`K{4SQ^zFA4Xi(<|&(k?9O&&N@J%7Jv-COE;fFD@;gCOcYEOboqA>>95q_vr9$ke~T2b$Usm`7QqM2 zc{QLyPy$%KgTF6iR}NdAZZ3ENo@l=MA8<+|%Q?Q13Up=n(U!d;a>BzhaBb)`#58Sd=%+v1_`}S)8|rG{VxzCF*~sjhKwjOb4X7 z74mQ+;x}G9$Vg)H3%8XFxaAIO|K_+Z