Merge pull request #2545 from smillidge/PAYARA-2615

PAYARA-2615 Add support for Payara Micro command line option --sslCert

appserver/extras/payara-micro/payara-micro-boot/src/main/java/fish/payara/micro/PayaraMicro.java

@@ -210,6 +210,10 @@ public boolean getSslAutoBind() {
     public int getSslPort() {
         return wrappee.getSslPort();
     }
+
+    public String getSslCert() {
+        return wrappee.getSslCert();
+    }
 
     public File getUberJar() {
         return wrappee.getUberJar();
@@ -362,6 +366,11 @@ public PayaraMicro setSslPort(int sslPort) {
         wrappee.setSslPort(sslPort);
         return this;
     }
+
+    public PayaraMicro setSslCert(String alias) {
+        wrappee.setSslCert(alias);
+        return this;
+    }
 
     public PayaraMicro setUserLogFile(String fileName) {
         wrappee.setUserLogFile(fileName);

appserver/extras/payara-micro/payara-micro-boot/src/main/java/fish/payara/micro/boot/PayaraMicroBoot.java

@@ -1,7 +1,7 @@
 /*
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
  *
- * Copyright (c) 2016 Payara Foundation and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016-2018 Payara Foundation and/or its affiliates. All rights reserved.
  *
  * The contents of this file are subject to the terms of either the GNU
  * General Public License Version 2 only ("GPL") or the Common Development
@@ -42,7 +42,6 @@
 import fish.payara.micro.BootstrapException;
 import fish.payara.micro.PayaraMicroRuntime;
 import java.io.File;
-import java.net.URL;
 
 /**
  *
@@ -227,6 +226,12 @@ public interface PayaraMicroBoot {
      * @return The HTTPS port
      */
     int getSslPort();
+
+    /**
+     * The name of the SSL certificate to use in the keystore
+     * @return 
+     */
+    String getSslCert();
 
     /**
      * The UberJar to create
@@ -466,6 +471,13 @@ public interface PayaraMicroBoot {
      * @return
      */
     PayaraMicroBoot setSslPort(int sslPort);
+
+    /**
+     * Sets the name of the certificate to use in the keystore
+     * @param alias the name of the certificate in the keystore
+     * @return 
+     */
+    PayaraMicroBoot setSslCert(String alias);
 
     /**
      * Set user defined file for the Log entries

appserver/extras/payara-micro/payara-micro-core/src/main/java/fish/payara/micro/cmd/options/RUNTIME_OPTION.java

@@ -40,8 +40,8 @@
 package fish.payara.micro.cmd.options;
 
 /**
- *
- * @author steve
+ * ENUM used for command line switches for Payara Micro
+ * @author Steve Millidge (Payara Services Limited)
  */
 public enum RUNTIME_OPTION {
     nocluster(false),
@@ -100,6 +100,7 @@ public enum RUNTIME_OPTION {
     unpackdir(true, new DirectoryValidator(true, true, true)),
     clustermode(true,new PrefixStringListValidator("tcpip","domain","multicast")),
     interfaces(true),
+    sslcert(true),
     help(false);
 
     private RUNTIME_OPTION(boolean hasValue) {

appserver/extras/payara-micro/payara-micro-core/src/main/java/fish/payara/micro/impl/PayaraMicroImpl.java

@@ -91,8 +91,6 @@
 import fish.payara.nucleus.hazelcast.HazelcastCore;
 import java.io.FileNotFoundException;
 import java.io.OutputStream;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
 import java.util.Arrays;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Formatter;
@@ -178,6 +176,7 @@ public class PayaraMicroImpl implements PayaraMicroBoot {
     private String clustermode;
     private String interfaces;
     private String secretsDir;
+    private String sslCert;
     private boolean showServletMappings;
 
     /**
@@ -432,23 +431,23 @@ public PayaraMicroImpl setHttpPort(int httpPort) {
     }
 
     /**
-     * The configured port for HTTPS requests
+     * The UberJar to create
      *
-     * @return The HTTPS port
+     * @return
      */
     @Override
-    public int getSslPort() {
-        return sslPort;
+    public File getUberJar() {
+        return uberJar;
     }
-
+    
     /**
-     * The UberJar to create
+     * The configured port for HTTPS requests
      *
-     * @return
+     * @return The HTTPS port
      */
     @Override
-    public File getUberJar() {
-        return uberJar;
+    public int getSslPort() {
+        return sslPort;
     }
 
     /**
@@ -468,6 +467,22 @@ public PayaraMicroImpl setSslPort(int sslPort) {
         return this;
     }
 
+    /**
+     * Set the certificate alias in the keystore to use for the server cert
+     * @param alias name of the certificate in the keystore
+     * @return 
+     */
+    @Override
+    public PayaraMicroImpl setSslCert(String alias) {
+        sslCert = alias;
+        return this;
+    }
+
+    @Override
+    public String getSslCert() {
+        return sslCert;
+    }
+
     /**
      * Gets the logical name for this PayaraMicro Server within the server
      * cluster
@@ -1112,6 +1127,10 @@ private void scanArgs(String[] args) {
                         sslPort = Integer.parseInt(value);
                         break;
                     }
+                    case sslcert: {
+                        sslCert = value;
+                        break;
+                    }
                     case version: {
                         printVersion();
                         System.exit(1);
@@ -1422,7 +1441,7 @@ private void configureRequestTracingService() {
     }
 
     /**
-     * Process the user system properties in precendence
+     * Process the user system properties in precedence
      * 1st loads the properties from the uber jar location
      * then loads each command line system properties file which will override
      * uber jar properties
@@ -1827,6 +1846,10 @@ private void configurePorts() throws GlassFishException {
                 throw new GlassFishException("Could not bind SSL port");
             }
         }
+
+        if (sslCert != null) {
+            preBootCommands.add(new BootCommand("set", "configs.config.server-config.network-config.protocols.protocol.https-listener.ssl.cert-nickname=" + sslCert));            
+        }
     }
 
     private void configurePhoneHome() {
@@ -2101,6 +2124,7 @@ private void setArgumentsFromSystemProperties() {
         enableHealthCheck = getBooleanProperty("payaramicro.enableHealthCheck");
         httpPort = getIntegerProperty("payaramicro.port", Integer.MIN_VALUE);
         sslPort = getIntegerProperty("payaramicro.sslPort", Integer.MIN_VALUE);
+        sslCert = getProperty("payaramicro.sslCert");
         hzMulticastGroup = getProperty("payaramicro.mcAddress");
         hzPort = getIntegerProperty("payaramicro.mcPort", Integer.MIN_VALUE);
         hostAware = getBooleanProperty("payaramicro.hostAware","true");
@@ -2258,6 +2282,10 @@ private void packageUberJar() {
         if (secretsDir != null) {
             props.setProperty("payaramicro.secretsDir", secretsDir);
         }
+
+        if (sslCert != null) {
+            props.setProperty("payaramicro.sslCert", sslCert);
+        }
 
         props.setProperty("payaramicro.autoBindHttp", Boolean.toString(autoBindHttp));
         props.setProperty("payaramicro.autoBindSsl", Boolean.toString(autoBindSsl));

appserver/extras/payara-micro/payara-micro-core/src/main/java/fish/payara/micro/impl/UberJarCreator.java

@@ -216,6 +216,10 @@ public void buildUberJar() {
                         is = new FileInputStream(postDeployCommands);
                     }else if (entry.toString().contains("MICRO-INF/domain/domain.xml") && (domainXML != null)) {
                         is = new FileInputStream(domainXML);
+                    }else if (entry.toString().contains("MICRO-INF/domain/keystore.jks") && (System.getProperty("javax.net.ssl.keyStore") != null)) {
+                        is = new FileInputStream(System.getProperty("javax.net.ssl.keyStore"));
+                    }else if (entry.toString().contains("MICRO-INF/domain/cacerts.jks") && (System.getProperty("javax.net.ssl.trustStore") != null)) {
+                        is = new FileInputStream(System.getProperty("javax.net.ssl.trustStore"));
                     }
 
                     byte[] buffer = new byte[4096];

nucleus/security/core/src/main/java/com/sun/enterprise/security/ssl/GlassfishServerSocketFactory.java

@@ -71,6 +71,20 @@ protected KeyManager[] getKeyManagers(String algorithm, String keyAlias) throws
         if (logger.isLoggable(Level.FINE)) {
             logger.log(Level.FINE, "Keystore type= {0}", keystoreType);
         }
+
+        // validate that the alias is in one of the keystores otherwise emit warning
+        boolean aliasFound = false;
+        for (KeyStore keyStore : sslUtils.getKeyStores()) {
+            if (keyStore.isKeyEntry(keyAlias)) {
+                aliasFound = true;
+                break;
+            }
+        }
+
+        if (!aliasFound) {
+            logger.log(Level.WARNING, "Unable to find key pair alias {0} in any of the configured key stores, therefore the server may not be able to present a valid SSL Certificate", keyAlias);
+        }
+
         KeyManager[] kMgrs = sslUtils.getKeyManagers(algorithm);
         if (keyAlias != null && keyAlias.length() > 0 && kMgrs != null) {
             for (int i = 0; i < kMgrs.length; i++) {

nucleus/security/ssl-impl/src/main/java/com/sun/enterprise/security/ssl/impl/SecuritySupportImpl.java

@@ -248,6 +248,7 @@ protected synchronized static void loadStores(
             keyStorePasswords.add(Arrays.copyOf(keyStorePass, keyStorePass.length));
             tokenNames.add(tokenName);
         } catch (Exception ex) {
+            _logger.severe("Failed to load key stores " + ex.getMessage());
             throw new IllegalStateException(ex);
         }
     }