[WFLY-18475] helloworld-mutual-ssl-secured Quickstart Common Enhancements CY2023Q3
Prarthona Paul committed Dec 14, 2023
1 parent 13d664e commit 975c28d
Showing 11 changed files with 358 additions and 31 deletions.
16 changes: 16 additions & 0 deletions .github/workflows/quickstart_helloworld-mutual-ssl-secured_ci.yml
@@ -0,0 +1,16 @@
name: WildFly helloworld-mutual-ssl-secured Quickstart CI

on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
paths:
- 'helloworld-mutual-ssl-secured/**'
- '.github/workflows/quickstart_ci.yml'

jobs:
call-quickstart_ci:
uses: ./.github/workflows/quickstart_ci.yml
with:
QUICKSTART_PATH: helloworld-mutual-ssl-secured
TEST_PROVISIONED_SERVER: true
TEST_OPENSHIFT: false
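Review bot: the `paths` filter covers `helloworld-mutual-ssl-secured/**` and the shared `quickstart_ci.yml` but not `shared-doc/**`, which this quickstart's README now pulls in for the provisioned-server and integration-test sections; a change to those shared documents alone will not run this job, so say so if documentation builds are expected to be covered by CI. `TEST_OPENSHIFT: false` is consistent with the `openshift-incompatibility.adoc` include added to the README in this commit.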
35 changes: 11 additions & 24 deletions helloworld-mutual-ssl-secured/README.adoc
Expand Up @@ -70,7 +70,7 @@ Notice that it sets the `first and last name` to `quickstartUser` and that this
[source,options="nowrap"]
----
$>keytool -exportcert -keystore client.keystore -storetype pkcs12 -storepass secret -keypass secret -file client.crt
$>keytool -import -file client.crt -alias quickstartUser -keystore client.truststore -storepass secret
$>keytool -import -file client.crt -alias quickstartUser -keystore server.truststore -storepass secret
Owner: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR
Issuer: CN=quickstartUser, OU=Sales, O=My Company, L=Sao Paulo, ST=Sao Paulo, C=BR
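Review bot: the manual keytool path in this hunk still writes the client key pair to `client.keystore` (`$>keytool -exportcert -keystore client.keystore ...`), while the new `configure-client-certs.cli` creates `client.keystore.P12`; the two paths now agree on `server.truststore` but not on the client keystore name, so a reader who mixes the manual steps with the `provisioned-server` profile ends up with two client keystores in the configuration directory. Pick one name, or state in the README that the CLI-scripted path uses its own files.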
Expand Down Expand Up @@ -155,7 +155,7 @@ After stopping the server, open the `__{jbossHomeName}__/standalone/configuratio
<key-store name="qsTrustStore">
<credential-reference clear-text="secret"/>
<implementation type="JKS"/>
<file path="client.truststore" relative-to="jboss.server.config.dir"/>
<file path="server.truststore" relative-to="jboss.server.config.dir"/>
</key-store>
----

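Review bot: the expected `standalone.xml` excerpt in this hunk keeps `<implementation type="JKS"/>` for `qsTrustStore`, but `configure-ssl.cli` in this same commit changes that key-store to `type=PKCS12`; after running the script the user will see `<implementation type="PKCS12"/>` and the README will not match what is on disk. Update the excerpt to PKCS12 (the `keytool -import` into a new `server.truststore` also produces a PKCS12 file by default on JDK 9 and later, so both paths agree once the excerpt is fixed).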
Expand Down Expand Up @@ -231,7 +231,7 @@ It maps the `client_cert_domain` from the quickstart application to the `http-au
[[test_the_server_ssl_configuration]]
== Test the Server TLS Configuration

To test the TLS configuration, access: https://localhost:8443
To test the TLS configuration, start {productName} and access: https://localhost:8443

If it is configured correctly, you should be asked to trust the server certificate.

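Review bot: `If it is configured correctly, you should be asked to trust the server certificate.` should say why the prompt appears: `configure-ssl.cli` now generates a self-signed key pair for `cn=localhost` in `applicationKS`, so the untrusted-certificate warning is expected and is not a sign that the mutual TLS setup failed. Without that sentence a reader may read the browser warning as a misconfiguration.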
Expand Down Expand Up @@ -290,6 +290,8 @@ dzXZz0EjjWCPJk+LVEhEvH0GcWAp3x3irpNU4hRZLd0XomY0Z4NnUt7VMBNYDOxVxgT9qcLnEaEpIfYU
ynfnMaOxI67FC2QzhfzERyKqHj47WuwN0xWbS/1gBypS2nUwvItyxaEQG2X5uQY8j8QoY9wcMzIIkP2Mk14gJGHUnA8=
----

// Server Distribution Testing
include::../shared-doc/run-integration-tests-with-server-distribution.adoc[leveloffset=+2]
// Undeploy the Quickstart
include::../shared-doc/undeploy-the-quickstart.adoc[leveloffset=+1]

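Review bot: the new include `run-integration-tests-with-server-distribution.adoc[leveloffset=+2]` uses a different level offset from every other include in this file (`leveloffset=+1`); if the shared document starts with a level-1 heading, it renders as a sub-section of the preceding section instead of a peer of `Undeploy the Quickstart`. Confirm +2 is intended.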
Expand Down Expand Up @@ -320,7 +322,7 @@ $ cd __{jbossHomeName}__/standalone/configuration/
+
NOTE: For Windows, use the `__{jbossHomeName}__\bin\standalone.bat` script.

. Remove the `clientCert.p12`, `client.crt`, and `client.truststore` files that were generated for this quickstart.
. Remove the `clientCert.p12`, `client.crt`, and `server.truststore` files that were generated for this quickstart.

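Review bot: the cleanup step now lists `clientCert.p12`, `client.crt` and `server.truststore`, which are the files of the manual keytool path; the files written by the new CLI scripts (`client.keystore.P12`, `clientCert.crt`, `serverCert.crt`, `client.truststore`) are not removed here, and the `restore-*.cli` scripts only remove the Elytron resources, not the files in `jboss.server.config.dir`. Either extend this list or add a matching cleanup note to the provisioned-server section.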
[[remove_the_client_certificate_from_your_browser]]
== Remove the Client Certificate from Your Browser
Expand All @@ -344,26 +346,11 @@ After you are done with this quickstart, remember to remove the certificate that
. Select the *quickstartUser* certificate and click the *Delete* button.
. The certificate has now been removed from the Mozilla Firefox browser.

// Run the Quickstart in Red Hat CodeReady Studio or Eclipse
include::../shared-doc/run-the-quickstart-in-jboss-developer-studio.adoc[leveloffset=+1]

// Additional Red Hat CodeReady Studio instructions
* Make sure you configure the keystores and client certificates as described under xref:set_up_client_keystore_using_java_keytool[Set Up the Client Keystore Using Java Keytool].
* Depending on the browser you choose, make sure you either xref:import_the_client_certificate_into_google_chrome[import the certificate into Google Chrome] or xref:import_the_client_certificate_into_mozilla_firefox[import the certificate into Mozilla Firefox].
* Make sure you configure the server by running the JBoss CLI commands as described above under xref:configure_the_server[Configure the Server]. Stop the server at the end of that step.
* In {JBDSProductName}, choose *Window* –> *Web Browser*, then select the browser you chose to import the certificate.
* To deploy the application, right-click on the *{artifactId}* project and choose *Run As* –> *Run on Server*.
* Make sure you xref:restore_the_server_configuration[restore the {productName} server configuration] when you have completed testing this quickstart.

// Debug the Application
include::../shared-doc/debug-the-application.adoc[leveloffset=+1]

//*************************************************
// Product Release content only
//*************************************************
ifdef::ProductRelease[]
// Build and run sections for other environments/builds
ifndef::ProductRelease,EAPXPRelease[]
:server_provisioning_server_host: https://localhost:8443
include::../shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc[leveloffset=+1]
endif::[]

// Quickstart not compatible with OpenShift
include::../shared-doc/openshift-incompatibility.adoc[leveloffset=+1]
endif::[]
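Review bot: check the conditional nesting at the end of the file: `ifdef::ProductRelease[]` and `ifndef::ProductRelease,EAPXPRelease[]` both appear, followed by two `endif::[]`, and it is not clear from the hunk which block wraps the `openshift-incompatibility.adoc` include or whether that include renders in product builds. Also, removing the IDE bullets drops the inline reminder to `restore the {productName} server configuration` after testing; make sure the restore section is still reachable from the build-and-run flow.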
19 changes: 19 additions & 0 deletions helloworld-mutual-ssl-secured/configure-client-certs.cli
@@ -0,0 +1,19 @@
# Configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet.
/subsystem=elytron/key-store=clientKS:add(path=client.keystore.P12, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12)

# Generate a new key pair for the client. We'll use an RSA key of size 2048 and we'll use CN=quickstartUser
/subsystem=elytron/key-store=clientKS:generate-key-pair(alias=quickstartUser, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=secret}, distinguished-name="cn=quickstartUser")

# Export the certificate to a file called clientCert.crt
/subsystem=elytron/key-store=clientKS:export-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, pem=true)

# Create a the server's truststore
/subsystem=elytron/key-store=serverTS:add(path=server.truststore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12)

# Import a certificate into the server's truststore
/subsystem=elytron/key-store=serverTS:import-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, validate=false)

# Persist the changes we've made to the client's keystore and the server's truststore
/subsystem=elytron/key-store=serverTS:store()
/subsystem=elytron/key-store=clientKS:store()

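Review bot: `import-certificate(... validate=false)` on `serverTS` disables chain validation on import; that is acceptable here only because the certificate was exported from `clientKS` two commands earlier and is self-signed, and the comment should say so rather than leave `validate=false` looking like a general recommendation. Two smaller points: `# Create a the server's truststore` has a stray `a`, and the script depends on running before `configure-ssl.cli` (the pom lists them in that order) because `configure-ssl.cli` points `qsTrustStore` at the same `server.truststore` file this script writes with `store()`; a one-line comment on that ordering would keep it from being broken later.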
11 changes: 11 additions & 0 deletions helloworld-mutual-ssl-secured/configure-client-truststore.cli
@@ -0,0 +1,11 @@
# Export the server's certificate to a file called serverCert.crt
/subsystem=elytron/key-store=applicationKS:export-certificate(alias=server, path=serverCert.crt, relative-to=jboss.server.config.dir, pem=true)

# create a truststore for the client called client.truststore and add it to the server config directory
/subsystem=elytron/key-store=clientTS:add(path=client.truststore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12)

# import that certificate into the client truststore
/subsystem=elytron/key-store=clientTS:import-certificate(alias=server, path=serverCert.crt, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, validate=false)

# Use the store function to save the truststore file
/subsystem=elytron/key-store=clientTS:store()
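Review bot: the first command exports `alias=server` from `applicationKS`, but that alias is only created by `generate-key-pair` in `configure-ssl.cli`, and this script is not among the `packaging-scripts` in the pom (`configure-client-certs.cli`, `configure-ssl.cli`); nothing in the diff shows when or how `configure-client-truststore.cli` is run. Add a header comment stating that it must run after `configure-ssl.cli` against a running server, and note that `validate=false` is safe here only because the imported certificate was just exported from the server's own keystore.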
11 changes: 7 additions & 4 deletions helloworld-mutual-ssl-secured/configure-ssl.cli
Expand Up @@ -4,7 +4,7 @@
batch

# Add the keystore and trust manager configuration in the elytron subsystem
/subsystem=elytron/key-store=qsTrustStore:add(path=client.truststore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=secret})
/subsystem=elytron/key-store=qsTrustStore:add(path=server.truststore,relative-to=jboss.server.config.dir,type=PKCS12,credential-reference={clear-text=secret})
/subsystem=elytron/trust-manager=qsTrustManager:add(key-store=qsTrustStore)

# Update the default server-ssl-context to reference the new trust-manager and require client auth
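Review bot: changing `qsTrustStore` to `path=server.truststore,type=PKCS12` is consistent with `serverTS` in `configure-client-certs.cli`, but the README's `standalone.xml` excerpt in this commit still shows `<implementation type="JKS"/>`; update it together with this line. For the manual path, the `keytool -import` that creates `server.truststore` produces PKCS12 by default only on JDK 9 and later; on an older JDK it creates a JKS file that this PKCS12 key-store would fail to load, which is worth a note in the README.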
Expand All @@ -29,10 +29,13 @@ batch
# Add an application-security-domain in the undertow subsystem to map the client_cert_domain from the quickstart app to the http-authentication-factory
/subsystem=undertow/application-security-domain=client_cert_domain:add(http-authentication-factory=quickstart-http-authentication)

#generate the key pair that the server would use for its keystore
/subsystem=elytron/key-store=applicationKS:generate-key-pair(alias=server, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=password}, distinguished-name="cn=localhost")

/subsystem=elytron/key-store=applicationKS:store()

# Run the batch commands
run-batch

# Reload the server configuration
reload


#reload
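Review bot: `generate-key-pair(alias=server, ...)` on `applicationKS` assumes the alias does not exist yet; if `application.keystore` already holds a `server` entry from an earlier server start, confirm the command does not fail and abort the batch, and document that the script expects a fresh configuration. `credential-reference={clear-text=password}` is the default `applicationKS` password and should be identified as such in the comment so it is not mistaken for a quickstart secret. The two trailing blank lines and the commented `#reload` after the real `reload` are leftovers and should be removed.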
106 changes: 103 additions & 3 deletions helloworld-mutual-ssl-secured/pom.xml
Expand Up @@ -44,8 +44,12 @@
</licenses>

<properties>
<!-- The versions for BOMs, Dependencies and Plugins -->
<version.server.bom>30.0.0.Final</version.server.bom>
<!-- Version for the server -->
<version.server>30.0.0.Final</version.server>
<!-- The versions for BOMs, Packs and Plugins -->
<version.bom.ee>${version.server}</version.bom.ee>
<version.pack.cloud>5.0.0.Final</version.pack.cloud>
<version.plugin.wildfly>4.2.0.Final</version.plugin.wildfly>
</properties>

<repositories>
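Review bot: `version.pack.cloud` (`5.0.0.Final`) is declared but nothing else in this pom references it; the `provisioned-server` profile only lists `org.wildfly:wildfly-galleon-pack:${version.server}`. Drop the property, or add the feature pack it versions if that pack is actually needed.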
Expand Down Expand Up @@ -109,7 +113,7 @@
<dependency>
<groupId>org.wildfly.bom</groupId>
<artifactId>wildfly-ee-with-tools</artifactId>
<version>${version.server.bom}</version>
<version>${version.bom.ee}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
Expand Down Expand Up @@ -139,5 +143,101 @@
<artifactId>jakarta.servlet-api</artifactId>
<scope>provided</scope>
</dependency>

<!-- Tests -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>

<!-- https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient -->
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
</dependency>

</dependencies>

<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>${version.plugin.wildfly}</version>
</plugin>
</plugins>
</pluginManagement>
</build>
<profiles>
<profile>
<id>provisioned-server</id>
<build>
<plugins>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<configuration>
<feature-packs>
<feature-pack>
<location>org.wildfly:wildfly-galleon-pack:${version.server}</location>
</feature-pack>
</feature-packs>
<layers>
<!-- layers may be used to customize the server to provision-->
<layer>cloud-server</layer>
<layer>undertow-https</layer>
</layers>
<!-- use cli script(s) to configure the server -->
<packaging-scripts>
<packaging-script>
<scripts>
<script>${basedir}/configure-client-certs.cli</script>
<script>${basedir}/configure-ssl.cli</script>
</scripts>
<!-- Expressions resolved during server execution -->
<resolve-expressions>false</resolve-expressions>
</packaging-script>
</packaging-scripts>
<!-- deploys the quickstart on root web context -->
<name>ROOT.war</name>
</configuration>
<executions>
<execution>
<goals>
<goal>package</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>integration-testing</id>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<includes>
<include>**/BasicRuntimeIT</include>
</includes>
</configuration>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
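Review bot: `org.apache.httpcomponents:httpclient` 4.5.13 is added without `<scope>test</scope>`, while the `junit` dependency beside it is test-scoped; the only consumer visible here is the failsafe `**/BasicRuntimeIT` include, so without the scope the client and its transitive dependencies are packaged into `ROOT.war` under `WEB-INF/lib`. Make it `test` scope. The `BasicRuntimeIT` class itself is not in this view; check whether it connects to `https://localhost:8443`, because the `provisioned-server` profile runs `configure-client-certs.cli` and `configure-ssl.cli` but not `configure-client-truststore.cli`, so no client truststore exists in the provisioned server for the test to use.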
8 changes: 8 additions & 0 deletions helloworld-mutual-ssl-secured/restore-client-certs.cli
@@ -0,0 +1,8 @@
#remove the keypairs and certificates from the keystore and truststore
/subsystem=elytron/key-store=serverTS:remove-alias(alias=quickstartUser)
/subsystem=elytron/key-store=clientKS:remove-alias(alias=quickstartUser)

#remove the keystore and truststore
/subsystem=elytron/key-store=serverTS:remove
/subsystem=elytron/key-store=clientKS:remove

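Review bot: `remove-alias` only changes the in-memory key store; without a `:store()` after each of the two `remove-alias` calls, `client.keystore.P12` and `server.truststore` on disk keep the `quickstartUser` entries, and the following `:remove` commands drop the Elytron resources without deleting either file from `jboss.server.config.dir`. Add the `store()` calls (as `configure-client-certs.cli` does) or drop the `remove-alias` lines and document that the files remain and must be deleted by hand.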
2 changes: 2 additions & 0 deletions helloworld-mutual-ssl-secured/restore-client-truststore.cli
@@ -0,0 +1,2 @@
/subsystem=elytron/key-store=clientTS:remove-alias(alias=server)
/subsystem=elytron/key-store=clientTS:remove
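Review bot: same issue as `restore-client-certs.cli`: `remove-alias(alias=server)` is not followed by `:store()`, so `client.truststore` on disk still contains the server certificate after `clientTS:remove`. Either persist the removal before removing the resource or list the file in the documented cleanup.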
3 changes: 3 additions & 0 deletions helloworld-mutual-ssl-secured/restore-configuration.cli
Expand Up @@ -3,6 +3,9 @@
# Start batching commands
batch

# Remove the keypair with the alias server from the application keystore
/subsystem=elytron/key-store:remove-alias(alias=server)

# Remove the application-security-domain mapping that was added for the quickstart
/subsystem=undertow/application-security-domain=client_cert_domain:remove

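Review bot: `/subsystem=elytron/key-store:remove-alias(alias=server)` has no key-store name in the address; it should be `/subsystem=elytron/key-store=applicationKS:remove-alias(alias=server)` to mirror the `generate-key-pair` in `configure-ssl.cli`. Because it sits inside `batch`, the malformed address is rejected and the whole restore batch fails, leaving the `client_cert_domain` mapping and the rest of the quickstart configuration in place. It also needs a `:store()` afterwards so `application.keystore` is actually rewritten without the `server` entry.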
0 comments on commit 975c28d
