-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WFLY-18475] helloworld-mutual-ssl-secured Quickstart Common Enhancements CY2023Q3 #729
[WFLY-18475] helloworld-mutual-ssl-secured Quickstart Common Enhancements CY2023Q3 #729
Conversation
Hi @PrarthonaPaul. Thanks for your PR. I'm waiting for a wildfly member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
c2ef03a
to
c5399b6
Compare
f21448f
to
abb9e1a
Compare
@@ -0,0 +1,19 @@ | |||
#configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. | |||
/subsystem=elytron/key-store=mutualKS:add(path=clientCert.P12, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should call it clientKS (just to make it more obvious that this is used for the client cert)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The path could be client.keystore or something like that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thats true, I will change it to clientKS.
WRT the path, I named it clientCert.p12 to make it consistent with the naming from the README file. In case someone wanted to use the cli script while going through the QS interactively. But I can change it too. Feel free to let me know what you think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just checked the README. Looks like we are using "client.keystore" for the path there (see keytool -genkey -keystore client.keystore ...
)
/subsystem=elytron/key-store=mutualKS:export-certificate(alias=example, path=clientCert.crt, relative-to=jboss.server.config.dir, pem=true) | ||
|
||
#Create a truststore in the elytron subsystem. | ||
/subsystem=elytron/key-store=mutualTS:add(path=client.keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should call this serverTS (just to make it more obvious that this is used for the server's trust store)
The path could be server.truststore or something like that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above, I only named it client.keystore to keep it consistent with the README naming
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just checked the README, you're right, we were using client.truststore before but I think server.truststore is a better name that reflects the purpose of this file.
For the resource name, we're actually using qsTrustStore
in the README so we can either update that to serverTS or just use qsTrustStore here to be consistent.
/subsystem=elytron/key-store=mutualTS:add(path=client.keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) | ||
|
||
# Import a certificate into a truststore | ||
/subsystem=elytron/key-store=mutualTS:import-certificate(alias=example, path=clientCert.crt, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, trust-cacerts=true, validate=false) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need trust-cacerts to be specified or can we just use the default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it seemed okay without it. I will update the script to remove it.
Thanks for pointing out
100814d
to
f917738
Compare
f917738
to
3b50b5f
Compare
.github/workflows/quickstart_helloworld-mutual-ssl-secured_ci.yml
Outdated
Show resolved
Hide resolved
shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc
Outdated
Show resolved
Hide resolved
660802c
to
d3b2a32
Compare
...rld-mutual-ssl-secured/src/test/java/org/jboss/as/quickstarts/helloworld/BasicRuntimeIT.java
Outdated
Show resolved
Hide resolved
b69786d
to
1d59e40
Compare
/subsystem=elytron/key-manager=applicationKM:write-attribute(name=key-store, value=applicationKS) | ||
|
||
#add the key-manager to the ssl-context for the server | ||
/subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=key-manager, value=applicationKM) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, why is this needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed
@@ -0,0 +1,8 @@ | |||
#remove the keypairs and certificates from the keystore and truststore | |||
/subsystem=elytron/key-store=serverTS:remove-alias(alias=example) | |||
/subsystem=elytron/key-store=clientKS:remove-alias(alias=example) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the alias needs to be updated based on the values used in the cli scripts above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
Thanks @fjuma
a0d4b94
to
1aedb66
Compare
I guess this one in under development and not ready to review? |
A few small things, and should be good afterwards. |
975c28d
to
d8bfc54
Compare
@@ -0,0 +1,19 @@ | |||
# Configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configure the client's keystore. This will be used to generate the client's certificate. The path to the keystore file doesn’t actually have to exist yet
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed!
@@ -0,0 +1,19 @@ | |||
# Configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just minor, but configure-client-certs.cli could be renamed to just configure-client-cert.cli.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
# Generate a new key pair for the client. We'll use an RSA key of size 2048 and we'll use CN=quickstartUser | ||
/subsystem=elytron/key-store=clientKS:generate-key-pair(alias=quickstartUser, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=secret}, distinguished-name="cn=quickstartUser") | ||
|
||
# Export the certificate to a file called clientCert.crt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/the certificate/the client's certificate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
# Export the certificate to a file called clientCert.crt | ||
/subsystem=elytron/key-store=clientKS:export-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, pem=true) | ||
|
||
# Create a the server's truststore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/a the/the
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
# Create a the server's truststore | ||
/subsystem=elytron/key-store=serverTS:add(path=server.truststore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) | ||
|
||
# Import a certificate into the server's truststore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/a certificate/the client's certificate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
@@ -29,10 +29,13 @@ batch | |||
# Add an application-security-domain in the undertow subsystem to map the client_cert_domain from the quickstart app to the http-authentication-factory | |||
/subsystem=undertow/application-security-domain=client_cert_domain:add(http-authentication-factory=quickstart-http-authentication) | |||
|
|||
#generate the key pair that the server would use for its keystore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generate the server's certificate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
@@ -44,8 +44,12 @@ | |||
</licenses> | |||
|
|||
<properties> | |||
<!-- The versions for BOMs, Dependencies and Plugins --> | |||
<version.server.bom>30.0.0.Final</version.server.bom> | |||
<!-- Version for the server --> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think <!-- Version for the server -->
isn't aligned with the rest.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
* @author <a href="mailto:prpaul@redhat.com">Prarthona Paul</a> | ||
*/ | ||
|
||
public class keystoreUtil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The k
should be uppercase, KeystoreUtil.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
|
||
public class keystoreUtil { | ||
|
||
public static KeyStore loadKeyPairFromKeyStore(String serverDir, String keyStoreFile, String storePassword, String keyAlias, String keyStoreType) throws KeyStoreException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this method creates a truststore and adds a cert entry to it, maybe it could be called createTrustStore
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed!
Thanks @fjuma !
@emmartins This should be good to review once we resolve this comment: #729 (comment)
b717e2a
to
efca5dd
Compare
WFLY 31.0.0.Beta1 has been released, please rebase this PR with upstream/main branch, and update:
|
9ec6834
to
9fa90c5
Compare
Hi @emmartins |
… use a CLI script instead of keytool
9fa90c5
to
33d732a
Compare
Hi @PrarthonaPaul, this PR required some changes to bring it up in sync with current main branch, plus a few minor enhancements similar to #885 , so I made a replacement PR for this at #886 , please have a look |
Superseded by #886 |
Jira Issue: https://issues.redhat.com/browse/WFLY-18475
Notes:
-Djboss.server.config.dir
, where the value for the param is the path to the standalone/configuration directory for the server.mvn verify -Pintegration-testing -Djboss.server.config.dir=target/server/standalone/configuration -Dserver.host=https://localhost:8443
README would need to be updated to reflect this. CI would also need to be updated for this. Currently there is a null pointer exception for getting the system property forDJboss.server.config.dir
.