From ee3b1a6d086330ca6336cca00de1979991720883 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Thu, 6 Apr 2017 15:40:01 +0100 Subject: [PATCH 01/23] Fixed Java flavor to be only Oracle & enabled inspec tests --- .kitchen.yml | 1 + recipes/tomcat.rb | 19 +++++++++++++++++++ .../community-edition/inspec/java_spec.rb | 9 +++++++++ 3 files changed, 29 insertions(+) create mode 100644 test/integration/community-edition/inspec/java_spec.rb diff --git a/.kitchen.yml b/.kitchen.yml index 1afbffe..0e9c664 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -32,6 +32,7 @@ suites: inspec_tests: - name: nginx-hardening git: https://github.com/Alfresco/tests-nginx-hardening + - path: test/integration/community-edition/inspec data_bags_path: "test/integration/data_bags" attributes: { "name": "chef-alfresco-community", diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 77a6276..fd1d1d7 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb @@ -38,6 +38,25 @@ include_recipe 'tomcat::default' +# Reset back to Oracle Java as apache tomcat installs OpenJDK via Yum +java_ark 'jdk' do + url node['java']['jdk']['8']['x86_64']['url'] + default node['java']['set_default'] + checksum node['java']['jdk']['8']['x86_64']['checksum'] + app_home node['java']['java_home'] + bin_cmds node['java']['jdk']['8']['bin_cmds'] + alternatives_priority node['java']['alternatives_priority'] + retries node['java']['ark_retries'] + retry_delay node['java']['ark_retry_delay'] + connect_timeout node['java']['ark_timeout'] + use_alt_suffix node['java']['use_alt_suffix'] + reset_alternatives node['java']['reset_alternatives'] + download_timeout node['java']['ark_download_timeout'] + proxy node['java']['ark_proxy'] + action :install + notifies :write, 'log[jdk-version-changed]', :immediately +end + selinux_commands = {} selinux_commands['semanage permissive -a tomcat_t'] = 'semanage permissive -l | grep tomcat_t' 
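Review bot: `notifies :write, 'log[jdk-version-changed]', :immediately` at the end of the new `java_ark 'jdk'` block targets a resource this recipe does not declare; Chef resolves notification targets once the resource collection is built, so the run fails with a resource-not-found error unless some recipe earlier in the run list declares `log 'jdk-version-changed'` (the java cookbook's oracle recipe does, as far as I recall, but nothing here guarantees it is loaded). Either declare that `log` resource in this recipe or drop the notification. The block also hard-codes the `['8']['x86_64']` attribute path rather than going through the version the java cookbook selects via `node['java']['jdk_version']`, so a comment stating that this recipe deliberately pins JDK 8 x86_64 would stop a later reader from treating it as an oversight.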
diff --git a/test/integration/community-edition/inspec/java_spec.rb b/test/integration/community-edition/inspec/java_spec.rb new file mode 100644 index 0000000..28da6ea --- /dev/null +++ b/test/integration/community-edition/inspec/java_spec.rb @@ -0,0 +1,9 @@ +control 'Java version' do + impact 1.0 + title 'Check for Oracle Java' + desc 'Determine if Java flavor is OracleJDK and not OpenJDK' + describe command("java -version 2>&1 >/dev/null | grep 'java' | awk '{print $1}'") do + its(:stdout) { should match(/java/) } + its(:stdout) { should_not match(/openjdk/) } + end +end From 19a93df440c2827701dbc0f9cc9e77d4af7b5100 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 7 Apr 2017 11:27:27 +0100 Subject: [PATCH 02/23] Bump chef-commons tag version to solve HA-Proxy variable not defined issue --- Berksfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Berksfile b/Berksfile index 0f2ff15..1aca85e 100644 --- a/Berksfile +++ b/Berksfile @@ -8,5 +8,5 @@ cookbook 'tomcat', git: 'https://github.com/maoo/tomcat.git', tag: 'v11.17.3' # Resolve transitive deps of artifact-deployer cookbook 'maven', git: 'https://github.com/maoo/maven.git', tag: 'v1.2.0-fork' cookbook 'file', git: 'https://github.com/jenssegers/chef-file.git', tag: 'v1.0.0' -cookbook 'commons', git: 'https://github.com/Alfresco/chef-commons.git', tag: 'v0.5.5' +cookbook 'commons', git: 'https://github.com/Alfresco/chef-commons.git', tag: 'v0.5.7' cookbook 'database', git: 'https://github.com/enzor/database.git' From 53983b5d96a9dae65939e0a4713ebd7503d9f4dc Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 7 Apr 2017 11:51:13 +0100 Subject: [PATCH 03/23] Fix typo of HA-Proxy variable not defined issue inside LWRP then bump separately commons version --- Berksfile | 2 +- resources/haproxy_config.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Berksfile b/Berksfile index 1aca85e..0f2ff15 100644 --- a/Berksfile +++ b/Berksfile 
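Review bot: the second expectation in java_spec.rb, `its(:stdout) { should_not match(/openjdk/) }`, cannot fail: the command pipes `java -version` through `grep 'java' | awk '{print $1}'`, so stdout is at most the first word of lines containing `java`, and on an OpenJDK build (`openjdk version ...`, `OpenJDK Runtime Environment ...`) that is empty. The OpenJDK case is only caught indirectly, by the positive `match(/java/)` failing on empty output. Asserting on the raw output says what is meant and keeps both checks live: `describe command('java -version 2>&1') do`, `its(:stdout) { should match(/^java version/) }`, `its(:stdout) { should_not match(/openjdk/i) }`.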
@@ -8,5 +8,5 @@ cookbook 'tomcat', git: 'https://github.com/maoo/tomcat.git', tag: 'v11.17.3' # Resolve transitive deps of artifact-deployer cookbook 'maven', git: 'https://github.com/maoo/maven.git', tag: 'v1.2.0-fork' cookbook 'file', git: 'https://github.com/jenssegers/chef-file.git', tag: 'v1.0.0' -cookbook 'commons', git: 'https://github.com/Alfresco/chef-commons.git', tag: 'v0.5.7' +cookbook 'commons', git: 'https://github.com/Alfresco/chef-commons.git', tag: 'v0.5.5' cookbook 'database', git: 'https://github.com/enzor/database.git' diff --git a/resources/haproxy_config.rb b/resources/haproxy_config.rb index 1606d53..dfff0ff 100644 --- a/resources/haproxy_config.rb +++ b/resources/haproxy_config.rb @@ -77,7 +77,7 @@ ordered_role << role['az']['local'] if role['az']['local'] ordered_role << role['az'][current_az] if current_az && role['az'][current_az] role['az'].each do |az_name, az| - if 'local' != az_name && (current_az == nil? || current_az != azName) + if 'local' != az_name && (current_az == nil? || current_az != az_name) ordered_role << az if az end end From e884f2868fc90d6ebdac0ccf4b25788167baad6d Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Tue, 11 Apr 2017 10:57:41 +0100 Subject: [PATCH 04/23] HA-Proxy load balancing for backends & OpenJDK unset alternatives --- attributes/haproxy.rb | 8 ++++++-- recipes/tomcat.rb | 20 +++++++++++++++++++- resources/haproxy_config.rb | 8 +++++++- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/attributes/haproxy.rb b/attributes/haproxy.rb index 3e887ae..aa0732b 100644 --- a/attributes/haproxy.rb +++ b/attributes/haproxy.rb 
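Review bot: `current_az == nil?` on the new line of haproxy_config.rb still parses as `current_az == nil?()`, a comparison against `self.nil?` (always `false`), so it tests whether `current_az` equals `false` rather than whether it is nil; the commit fixed only `azName`. Because `nil != az_name` is already true, the intended meaning collapses to `if az_name != 'local' && current_az != az_name`, which is the line I would write, or `current_az.nil? || current_az != az_name` if the explicit nil test is preferred for readability. The `each` block and the method enclosing it continue outside the hunk.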
@@ -217,14 +217,18 @@ # HAproxy configuration default['haproxy']['frontends']['internal']['acls']['alfresco'] = ['path_beg /alfresco'] default['haproxy']['frontends']['external']['acls']['alfresco'] = ['path_beg /alfresco', 'path_reg ^/alfresco/aos/.*', 'path_reg ^/alfresco/aos$'] +default['haproxy']['frontends']['external']['acls']['aos_vti'] = ['path_reg ^/_vti_inf.html$', 'path_reg ^/_vti_bin/.*'] +default['haproxy']['frontends']['external']['acls']['aos_root'] = ['path_reg ^/$ method OPTIONS', 'path_reg ^/$ method PROPFIND'] + default['haproxy']['backends']['roles']['alfresco']['entries'] = ['option httpchk GET /alfresco', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post'] default['haproxy']['backends']['roles']['alfresco']['port'] = 8070 -default['haproxy']['frontends']['external']['acls']['aos_vti'] = ['path_reg ^/_vti_inf.html$', 'path_reg ^/_vti_bin/.*'] +default['haproxy']['backends']['roles']['aos']['entries'] = ['option httpchk GET /alfresco', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post'] +default['haproxy']['backends']['roles']['aos']['port'] = 8070 + default['haproxy']['backends']['roles']['aos_vti']['entries'] = ['option httpchk GET /_vti_inf.html', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post'] default['haproxy']['backends']['roles']['aos_vti']['port'] = 8070 -default['haproxy']['frontends']['external']['acls']['aos_root'] = ['path_reg ^/$ method OPTIONS', 'path_reg ^/$ method PROPFIND'] default['haproxy']['backends']['roles']['aos_root']['entries'] = ['option httpchk GET /'] default['haproxy']['backends']['roles']['aos_root']['port'] = 8070 diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index fd1d1d7..6c4c6f3 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb 
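Review bot: the moved `aos_root` ACL entries put two criteria in one expression, `path_reg ^/$ method OPTIONS`; if the commons template renders each entry verbatim as `acl aos_root path_reg ^/$ method OPTIONS`, HAProxy treats `method` and `OPTIONS` as two further path patterns, so the rule matches any path containing those words and never restricts by HTTP method. HAProxy expresses a method restriction as a separate acl (`acl aos_root_method method OPTIONS PROPFIND`) combined in the `use_backend` condition, which may need support in the rendering template outside this change; worth confirming against the generated haproxy.cfg. The new `aos` role repeats the `alfresco` role's entries and port verbatim, so a one-line comment saying why AOS needs its own backend would help the next reader.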
@@ -38,7 +38,25 @@ include_recipe 'tomcat::default' -# Reset back to Oracle Java as apache tomcat installs OpenJDK via Yum +# Find openjdk version +ruby_block "Find openjdk version" do + block do + Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) + command = 'rpm -qa | grep openjdk | grep -v headless' + command_out = shell_out(command) + node.run_state['openjdk_version'] = command_out.stdout + end + action :create +end + +# Unset openjdk alternatives for java and javac commands +java_alternatives "un-set java alternatives" do + java_location "/usr/lib/jvm/#{node.run_state['openjdk_version']}" + bin_cmds ["java", "javac"] + action :unset +end + +# Reset back to Oracle Java as Apache Tomcat installs OpenJDK via Yum java_ark 'jdk' do url node['java']['jdk']['8']['x86_64']['url'] default node['java']['set_default'] diff --git a/resources/haproxy_config.rb b/resources/haproxy_config.rb index dfff0ff..323034d 100644 --- a/resources/haproxy_config.rb +++ b/resources/haproxy_config.rb @@ -58,6 +58,10 @@ end # Duplicate alfresco backend into aos_vti, root and alfresco_api + new_hash = (Marshal.load(Marshal.dump(haproxy_backends))) + + haproxy_backends['alfresco']['az'] = new_hash['share']['az'] + haproxy_backends['aos']['az'] = new_hash['share']['az'] haproxy_backends['aos_vti']['az'] = haproxy_backends['alfresco']['az'] # haproxy_backends['aos_root']['az'] = haproxy_backends['alfresco']['az'] @@ -100,7 +104,9 @@ if balanced options = "cookie #{instance['jvm_route']} check inter 5000" elsif index > 0 - options = 'check inter 5000 backup' + if instance['haproxy_backends'] == 'solr' + options = 'check inter 5000 backup' + end end instance['options'] = options end From 6bf2cfdfecce4ea431b6f9c252f10696445c32c2 Mon Sep 17 00:00:00 2001 
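Review bot: `java_location "/usr/lib/jvm/#{node.run_state['openjdk_version']}"` is interpolated when the `java_alternatives` resource is compiled, before the `ruby_block` that fills `run_state` executes at converge, so the resource always sees `/usr/lib/jvm/`; wrap it as `java_location lazy { "/usr/lib/jvm/#{node.run_state['openjdk_version']}" }`. The stored value is the raw stdout of `rpm -qa | grep openjdk | grep -v headless`, which carries a trailing newline and one line per matching package, so at least strip it, `node.run_state['openjdk_version'] = command_out.stdout.strip`; whether an rpm package name is also the JVM directory name under /usr/lib/jvm I cannot confirm from here. `shell_out` does not raise on a non-zero exit, so a host without an OpenJDK package yields an empty string rather than an error, and the unset step should probably be skipped in that case with an `only_if`. The `java_ark 'jdk'` block continues outside the hunk.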
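Review bot: the new lines copy `new_hash['share']['az']` into `alfresco` and `aos` without checking that a `share` backend exists, so a node whose components omit share raises NoMethodError on nil here; guard with `if new_hash['share']` (or `new_hash.dig('share', 'az')`). The comment above, `# Duplicate alfresco backend into aos_vti, root and alfresco_api`, no longer describes what follows, since the source is now share and aos is a target too; reword it to say that share's AZ layout is used as the template for the alfresco and aos backends. `Marshal.load(Marshal.dump(...))` deep-copies a hash the cookbook built in memory, not external data, so it is fine as a copy idiom, but a short `# deep copy so later edits do not alias the original` comment would save the next reader a look.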
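Review bot: with the inner `if instance['haproxy_backends'] == 'solr'` guard, a non-solr instance with `index > 0` no longer assigns `options`, so `instance['options'] = options` receives nil, or a value left over from an earlier iteration if `options` is declared outside the loop; the loop head and any initialisation are outside the hunk, so I cannot tell which. Assign the non-solr case explicitly, even if only `options = nil`, and add a comment that only solr keeps a passive `backup` server while the other backends are now load-balanced across instances, which is what the commit title implies.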
From: Abdul Mohammed Date: Tue, 11 Apr 2017 11:34:02 +0100 Subject: [PATCH 05/23] Add kitchen provisioner chef_omnibus version < 13 to not have chef 13 on box and fix mysql2_chef_gem issue --- .kitchen.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.kitchen.yml b/.kitchen.yml index 0e9c664..7a7a236 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -9,6 +9,7 @@ driver: provisioner: name: chef_zero + require_chef_omnibus: 12.19.36 verifier: name: inspec From f33fd39862ef133de7e259bba66805359b378eb6 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Tue, 11 Apr 2017 12:11:46 +0100 Subject: [PATCH 06/23] Fixed cookstyle & rake test errors --- recipes/tomcat.rb | 6 +++--- resources/haproxy_config.rb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 6c4c6f3..5e415ce 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb @@ -39,7 +39,7 @@ include_recipe 'tomcat::default' # Find openjdk version -ruby_block "Find openjdk version" do +ruby_block 'Find openjdk version' do block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) command = 'rpm -qa | grep openjdk | grep -v headless' @@ -50,9 +50,9 @@ end # Unset openjdk alternatives for java and javac commands -java_alternatives "un-set java alternatives" do +java_alternatives 'un-set java alternatives' do java_location "/usr/lib/jvm/#{node.run_state['openjdk_version']}" - bin_cmds ["java", "javac"] + bin_cmds ['java', 'javac'] action :unset end diff --git a/resources/haproxy_config.rb b/resources/haproxy_config.rb index 323034d..0863165 100644 --- a/resources/haproxy_config.rb +++ b/resources/haproxy_config.rb @@ -58,7 +58,7 @@ end # Duplicate alfresco backend into aos_vti, root and alfresco_api - new_hash = (Marshal.load(Marshal.dump(haproxy_backends))) + new_hash = Marshal.load(Marshal.dump(haproxy_backends)) haproxy_backends['alfresco']['az'] = new_hash['share']['az'] haproxy_backends['aos']['az'] = new_hash['share']['az'] 
From 160d6ebac7751c3190c7468b0101b9a7469b8c11 Mon Sep 17 00:00:00 2001 From: Daniel Monteiro Date: Thu, 20 Apr 2017 11:21:09 +0100 Subject: [PATCH 07/23] TAA-892 issue done. Fixed the bug regarding certs creation. Added inspec tests for the community-52 --- .kitchen.docker.yml | 6 +++++- recipes/_certs.rb | 3 +-- test/integration/data_bags/ssl/local.json | 8 -------- 3 files changed, 6 insertions(+), 11 deletions(-) delete mode 100644 test/integration/data_bags/ssl/local.json diff --git a/.kitchen.docker.yml b/.kitchen.docker.yml index 8413048..3120e10 100644 --- a/.kitchen.docker.yml +++ b/.kitchen.docker.yml @@ -64,7 +64,11 @@ suites: "alfresco" : { "components" : ['haproxy','nginx','tomcat','transform','repo','share','solr','mysql','googledocs','yourkit'], "version" : "5.2.d", - "ssl_enabled" : false + "ssl_enabled" : false, + "certs" : { + "ssl_databag" : "ssl", + "ssl_databag_item" : "certs" + } }, "nginx" : { "use_nossl_config" : true diff --git a/recipes/_certs.rb b/recipes/_certs.rb index 7e74f5b..d6eef5e 100644 --- a/recipes/_certs.rb +++ b/recipes/_certs.rb @@ -12,7 +12,7 @@ begin ssl = data_bag_item(ssl_databag, ssl_databag_item) ssl.each do |ssl_item_name, ssl_item_value| - next unless ssl_item_name == 'id' + next if ssl_item_name == 'id' ssl_file = "#{ssl_folder}/#(unknown).#{ssl_item_name}" file ssl_file do action :create @@ -26,7 +26,6 @@ ssl_chain_file = "#{ssl_folder}/#(unknown).chain" ssl_nginxcrt_file = "#{ssl_folder}/#(unknown).nginxcrt" ssl_dhparam_file = "#{ssl_folder}/#(unknown).dhparam" - unless node['alfresco']['skip_certificate_creation'] execute 'create-fake-ssl-keypair' do command "openssl req -subj '/C=UK/ST=Berkshire/L=Maidenhead/O=Alfresco/CN=#{ssl_fqdn}' -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout #{ssl_key_file} -out #{ssl_crt_file}" diff --git a/test/integration/data_bags/ssl/local.json b/test/integration/data_bags/ssl/local.json deleted file mode 100644 index 197a8b7..0000000 
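Review bot: with `next if ssl_item_name == 'id'` the loop in _certs.rb now writes every remaining data bag item, including the private key stored under `key`, through `file ssl_file`; the rest of that resource is outside the hunk, so I cannot see its `mode` or `owner`, but the key file needs a restrictive mode (`mode '0600'`) and the resource should carry `sensitive true` so the PEM body is not echoed in the converge log or diff output. If all items share one resource body, branch on `ssl_item_name == 'key'` for the mode. The second _certs.rb hunk only removes a blank line.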
--- a/test/integration/data_bags/ssl/local.json +++ /dev/null 
@@ -1,8 +0,0 @@ -{ - "id":"haproxy", - "key": "-----BEGIN PRIVATE KEY-----\nMIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDm+vi3jUUjc/63\nPT8lLQfQMXtr2W8nHC1LAXglZ9eFyy4GS78vSVNgyFfYOMUDXyzbMkRn9aPAdsoP\nsgRWfDF3I9JDHl1xv7PAGLHbMjprHlkhURo97qmATruwCvcWV5OEUpj9x/yued66\nbQ+M3Boy5AvO+7u7/2GG6bldFwtApaQZ8ZJ9Unc6fQShVKsi2A4hQ3PDC4xtNoTL\nxcVWBK0Z1HcVs99+5WvMOBz3Tm8o9e0I9ti2dnSci051TZ4YEl9uyl/fJOqlnGIE\nvjSmXEMBg5opY7+T/MWOkBGIyUphd5WlQa6MSj6rthU2bvmAjTxalJzYJekPaMik\n26BugQOr8InNBf/0fnyZsyXdlanfvJiGdtUR2eDVJNGTOS3Rwln5UhdYW7M6lQQH\nqeXux6h3tlxeYVLZASHKVd6SJae7pbG+KU3HY18oKgwj885BXOT1Ga0SAM/H/ktF\n4OKAeCv4CHSFY45i3x1t6ePFDlosBqlp+T/lgLRtcs8wA249ujmiBEiIaYRcukMO\nEiroPWKAoiG7K9za2HgRvNIsE0cvSUX0kkEGj2ZkjzVKpGeqElZX9B2yluK4YXCX\nFIRXoLPLqcjL5CDkA7hdXKnP6Zu4titc94Tm/unTUAtvrM8H75OxYWZ6vrM2qSI5\nsAPJ/rMEfFfAN5XXn0gCTTz81fqBkwIDAQABAoICAQCZHmSEoYTkxL9lT5etmFVm\noXbU/vYdciNgZp/0BAuuqQtgpxQdT7mTHhyFvNR1sME2qfMJC6C7NMQsdXFEt92+\nwiNf1SBTCKcrP/OfgIOTgTHK0U3ZIn6BDTCEujAkQngLLwo2qj2KmEWbRjMZyMsh\nU2W0l9JTBS/s1MHJwT33ZBcOD8Nxipp5TmkkXdF5LsrnKCT0dpJnz81mnDt+E2mB\nBwTOgUg2gfXdEpG5K+iquaSh3am6A3q4T+z5/DNCd+OFuWimr31RvgKIbGLQqbbN\nqSUoLPTSMK3yHPVSvUWuqSytuYXxgEJdaD5VsGl726TX007KRw9h5K+mAeYvex0n\nuqR3S7uG3gXzJ2mAtOS0Tw9QBFa4JMzlOpD4nGBbx7U971NuVNDf2h9gNd8vvGhE\n6OE2H1JeuAzLYYnFG3jDLSjMFsdsgUrMhxW3xVWT5ohGHLscL7pAnGzegE2eL0/P\n7aos26/pX8oPRimoekVvyi8C6jdxVH34YhfU/+g3Gabo1gOxzMggwvQ/YmbCYMu5\nY3SkK4VLE1AePd4Ry+wnXJkunGHR+TAT4ZalPVHgj06Lvh2xZRJi1t1uMMbR7MD0\nM0XGOGLQqbgRBdwPthXNmZNfOu4FL4xz/p6yJLtmD0dnYdYcXlFBPknT992yeBRp\nLF72lvH8GaVaBjFTxfLNWQKCAQEA+vR0OZ1oRItcfPdAvN/lDXsfZ4iUVoi7HaBD\nDzVtP+vxJ1/39oISSDCqTwWQtzCX/O5oqMPwVMSlcsSYaB+7U5RmuHa4c7QoFIX1\nnqA1QjeCM4PbLafMP1Ya1If+kiqza56N7z083nhEsUpC38nyg9AisprOXdtNFV5/\nXNHvm3XsddF8nnpf3fv8HhCqbctlZW29YTEiziaX6yaVv2IXgbh22/LsAxRirnA4\nRtOlNJy4oY5DvanBQdX2kutqfFNSkRUkwY4lra3xvzAvMtPkSBUp9W22AcE3eWyE\nuDyXG7IjnIV+mdQxmdNb1TWR91WtJOHg9bp97xdY/f4TEaWqRwKCAQEA65+30d20\nGoTH0yqZZDiRkakSfhdd0fGvDwXIvYNRwNTSqloNkxrwUL4pVZ+2FUbJl1i3o+Vt\npybfHixHns
Xr+vPqcBIunbIMgBIukvLwKsxkeWPPS19e90N/aQe7hAxElhUXCHrE\nUXte+KMJ8JYj71xGML2F/IJ9V66UGOZ/Z+h7QaixCK5TmoRluTZBd4UuKCri/1vd\ns57jazKdswSXsg26fXIcWGUv4f4KoP5ip/SQl92Kg+Z6BKTqO2lhprnJOjTreDJx\nJB74FMe8SkFXT+rQWR8XsGMkR2k9CpbR8ai4+LTZThRnD4+fr0YPB676+lWd4uVL\n7/NDbMVi4sNIVQKCAQEAwCVZtB98jTbzOs+JptP7KgZCdmBRy6vnMPjbP5LVsmKy\nA0bssbbHzrRMQjLtqgWv6b6VLdrQcecbErPKSbc6E/WFbOmhsx2WrpgfBzR9ctTT\ngSQNNnjK3xfLdT0nQr0lIVqGLE6EA4ased51M6oJYLmFR6FWLvDRpXH0LJqlTi/N\nPCyIsULbkjj0wgRaqbRZT37lyLv5fUR5f1fMwnuVqgIWJ7Ro1rbOE+fifwBf9tek\nWjZ2UYrfaMwtfjJ4FvcpOeKpgPWYjdGoTo3TJaStni9uL/evqspI8lSPjgz+Wftc\nXuSrmZap37DAGJBq0ais6Jd2Sk9fSyhiQB9AdHuW0wKCAQEAy514QlmuXARGkksL\nxznDQfazTldu8hBC0V6UPIEQ0uyXKDMt6+OprHzIR3/+36AOcUVvXKjU+09yHCbz\ntVcgN/s0qqhrtEa62qnbqY1a0gFTCjugVWgTLuYbYm4WM2ROmMuc3e0JXciZJ4/s\n9QUqBJze4xvEf5NcMbthq6r0ipyydukKI5BSGwMyzL0AEgL7AicdhsKicahqqqZQ\n9PSRCoMml2VW7WRz3n2kPb/XDYEgurvuCVHQO9cvuyu0AVondK9qlLIyZ56Dj6GT\nKzAP/bXTWlCuLfVe0n81CsOOpaDCR9owt3KWJTJeMh7+ugsSQ+ZczEiOOMslhweE\nDqXnCQKCAQBWLxdSTiG2zENYHWjdqsN8fnCElROmcB/Ek/IfLhFmWXOERDQ6oong\nE5zzt1Os5M9Hp2q0ao6QECxErMnqGlwdQ3KB3gd5i22H/vQDgeNwbQLjXXEYF550\nsoCwykeXcArF2GfaDe3geOCIK9EzSmk0IuAeKx+PaQttD4GZz4PUXwQ2d123AYOF\nZjz67iVP2QwkLx55K/6QHqMrrbwyxvU+AcLKORrz1hLpAnYO6QKN1tCG0MK/ARVv\nL5wmgUE+HoK9Mp95Ea5ROYj2fid4LmEzSEH9k6XaLbv4j4TO+Th7RBJd2jiuM8CE\nmNjr7S2VErkv9O1OSoVUqFAgN9njYR52\n-----END PRIVATE KEY-----", - "crt": "-----BEGIN 
CERTIFICATE-----\nMIIE+zCCAuOgAwIBAgIJAJ49uJaP5qmzMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDAeFw0xNTEwMDMxNzU5MTJaFw0yNTA5MzAxNzU5MTJaMBQx\nEjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\nggIBAOb6+LeNRSNz/rc9PyUtB9Axe2vZbyccLUsBeCVn14XLLgZLvy9JU2DIV9g4\nxQNfLNsyRGf1o8B2yg+yBFZ8MXcj0kMeXXG/s8AYsdsyOmseWSFRGj3uqYBOu7AK\n9xZXk4RSmP3H/K553rptD4zcGjLkC877u7v/YYbpuV0XC0ClpBnxkn1Sdzp9BKFU\nqyLYDiFDc8MLjG02hMvFxVYErRnUdxWz337la8w4HPdObyj17Qj22LZ2dJyLTnVN\nnhgSX27KX98k6qWcYgS+NKZcQwGDmiljv5P8xY6QEYjJSmF3laVBroxKPqu2FTZu\n+YCNPFqUnNgl6Q9oyKTboG6BA6vwic0F//R+fJmzJd2Vqd+8mIZ21RHZ4NUk0ZM5\nLdHCWflSF1hbszqVBAep5e7HqHe2XF5hUtkBIcpV3pIlp7ulsb4pTcdjXygqDCPz\nzkFc5PUZrRIAz8f+S0Xg4oB4K/gIdIVjjmLfHW3p48UOWiwGqWn5P+WAtG1yzzAD\nbj26OaIESIhphFy6Qw4SKug9YoCiIbsr3NrYeBG80iwTRy9JRfSSQQaPZmSPNUqk\nZ6oSVlf0HbKW4rhhcJcUhFegs8upyMvkIOQDuF1cqc/pm7i2K1z3hOb+6dNQC2+s\nzwfvk7FhZnq+szapIjmwA8n+swR8V8A3ldefSAJNPPzV+oGTAgMBAAGjUDBOMB0G\nA1UdDgQWBBRk6rzhP9CbkC21384TDs3IUsuOuzAfBgNVHSMEGDAWgBRk6rzhP9Cb\nkC21384TDs3IUsuOuzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQDW\nWvPO1orJUpTKB4E2cU//z43fEn9eXcRIo5bJUBGizrjZNcOwXZbnEkZj3ujVpaar\nInYbliUQw1C5aY4slUtkQUEnNZLhkwoz7xdBoyo9SS5dP9ZbCxAq4XzPbnUpmidd\n1qf7hnqT1/tF+Sg3fL0tM9+wZjasI9FmROD8WgdDejgyaTuVGwHwfXFCA4ot3wMZ\nqx+SnIjyIOZOC2lp9YoqkmJQ/j0A/uhiJrXWEBHkm8Y86s9saup5usGj4Itito7a\nJWP7DOlD1qgE6U9haNlP8+lSynFsWfmZzrlR6BQqoHG5ByWK1c7agfTLSF2JS7eQ\nzdvx7+ScvQjTDt3CNlKPEStkvwB6zru6vKjESLtVvrjEJpRvRWc/vJDGXP642UXb\nMB+dLa/LTESIVR4bZrjRNdhJiuVPtV0ohgXINztRR/ZSh4i6cCMMGLXhAfKIQCSQ\nkXkpwT5h2FssBTBYsDlZkYqyf+gNEVU/zMhAPBXDIMM8ASqvR/tkKQv3n96cJcXA\n55llGSe6HxpUugaDmhJZ/J2TlKUFATUsD2yyRbvEy3wGoXup03TL8g3foSnhe/Jq\nl6Z/FK36ULZ1sE6XXZkhWcu8lSy2zrN1wc0uCK8+lIqzlJiNn/9QzlNIWGNtuepa\n2saciGziOVSUdC8OZpZPxXBj9mHYsltBpi8kAkFUTw==\n-----END CERTIFICATE-----", - "chain": "-----BEGIN PRIVATE 
KEY-----\nMIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDm+vi3jUUjc/63\nPT8lLQfQMXtr2W8nHC1LAXglZ9eFyy4GS78vSVNgyFfYOMUDXyzbMkRn9aPAdsoP\nsgRWfDF3I9JDHl1xv7PAGLHbMjprHlkhURo97qmATruwCvcWV5OEUpj9x/yued66\nbQ+M3Boy5AvO+7u7/2GG6bldFwtApaQZ8ZJ9Unc6fQShVKsi2A4hQ3PDC4xtNoTL\nxcVWBK0Z1HcVs99+5WvMOBz3Tm8o9e0I9ti2dnSci051TZ4YEl9uyl/fJOqlnGIE\nvjSmXEMBg5opY7+T/MWOkBGIyUphd5WlQa6MSj6rthU2bvmAjTxalJzYJekPaMik\n26BugQOr8InNBf/0fnyZsyXdlanfvJiGdtUR2eDVJNGTOS3Rwln5UhdYW7M6lQQH\nqeXux6h3tlxeYVLZASHKVd6SJae7pbG+KU3HY18oKgwj885BXOT1Ga0SAM/H/ktF\n4OKAeCv4CHSFY45i3x1t6ePFDlosBqlp+T/lgLRtcs8wA249ujmiBEiIaYRcukMO\nEiroPWKAoiG7K9za2HgRvNIsE0cvSUX0kkEGj2ZkjzVKpGeqElZX9B2yluK4YXCX\nFIRXoLPLqcjL5CDkA7hdXKnP6Zu4titc94Tm/unTUAtvrM8H75OxYWZ6vrM2qSI5\nsAPJ/rMEfFfAN5XXn0gCTTz81fqBkwIDAQABAoICAQCZHmSEoYTkxL9lT5etmFVm\noXbU/vYdciNgZp/0BAuuqQtgpxQdT7mTHhyFvNR1sME2qfMJC6C7NMQsdXFEt92+\nwiNf1SBTCKcrP/OfgIOTgTHK0U3ZIn6BDTCEujAkQngLLwo2qj2KmEWbRjMZyMsh\nU2W0l9JTBS/s1MHJwT33ZBcOD8Nxipp5TmkkXdF5LsrnKCT0dpJnz81mnDt+E2mB\nBwTOgUg2gfXdEpG5K+iquaSh3am6A3q4T+z5/DNCd+OFuWimr31RvgKIbGLQqbbN\nqSUoLPTSMK3yHPVSvUWuqSytuYXxgEJdaD5VsGl726TX007KRw9h5K+mAeYvex0n\nuqR3S7uG3gXzJ2mAtOS0Tw9QBFa4JMzlOpD4nGBbx7U971NuVNDf2h9gNd8vvGhE\n6OE2H1JeuAzLYYnFG3jDLSjMFsdsgUrMhxW3xVWT5ohGHLscL7pAnGzegE2eL0/P\n7aos26/pX8oPRimoekVvyi8C6jdxVH34YhfU/+g3Gabo1gOxzMggwvQ/YmbCYMu5\nY3SkK4VLE1AePd4Ry+wnXJkunGHR+TAT4ZalPVHgj06Lvh2xZRJi1t1uMMbR7MD0\nM0XGOGLQqbgRBdwPthXNmZNfOu4FL4xz/p6yJLtmD0dnYdYcXlFBPknT992yeBRp\nLF72lvH8GaVaBjFTxfLNWQKCAQEA+vR0OZ1oRItcfPdAvN/lDXsfZ4iUVoi7HaBD\nDzVtP+vxJ1/39oISSDCqTwWQtzCX/O5oqMPwVMSlcsSYaB+7U5RmuHa4c7QoFIX1\nnqA1QjeCM4PbLafMP1Ya1If+kiqza56N7z083nhEsUpC38nyg9AisprOXdtNFV5/\nXNHvm3XsddF8nnpf3fv8HhCqbctlZW29YTEiziaX6yaVv2IXgbh22/LsAxRirnA4\nRtOlNJy4oY5DvanBQdX2kutqfFNSkRUkwY4lra3xvzAvMtPkSBUp9W22AcE3eWyE\nuDyXG7IjnIV+mdQxmdNb1TWR91WtJOHg9bp97xdY/f4TEaWqRwKCAQEA65+30d20\nGoTH0yqZZDiRkakSfhdd0fGvDwXIvYNRwNTSqloNkxrwUL4pVZ+2FUbJl1i3o+Vt\npybfHixHnsXr+vPqcBIunbIMgBIukvLwKsxkeWPPS19e90N/aQe7hAxElhUXCHrE\nUXte+KMJ8J
Yj71xGML2F/IJ9V66UGOZ/Z+h7QaixCK5TmoRluTZBd4UuKCri/1vd\ns57jazKdswSXsg26fXIcWGUv4f4KoP5ip/SQl92Kg+Z6BKTqO2lhprnJOjTreDJx\nJB74FMe8SkFXT+rQWR8XsGMkR2k9CpbR8ai4+LTZThRnD4+fr0YPB676+lWd4uVL\n7/NDbMVi4sNIVQKCAQEAwCVZtB98jTbzOs+JptP7KgZCdmBRy6vnMPjbP5LVsmKy\nA0bssbbHzrRMQjLtqgWv6b6VLdrQcecbErPKSbc6E/WFbOmhsx2WrpgfBzR9ctTT\ngSQNNnjK3xfLdT0nQr0lIVqGLE6EA4ased51M6oJYLmFR6FWLvDRpXH0LJqlTi/N\nPCyIsULbkjj0wgRaqbRZT37lyLv5fUR5f1fMwnuVqgIWJ7Ro1rbOE+fifwBf9tek\nWjZ2UYrfaMwtfjJ4FvcpOeKpgPWYjdGoTo3TJaStni9uL/evqspI8lSPjgz+Wftc\nXuSrmZap37DAGJBq0ais6Jd2Sk9fSyhiQB9AdHuW0wKCAQEAy514QlmuXARGkksL\nxznDQfazTldu8hBC0V6UPIEQ0uyXKDMt6+OprHzIR3/+36AOcUVvXKjU+09yHCbz\ntVcgN/s0qqhrtEa62qnbqY1a0gFTCjugVWgTLuYbYm4WM2ROmMuc3e0JXciZJ4/s\n9QUqBJze4xvEf5NcMbthq6r0ipyydukKI5BSGwMyzL0AEgL7AicdhsKicahqqqZQ\n9PSRCoMml2VW7WRz3n2kPb/XDYEgurvuCVHQO9cvuyu0AVondK9qlLIyZ56Dj6GT\nKzAP/bXTWlCuLfVe0n81CsOOpaDCR9owt3KWJTJeMh7+ugsSQ+ZczEiOOMslhweE\nDqXnCQKCAQBWLxdSTiG2zENYHWjdqsN8fnCElROmcB/Ek/IfLhFmWXOERDQ6oong\nE5zzt1Os5M9Hp2q0ao6QECxErMnqGlwdQ3KB3gd5i22H/vQDgeNwbQLjXXEYF550\nsoCwykeXcArF2GfaDe3geOCIK9EzSmk0IuAeKx+PaQttD4GZz4PUXwQ2d123AYOF\nZjz67iVP2QwkLx55K/6QHqMrrbwyxvU+AcLKORrz1hLpAnYO6QKN1tCG0MK/ARVv\nL5wmgUE+HoK9Mp95Ea5ROYj2fid4LmEzSEH9k6XaLbv4j4TO+Th7RBJd2jiuM8CE\nmNjr7S2VErkv9O1OSoVUqFAgN9njYR52\n-----END PRIVATE KEY-----\n-----BEGIN 
CERTIFICATE-----\nMIIE+zCCAuOgAwIBAgIJAJ49uJaP5qmzMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDAeFw0xNTEwMDMxNzU5MTJaFw0yNTA5MzAxNzU5MTJaMBQx\nEjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\nggIBAOb6+LeNRSNz/rc9PyUtB9Axe2vZbyccLUsBeCVn14XLLgZLvy9JU2DIV9g4\nxQNfLNsyRGf1o8B2yg+yBFZ8MXcj0kMeXXG/s8AYsdsyOmseWSFRGj3uqYBOu7AK\n9xZXk4RSmP3H/K553rptD4zcGjLkC877u7v/YYbpuV0XC0ClpBnxkn1Sdzp9BKFU\nqyLYDiFDc8MLjG02hMvFxVYErRnUdxWz337la8w4HPdObyj17Qj22LZ2dJyLTnVN\nnhgSX27KX98k6qWcYgS+NKZcQwGDmiljv5P8xY6QEYjJSmF3laVBroxKPqu2FTZu\n+YCNPFqUnNgl6Q9oyKTboG6BA6vwic0F//R+fJmzJd2Vqd+8mIZ21RHZ4NUk0ZM5\nLdHCWflSF1hbszqVBAep5e7HqHe2XF5hUtkBIcpV3pIlp7ulsb4pTcdjXygqDCPz\nzkFc5PUZrRIAz8f+S0Xg4oB4K/gIdIVjjmLfHW3p48UOWiwGqWn5P+WAtG1yzzAD\nbj26OaIESIhphFy6Qw4SKug9YoCiIbsr3NrYeBG80iwTRy9JRfSSQQaPZmSPNUqk\nZ6oSVlf0HbKW4rhhcJcUhFegs8upyMvkIOQDuF1cqc/pm7i2K1z3hOb+6dNQC2+s\nzwfvk7FhZnq+szapIjmwA8n+swR8V8A3ldefSAJNPPzV+oGTAgMBAAGjUDBOMB0G\nA1UdDgQWBBRk6rzhP9CbkC21384TDs3IUsuOuzAfBgNVHSMEGDAWgBRk6rzhP9Cb\nkC21384TDs3IUsuOuzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQDW\nWvPO1orJUpTKB4E2cU//z43fEn9eXcRIo5bJUBGizrjZNcOwXZbnEkZj3ujVpaar\nInYbliUQw1C5aY4slUtkQUEnNZLhkwoz7xdBoyo9SS5dP9ZbCxAq4XzPbnUpmidd\n1qf7hnqT1/tF+Sg3fL0tM9+wZjasI9FmROD8WgdDejgyaTuVGwHwfXFCA4ot3wMZ\nqx+SnIjyIOZOC2lp9YoqkmJQ/j0A/uhiJrXWEBHkm8Y86s9saup5usGj4Itito7a\nJWP7DOlD1qgE6U9haNlP8+lSynFsWfmZzrlR6BQqoHG5ByWK1c7agfTLSF2JS7eQ\nzdvx7+ScvQjTDt3CNlKPEStkvwB6zru6vKjESLtVvrjEJpRvRWc/vJDGXP642UXb\nMB+dLa/LTESIVR4bZrjRNdhJiuVPtV0ohgXINztRR/ZSh4i6cCMMGLXhAfKIQCSQ\nkXkpwT5h2FssBTBYsDlZkYqyf+gNEVU/zMhAPBXDIMM8ASqvR/tkKQv3n96cJcXA\n55llGSe6HxpUugaDmhJZ/J2TlKUFATUsD2yyRbvEy3wGoXup03TL8g3foSnhe/Jq\nl6Z/FK36ULZ1sE6XXZkhWcu8lSy2zrN1wc0uCK8+lIqzlJiNn/9QzlNIWGNtuepa\n2saciGziOVSUdC8OZpZPxXBj9mHYsltBpi8kAkFUTw==\n-----END CERTIFICATE-----", - "dhparam": "-----BEGIN DH 
PARAMETERS-----\nMIICCAKCAgEA1Da6WjdD9lAhRiGJhE3Yc6mfLSh8teVQjmf5Mr0W3VNl3mgklBji\ni+9jD20bCSC+aGqe25pMjHxyL0FROB8qwHCpjX+imCG6/h3MT+rCZoCgd1fpw4iy\n5GdwNccTLi4P3PTTPZEKw/DY59KQOA5fs18/BEc04SrzbvYJ0kCehoJDNVi27owR\n0WMp7wKSqXrubCQNo2l1o2+MvhgYa047s/Wh5uYq01rtZghvQRNtJHJWmLM/l/cA\ngMu7stMWbgOczahOOeLwuB3oncGIXY403/j7KuxFQF/3WXG2i7XRLhFPwOn+L+1C\ngFfMzxLa/g9p8jAlLPSE6KAzg4OTki+q9IsB0a233XUkmryPIPWxrXwY6wzb4oqD\nwROT2/pKJJ7SHbFBnkiqvyqKkdbBgCGS5W4kOYuS5pMqy44RDbMzkuxZdffnWZYU\nYUmaaeSCcVc8TF90LSGGriSSdTiEsLrrs0tya4+/nWvrWkZyCXpeDdKrD8NGA1KR\nXs3lMn8o/X1htNbrgwDDVl/f8TQGdw41Ik7pEeNZH/ZXohFC5P3wFW/WAtKmDXk/\nrb7t8lQI8/Ig/nR5j2QnMmj/hZnHHJugkIjDDDIXTaAwxmMOnqUm9aU+i61Yltld\nQBnJy57nFDReEzp3XyiAwMQtCXBpHZg7QYV5oQaeRb7oDl4wKBpgfzsCAQI=\n-----END DH PARAMETERS-----", - "nginxcrt": "-----BEGIN CERTIFICATE-----\nMIIE+zCCAuOgAwIBAgIJAJ49uJaP5qmzMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDAeFw0xNTEwMDMxNzU5MTJaFw0yNTA5MzAxNzU5MTJaMBQx\nEjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\nggIBAOb6+LeNRSNz/rc9PyUtB9Axe2vZbyccLUsBeCVn14XLLgZLvy9JU2DIV9g4\nxQNfLNsyRGf1o8B2yg+yBFZ8MXcj0kMeXXG/s8AYsdsyOmseWSFRGj3uqYBOu7AK\n9xZXk4RSmP3H/K553rptD4zcGjLkC877u7v/YYbpuV0XC0ClpBnxkn1Sdzp9BKFU\nqyLYDiFDc8MLjG02hMvFxVYErRnUdxWz337la8w4HPdObyj17Qj22LZ2dJyLTnVN\nnhgSX27KX98k6qWcYgS+NKZcQwGDmiljv5P8xY6QEYjJSmF3laVBroxKPqu2FTZu\n+YCNPFqUnNgl6Q9oyKTboG6BA6vwic0F//R+fJmzJd2Vqd+8mIZ21RHZ4NUk0ZM5\nLdHCWflSF1hbszqVBAep5e7HqHe2XF5hUtkBIcpV3pIlp7ulsb4pTcdjXygqDCPz\nzkFc5PUZrRIAz8f+S0Xg4oB4K/gIdIVjjmLfHW3p48UOWiwGqWn5P+WAtG1yzzAD\nbj26OaIESIhphFy6Qw4SKug9YoCiIbsr3NrYeBG80iwTRy9JRfSSQQaPZmSPNUqk\nZ6oSVlf0HbKW4rhhcJcUhFegs8upyMvkIOQDuF1cqc/pm7i2K1z3hOb+6dNQC2+s\nzwfvk7FhZnq+szapIjmwA8n+swR8V8A3ldefSAJNPPzV+oGTAgMBAAGjUDBOMB0G\nA1UdDgQWBBRk6rzhP9CbkC21384TDs3IUsuOuzAfBgNVHSMEGDAWgBRk6rzhP9Cb\nkC21384TDs3IUsuOuzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQDW\nWvPO1orJUpTKB4E2cU//z43fEn9eXcRIo5bJUBGizrjZNcOwXZbnEkZj3ujVpaar\nInYbliUQw1C5aY4slUtkQUEnNZLhkwoz7xdBoyo9SS5dP9ZbCxAq4XzPbnUpmidd\
n1qf7hnqT1/tF+Sg3fL0tM9+wZjasI9FmROD8WgdDejgyaTuVGwHwfXFCA4ot3wMZ\nqx+SnIjyIOZOC2lp9YoqkmJQ/j0A/uhiJrXWEBHkm8Y86s9saup5usGj4Itito7a\nJWP7DOlD1qgE6U9haNlP8+lSynFsWfmZzrlR6BQqoHG5ByWK1c7agfTLSF2JS7eQ\nzdvx7+ScvQjTDt3CNlKPEStkvwB6zru6vKjESLtVvrjEJpRvRWc/vJDGXP642UXb\nMB+dLa/LTESIVR4bZrjRNdhJiuVPtV0ohgXINztRR/ZSh4i6cCMMGLXhAfKIQCSQ\nkXkpwT5h2FssBTBYsDlZkYqyf+gNEVU/zMhAPBXDIMM8ASqvR/tkKQv3n96cJcXA\n55llGSe6HxpUugaDmhJZ/J2TlKUFATUsD2yyRbvEy3wGoXup03TL8g3foSnhe/Jq\nl6Z/FK36ULZ1sE6XXZkhWcu8lSy2zrN1wc0uCK8+lIqzlJiNn/9QzlNIWGNtuepa\n2saciGziOVSUdC8OZpZPxXBj9mHYsltBpi8kAkFUTw==\n-----END CERTIFICATE-----" -} From 75855c53376cae71d998d5d4313f9430c6d2f40a Mon Sep 17 00:00:00 2001 From: Daniel Monteiro Date: Thu, 20 Apr 2017 11:23:16 +0100 Subject: [PATCH 08/23] missed some files on the previous commit --- .../community-52/inspec/certs_spec.rb | 37 +++++++++++++++++++ test/integration/data_bags/ssl/certs.json | 8 ++++ 2 files changed, 45 insertions(+) create mode 100644 test/integration/community-52/inspec/certs_spec.rb create mode 100644 test/integration/data_bags/ssl/certs.json diff --git a/test/integration/community-52/inspec/certs_spec.rb b/test/integration/community-52/inspec/certs_spec.rb new file mode 100644 index 0000000..8e6f308 --- /dev/null +++ b/test/integration/community-52/inspec/certs_spec.rb 
@@ -0,0 +1,37 @@ +require 'json' + +ssl_folder = '/etc/pki/tls/certs' +filename = 'alfresco' + +file = File.read('test/integration/data_bags/ssl/certs.json') +ssl_databag_test = JSON.parse(file) + +control 'alfresco-10' do + impact 0.5 + title 'Certs files creation and value check' + + describe file("#{ssl_folder}/#(unknown).key") do + it { should exist } + its('content') { should match "#{ssl_databag_test['key']}" } + end + + describe file("#{ssl_folder}/#(unknown).crt") do + it { should exist } + its('content') { should match "#{ssl_databag_test['crt']}" } + end + + describe file("#{ssl_folder}/#(unknown).chain") do + it { should exist } + its('content') { should match "#{ssl_databag_test['chain']}" } + end + + describe file("#{ssl_folder}/#(unknown).nginxcrt") do + it { should exist } + its('content') { should match "#{ssl_databag_test['nginxcrt']}" } + end + + describe file("#{ssl_folder}/#(unknown).dhparam") do + it { should exist } + its('content') { should match "#{ssl_databag_test['dhparam']}" } + end +end diff --git a/test/integration/data_bags/ssl/certs.json b/test/integration/data_bags/ssl/certs.json new file mode 100644 index 0000000..77376b5 --- /dev/null +++ b/test/integration/data_bags/ssl/certs.json 
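Review bot: `its('content') { should match "#{ssl_databag_test['key']}" }` and its four siblings pass the expected PEM text to RSpec's `match`, which, unless the content is byte-identical, falls back to `actual.match(expected)` and compiles the String into a Regexp, so the `+` characters in the base64 body become quantifiers and the comparison stops being literal; use `should eq ssl_databag_test['key']` for an exact check or `should include ssl_databag_test['key']` if surrounding content is acceptable, and drop the redundant `"#{...}"` interpolation. `File.read('test/integration/data_bags/ssl/certs.json')` is relative to the working directory of whichever process evaluates the profile, which from the kitchen layout looks like the host rather than the instance; a path built from `__dir__` would be more robust.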
@@ -0,0 +1,8 @@ +{ + "id":"certs", + "key": "-----BEGIN PRIVATE KEY-----\nMIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDm+vi3jUUjc/63\nPT8lLQfQMXtr2W8nHC1LAXglZ9eFyy4GS78vSVNgyFfYOMUDXyzbMkRn9aPAdsoP\nsgRWfDF3I9JDHl1xv7PAGLHbMjprHlkhURo97qmATruwCvcWV5OEUpj9x/yued66\nbQ+M3Boy5AvO+7u7/2GG6bldFwtApaQZ8ZJ9Unc6fQShVKsi2A4hQ3PDC4xtNoTL\nxcVWBK0Z1HcVs99+5WvMOBz3Tm8o9e0I9ti2dnSci051TZ4YEl9uyl/fJOqlnGIE\nvjSmXEMBg5opY7+T/MWOkBGIyUphd5WlQa6MSj6rthU2bvmAjTxalJzYJekPaMik\n26BugQOr8InNBf/0fnyZsyXdlanfvJiGdtUR2eDVJNGTOS3Rwln5UhdYW7M6lQQH\nqeXux6h3tlxeYVLZASHKVd6SJae7pbG+KU3HY18oKgwj885BXOT1Ga0SAM/H/ktF\n4OKAeCv4CHSFY45i3x1t6ePFDlosBqlp+T/lgLRtcs8wA249ujmiBEiIaYRcukMO\nEiroPWKAoiG7K9za2HgRvNIsE0cvSUX0kkEGj2ZkjzVKpGeqElZX9B2yluK4YXCX\nFIRXoLPLqcjL5CDkA7hdXKnP6Zu4titc94Tm/unTUAtvrM8H75OxYWZ6vrM2qSI5\nsAPJ/rMEfFfAN5XXn0gCTTz81fqBkwIDAQABAoICAQCZHmSEoYTkxL9lT5etmFVm\noXbU/vYdciNgZp/0BAuuqQtgpxQdT7mTHhyFvNR1sME2qfMJC6C7NMQsdXFEt92+\nwiNf1SBTCKcrP/OfgIOTgTHK0U3ZIn6BDTCEujAkQngLLwo2qj2KmEWbRjMZyMsh\nU2W0l9JTBS/s1MHJwT33ZBcOD8Nxipp5TmkkXdF5LsrnKCT0dpJnz81mnDt+E2mB\nBwTOgUg2gfXdEpG5K+iquaSh3am6A3q4T+z5/DNCd+OFuWimr31RvgKIbGLQqbbN\nqSUoLPTSMK3yHPVSvUWuqSytuYXxgEJdaD5VsGl726TX007KRw9h5K+mAeYvex0n\nuqR3S7uG3gXzJ2mAtOS0Tw9QBFa4JMzlOpD4nGBbx7U971NuVNDf2h9gNd8vvGhE\n6OE2H1JeuAzLYYnFG3jDLSjMFsdsgUrMhxW3xVWT5ohGHLscL7pAnGzegE2eL0/P\n7aos26/pX8oPRimoekVvyi8C6jdxVH34YhfU/+g3Gabo1gOxzMggwvQ/YmbCYMu5\nY3SkK4VLE1AePd4Ry+wnXJkunGHR+TAT4ZalPVHgj06Lvh2xZRJi1t1uMMbR7MD0\nM0XGOGLQqbgRBdwPthXNmZNfOu4FL4xz/p6yJLtmD0dnYdYcXlFBPknT992yeBRp\nLF72lvH8GaVaBjFTxfLNWQKCAQEA+vR0OZ1oRItcfPdAvN/lDXsfZ4iUVoi7HaBD\nDzVtP+vxJ1/39oISSDCqTwWQtzCX/O5oqMPwVMSlcsSYaB+7U5RmuHa4c7QoFIX1\nnqA1QjeCM4PbLafMP1Ya1If+kiqza56N7z083nhEsUpC38nyg9AisprOXdtNFV5/\nXNHvm3XsddF8nnpf3fv8HhCqbctlZW29YTEiziaX6yaVv2IXgbh22/LsAxRirnA4\nRtOlNJy4oY5DvanBQdX2kutqfFNSkRUkwY4lra3xvzAvMtPkSBUp9W22AcE3eWyE\nuDyXG7IjnIV+mdQxmdNb1TWR91WtJOHg9bp97xdY/f4TEaWqRwKCAQEA65+30d20\nGoTH0yqZZDiRkakSfhdd0fGvDwXIvYNRwNTSqloNkxrwUL4pVZ+2FUbJl1i3o+Vt\npybfHixHnsXr
+vPqcBIunbIMgBIukvLwKsxkeWPPS19e90N/aQe7hAxElhUXCHrE\nUXte+KMJ8JYj71xGML2F/IJ9V66UGOZ/Z+h7QaixCK5TmoRluTZBd4UuKCri/1vd\ns57jazKdswSXsg26fXIcWGUv4f4KoP5ip/SQl92Kg+Z6BKTqO2lhprnJOjTreDJx\nJB74FMe8SkFXT+rQWR8XsGMkR2k9CpbR8ai4+LTZThRnD4+fr0YPB676+lWd4uVL\n7/NDbMVi4sNIVQKCAQEAwCVZtB98jTbzOs+JptP7KgZCdmBRy6vnMPjbP5LVsmKy\nA0bssbbHzrRMQjLtqgWv6b6VLdrQcecbErPKSbc6E/WFbOmhsx2WrpgfBzR9ctTT\ngSQNNnjK3xfLdT0nQr0lIVqGLE6EA4ased51M6oJYLmFR6FWLvDRpXH0LJqlTi/N\nPCyIsULbkjj0wgRaqbRZT37lyLv5fUR5f1fMwnuVqgIWJ7Ro1rbOE+fifwBf9tek\nWjZ2UYrfaMwtfjJ4FvcpOeKpgPWYjdGoTo3TJaStni9uL/evqspI8lSPjgz+Wftc\nXuSrmZap37DAGJBq0ais6Jd2Sk9fSyhiQB9AdHuW0wKCAQEAy514QlmuXARGkksL\nxznDQfazTldu8hBC0V6UPIEQ0uyXKDMt6+OprHzIR3/+36AOcUVvXKjU+09yHCbz\ntVcgN/s0qqhrtEa62qnbqY1a0gFTCjugVWgTLuYbYm4WM2ROmMuc3e0JXciZJ4/s\n9QUqBJze4xvEf5NcMbthq6r0ipyydukKI5BSGwMyzL0AEgL7AicdhsKicahqqqZQ\n9PSRCoMml2VW7WRz3n2kPb/XDYEgurvuCVHQO9cvuyu0AVondK9qlLIyZ56Dj6GT\nKzAP/bXTWlCuLfVe0n81CsOOpaDCR9owt3KWJTJeMh7+ugsSQ+ZczEiOOMslhweE\nDqXnCQKCAQBWLxdSTiG2zENYHWjdqsN8fnCElROmcB/Ek/IfLhFmWXOERDQ6oong\nE5zzt1Os5M9Hp2q0ao6QECxErMnqGlwdQ3KB3gd5i22H/vQDgeNwbQLjXXEYF550\nsoCwykeXcArF2GfaDe3geOCIK9EzSmk0IuAeKx+PaQttD4GZz4PUXwQ2d123AYOF\nZjz67iVP2QwkLx55K/6QHqMrrbwyxvU+AcLKORrz1hLpAnYO6QKN1tCG0MK/ARVv\nL5wmgUE+HoK9Mp95Ea5ROYj2fid4LmEzSEH9k6XaLbv4j4TO+Th7RBJd2jiuM8CE\nmNjr7S2VErkv9O1OSoVUqFAgN9njYR52\n-----END PRIVATE KEY-----", + "crt": "-----BEGIN 
CERTIFICATE-----\nMIIE+zCCAuOgAwIBAgIJAJ49uJaP5qmzMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDAeFw0xNTEwMDMxNzU5MTJaFw0yNTA5MzAxNzU5MTJaMBQx\nEjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\nggIBAOb6+LeNRSNz/rc9PyUtB9Axe2vZbyccLUsBeCVn14XLLgZLvy9JU2DIV9g4\nxQNfLNsyRGf1o8B2yg+yBFZ8MXcj0kMeXXG/s8AYsdsyOmseWSFRGj3uqYBOu7AK\n9xZXk4RSmP3H/K553rptD4zcGjLkC877u7v/YYbpuV0XC0ClpBnxkn1Sdzp9BKFU\nqyLYDiFDc8MLjG02hMvFxVYErRnUdxWz337la8w4HPdObyj17Qj22LZ2dJyLTnVN\nnhgSX27KX98k6qWcYgS+NKZcQwGDmiljv5P8xY6QEYjJSmF3laVBroxKPqu2FTZu\n+YCNPFqUnNgl6Q9oyKTboG6BA6vwic0F//R+fJmzJd2Vqd+8mIZ21RHZ4NUk0ZM5\nLdHCWflSF1hbszqVBAep5e7HqHe2XF5hUtkBIcpV3pIlp7ulsb4pTcdjXygqDCPz\nzkFc5PUZrRIAz8f+S0Xg4oB4K/gIdIVjjmLfHW3p48UOWiwGqWn5P+WAtG1yzzAD\nbj26OaIESIhphFy6Qw4SKug9YoCiIbsr3NrYeBG80iwTRy9JRfSSQQaPZmSPNUqk\nZ6oSVlf0HbKW4rhhcJcUhFegs8upyMvkIOQDuF1cqc/pm7i2K1z3hOb+6dNQC2+s\nzwfvk7FhZnq+szapIjmwA8n+swR8V8A3ldefSAJNPPzV+oGTAgMBAAGjUDBOMB0G\nA1UdDgQWBBRk6rzhP9CbkC21384TDs3IUsuOuzAfBgNVHSMEGDAWgBRk6rzhP9Cb\nkC21384TDs3IUsuOuzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQDW\nWvPO1orJUpTKB4E2cU//z43fEn9eXcRIo5bJUBGizrjZNcOwXZbnEkZj3ujVpaar\nInYbliUQw1C5aY4slUtkQUEnNZLhkwoz7xdBoyo9SS5dP9ZbCxAq4XzPbnUpmidd\n1qf7hnqT1/tF+Sg3fL0tM9+wZjasI9FmROD8WgdDejgyaTuVGwHwfXFCA4ot3wMZ\nqx+SnIjyIOZOC2lp9YoqkmJQ/j0A/uhiJrXWEBHkm8Y86s9saup5usGj4Itito7a\nJWP7DOlD1qgE6U9haNlP8+lSynFsWfmZzrlR6BQqoHG5ByWK1c7agfTLSF2JS7eQ\nzdvx7+ScvQjTDt3CNlKPEStkvwB6zru6vKjESLtVvrjEJpRvRWc/vJDGXP642UXb\nMB+dLa/LTESIVR4bZrjRNdhJiuVPtV0ohgXINztRR/ZSh4i6cCMMGLXhAfKIQCSQ\nkXkpwT5h2FssBTBYsDlZkYqyf+gNEVU/zMhAPBXDIMM8ASqvR/tkKQv3n96cJcXA\n55llGSe6HxpUugaDmhJZ/J2TlKUFATUsD2yyRbvEy3wGoXup03TL8g3foSnhe/Jq\nl6Z/FK36ULZ1sE6XXZkhWcu8lSy2zrN1wc0uCK8+lIqzlJiNn/9QzlNIWGNtuepa\n2saciGziOVSUdC8OZpZPxXBj9mHYsltBpi8kAkFUTw==\n-----END CERTIFICATE-----", + "chain": "-----BEGIN PRIVATE 
KEY-----\nMIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDm+vi3jUUjc/63\nPT8lLQfQMXtr2W8nHC1LAXglZ9eFyy4GS78vSVNgyFfYOMUDXyzbMkRn9aPAdsoP\nsgRWfDF3I9JDHl1xv7PAGLHbMjprHlkhURo97qmATruwCvcWV5OEUpj9x/yued66\nbQ+M3Boy5AvO+7u7/2GG6bldFwtApaQZ8ZJ9Unc6fQShVKsi2A4hQ3PDC4xtNoTL\nxcVWBK0Z1HcVs99+5WvMOBz3Tm8o9e0I9ti2dnSci051TZ4YEl9uyl/fJOqlnGIE\nvjSmXEMBg5opY7+T/MWOkBGIyUphd5WlQa6MSj6rthU2bvmAjTxalJzYJekPaMik\n26BugQOr8InNBf/0fnyZsyXdlanfvJiGdtUR2eDVJNGTOS3Rwln5UhdYW7M6lQQH\nqeXux6h3tlxeYVLZASHKVd6SJae7pbG+KU3HY18oKgwj885BXOT1Ga0SAM/H/ktF\n4OKAeCv4CHSFY45i3x1t6ePFDlosBqlp+T/lgLRtcs8wA249ujmiBEiIaYRcukMO\nEiroPWKAoiG7K9za2HgRvNIsE0cvSUX0kkEGj2ZkjzVKpGeqElZX9B2yluK4YXCX\nFIRXoLPLqcjL5CDkA7hdXKnP6Zu4titc94Tm/unTUAtvrM8H75OxYWZ6vrM2qSI5\nsAPJ/rMEfFfAN5XXn0gCTTz81fqBkwIDAQABAoICAQCZHmSEoYTkxL9lT5etmFVm\noXbU/vYdciNgZp/0BAuuqQtgpxQdT7mTHhyFvNR1sME2qfMJC6C7NMQsdXFEt92+\nwiNf1SBTCKcrP/OfgIOTgTHK0U3ZIn6BDTCEujAkQngLLwo2qj2KmEWbRjMZyMsh\nU2W0l9JTBS/s1MHJwT33ZBcOD8Nxipp5TmkkXdF5LsrnKCT0dpJnz81mnDt+E2mB\nBwTOgUg2gfXdEpG5K+iquaSh3am6A3q4T+z5/DNCd+OFuWimr31RvgKIbGLQqbbN\nqSUoLPTSMK3yHPVSvUWuqSytuYXxgEJdaD5VsGl726TX007KRw9h5K+mAeYvex0n\nuqR3S7uG3gXzJ2mAtOS0Tw9QBFa4JMzlOpD4nGBbx7U971NuVNDf2h9gNd8vvGhE\n6OE2H1JeuAzLYYnFG3jDLSjMFsdsgUrMhxW3xVWT5ohGHLscL7pAnGzegE2eL0/P\n7aos26/pX8oPRimoekVvyi8C6jdxVH34YhfU/+g3Gabo1gOxzMggwvQ/YmbCYMu5\nY3SkK4VLE1AePd4Ry+wnXJkunGHR+TAT4ZalPVHgj06Lvh2xZRJi1t1uMMbR7MD0\nM0XGOGLQqbgRBdwPthXNmZNfOu4FL4xz/p6yJLtmD0dnYdYcXlFBPknT992yeBRp\nLF72lvH8GaVaBjFTxfLNWQKCAQEA+vR0OZ1oRItcfPdAvN/lDXsfZ4iUVoi7HaBD\nDzVtP+vxJ1/39oISSDCqTwWQtzCX/O5oqMPwVMSlcsSYaB+7U5RmuHa4c7QoFIX1\nnqA1QjeCM4PbLafMP1Ya1If+kiqza56N7z083nhEsUpC38nyg9AisprOXdtNFV5/\nXNHvm3XsddF8nnpf3fv8HhCqbctlZW29YTEiziaX6yaVv2IXgbh22/LsAxRirnA4\nRtOlNJy4oY5DvanBQdX2kutqfFNSkRUkwY4lra3xvzAvMtPkSBUp9W22AcE3eWyE\nuDyXG7IjnIV+mdQxmdNb1TWR91WtJOHg9bp97xdY/f4TEaWqRwKCAQEA65+30d20\nGoTH0yqZZDiRkakSfhdd0fGvDwXIvYNRwNTSqloNkxrwUL4pVZ+2FUbJl1i3o+Vt\npybfHixHnsXr+vPqcBIunbIMgBIukvLwKsxkeWPPS19e90N/aQe7hAxElhUXCHrE\nUXte+KMJ8J
Yj71xGML2F/IJ9V66UGOZ/Z+h7QaixCK5TmoRluTZBd4UuKCri/1vd\ns57jazKdswSXsg26fXIcWGUv4f4KoP5ip/SQl92Kg+Z6BKTqO2lhprnJOjTreDJx\nJB74FMe8SkFXT+rQWR8XsGMkR2k9CpbR8ai4+LTZThRnD4+fr0YPB676+lWd4uVL\n7/NDbMVi4sNIVQKCAQEAwCVZtB98jTbzOs+JptP7KgZCdmBRy6vnMPjbP5LVsmKy\nA0bssbbHzrRMQjLtqgWv6b6VLdrQcecbErPKSbc6E/WFbOmhsx2WrpgfBzR9ctTT\ngSQNNnjK3xfLdT0nQr0lIVqGLE6EA4ased51M6oJYLmFR6FWLvDRpXH0LJqlTi/N\nPCyIsULbkjj0wgRaqbRZT37lyLv5fUR5f1fMwnuVqgIWJ7Ro1rbOE+fifwBf9tek\nWjZ2UYrfaMwtfjJ4FvcpOeKpgPWYjdGoTo3TJaStni9uL/evqspI8lSPjgz+Wftc\nXuSrmZap37DAGJBq0ais6Jd2Sk9fSyhiQB9AdHuW0wKCAQEAy514QlmuXARGkksL\nxznDQfazTldu8hBC0V6UPIEQ0uyXKDMt6+OprHzIR3/+36AOcUVvXKjU+09yHCbz\ntVcgN/s0qqhrtEa62qnbqY1a0gFTCjugVWgTLuYbYm4WM2ROmMuc3e0JXciZJ4/s\n9QUqBJze4xvEf5NcMbthq6r0ipyydukKI5BSGwMyzL0AEgL7AicdhsKicahqqqZQ\n9PSRCoMml2VW7WRz3n2kPb/XDYEgurvuCVHQO9cvuyu0AVondK9qlLIyZ56Dj6GT\nKzAP/bXTWlCuLfVe0n81CsOOpaDCR9owt3KWJTJeMh7+ugsSQ+ZczEiOOMslhweE\nDqXnCQKCAQBWLxdSTiG2zENYHWjdqsN8fnCElROmcB/Ek/IfLhFmWXOERDQ6oong\nE5zzt1Os5M9Hp2q0ao6QECxErMnqGlwdQ3KB3gd5i22H/vQDgeNwbQLjXXEYF550\nsoCwykeXcArF2GfaDe3geOCIK9EzSmk0IuAeKx+PaQttD4GZz4PUXwQ2d123AYOF\nZjz67iVP2QwkLx55K/6QHqMrrbwyxvU+AcLKORrz1hLpAnYO6QKN1tCG0MK/ARVv\nL5wmgUE+HoK9Mp95Ea5ROYj2fid4LmEzSEH9k6XaLbv4j4TO+Th7RBJd2jiuM8CE\nmNjr7S2VErkv9O1OSoVUqFAgN9njYR52\n-----END PRIVATE KEY-----\n-----BEGIN 
CERTIFICATE-----\nMIIE+zCCAuOgAwIBAgIJAJ49uJaP5qmzMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDAeFw0xNTEwMDMxNzU5MTJaFw0yNTA5MzAxNzU5MTJaMBQx\nEjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\nggIBAOb6+LeNRSNz/rc9PyUtB9Axe2vZbyccLUsBeCVn14XLLgZLvy9JU2DIV9g4\nxQNfLNsyRGf1o8B2yg+yBFZ8MXcj0kMeXXG/s8AYsdsyOmseWSFRGj3uqYBOu7AK\n9xZXk4RSmP3H/K553rptD4zcGjLkC877u7v/YYbpuV0XC0ClpBnxkn1Sdzp9BKFU\nqyLYDiFDc8MLjG02hMvFxVYErRnUdxWz337la8w4HPdObyj17Qj22LZ2dJyLTnVN\nnhgSX27KX98k6qWcYgS+NKZcQwGDmiljv5P8xY6QEYjJSmF3laVBroxKPqu2FTZu\n+YCNPFqUnNgl6Q9oyKTboG6BA6vwic0F//R+fJmzJd2Vqd+8mIZ21RHZ4NUk0ZM5\nLdHCWflSF1hbszqVBAep5e7HqHe2XF5hUtkBIcpV3pIlp7ulsb4pTcdjXygqDCPz\nzkFc5PUZrRIAz8f+S0Xg4oB4K/gIdIVjjmLfHW3p48UOWiwGqWn5P+WAtG1yzzAD\nbj26OaIESIhphFy6Qw4SKug9YoCiIbsr3NrYeBG80iwTRy9JRfSSQQaPZmSPNUqk\nZ6oSVlf0HbKW4rhhcJcUhFegs8upyMvkIOQDuF1cqc/pm7i2K1z3hOb+6dNQC2+s\nzwfvk7FhZnq+szapIjmwA8n+swR8V8A3ldefSAJNPPzV+oGTAgMBAAGjUDBOMB0G\nA1UdDgQWBBRk6rzhP9CbkC21384TDs3IUsuOuzAfBgNVHSMEGDAWgBRk6rzhP9Cb\nkC21384TDs3IUsuOuzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQDW\nWvPO1orJUpTKB4E2cU//z43fEn9eXcRIo5bJUBGizrjZNcOwXZbnEkZj3ujVpaar\nInYbliUQw1C5aY4slUtkQUEnNZLhkwoz7xdBoyo9SS5dP9ZbCxAq4XzPbnUpmidd\n1qf7hnqT1/tF+Sg3fL0tM9+wZjasI9FmROD8WgdDejgyaTuVGwHwfXFCA4ot3wMZ\nqx+SnIjyIOZOC2lp9YoqkmJQ/j0A/uhiJrXWEBHkm8Y86s9saup5usGj4Itito7a\nJWP7DOlD1qgE6U9haNlP8+lSynFsWfmZzrlR6BQqoHG5ByWK1c7agfTLSF2JS7eQ\nzdvx7+ScvQjTDt3CNlKPEStkvwB6zru6vKjESLtVvrjEJpRvRWc/vJDGXP642UXb\nMB+dLa/LTESIVR4bZrjRNdhJiuVPtV0ohgXINztRR/ZSh4i6cCMMGLXhAfKIQCSQ\nkXkpwT5h2FssBTBYsDlZkYqyf+gNEVU/zMhAPBXDIMM8ASqvR/tkKQv3n96cJcXA\n55llGSe6HxpUugaDmhJZ/J2TlKUFATUsD2yyRbvEy3wGoXup03TL8g3foSnhe/Jq\nl6Z/FK36ULZ1sE6XXZkhWcu8lSy2zrN1wc0uCK8+lIqzlJiNn/9QzlNIWGNtuepa\n2saciGziOVSUdC8OZpZPxXBj9mHYsltBpi8kAkFUTw==\n-----END CERTIFICATE-----", + "dhparam": "-----BEGIN DH 
PARAMETERS-----\nMIICCAKCAgEA1Da6WjdD9lAhRiGJhE3Yc6mfLSh8teVQjmf5Mr0W3VNl3mgklBji\ni+9jD20bCSC+aGqe25pMjHxyL0FROB8qwHCpjX+imCG6/h3MT+rCZoCgd1fpw4iy\n5GdwNccTLi4P3PTTPZEKw/DY59KQOA5fs18/BEc04SrzbvYJ0kCehoJDNVi27owR\n0WMp7wKSqXrubCQNo2l1o2+MvhgYa047s/Wh5uYq01rtZghvQRNtJHJWmLM/l/cA\ngMu7stMWbgOczahOOeLwuB3oncGIXY403/j7KuxFQF/3WXG2i7XRLhFPwOn+L+1C\ngFfMzxLa/g9p8jAlLPSE6KAzg4OTki+q9IsB0a233XUkmryPIPWxrXwY6wzb4oqD\nwROT2/pKJJ7SHbFBnkiqvyqKkdbBgCGS5W4kOYuS5pMqy44RDbMzkuxZdffnWZYU\nYUmaaeSCcVc8TF90LSGGriSSdTiEsLrrs0tya4+/nWvrWkZyCXpeDdKrD8NGA1KR\nXs3lMn8o/X1htNbrgwDDVl/f8TQGdw41Ik7pEeNZH/ZXohFC5P3wFW/WAtKmDXk/\nrb7t8lQI8/Ig/nR5j2QnMmj/hZnHHJugkIjDDDIXTaAwxmMOnqUm9aU+i61Yltld\nQBnJy57nFDReEzp3XyiAwMQtCXBpHZg7QYV5oQaeRb7oDl4wKBpgfzsCAQI=\n-----END DH PARAMETERS-----", + "nginxcrt": "-----BEGIN CERTIFICATE-----\nMIIE+zCCAuOgAwIBAgIJAJ49uJaP5qmzMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDAeFw0xNTEwMDMxNzU5MTJaFw0yNTA5MzAxNzU5MTJaMBQx\nEjAQBgNVBAMMCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\nggIBAOb6+LeNRSNz/rc9PyUtB9Axe2vZbyccLUsBeCVn14XLLgZLvy9JU2DIV9g4\nxQNfLNsyRGf1o8B2yg+yBFZ8MXcj0kMeXXG/s8AYsdsyOmseWSFRGj3uqYBOu7AK\n9xZXk4RSmP3H/K553rptD4zcGjLkC877u7v/YYbpuV0XC0ClpBnxkn1Sdzp9BKFU\nqyLYDiFDc8MLjG02hMvFxVYErRnUdxWz337la8w4HPdObyj17Qj22LZ2dJyLTnVN\nnhgSX27KX98k6qWcYgS+NKZcQwGDmiljv5P8xY6QEYjJSmF3laVBroxKPqu2FTZu\n+YCNPFqUnNgl6Q9oyKTboG6BA6vwic0F//R+fJmzJd2Vqd+8mIZ21RHZ4NUk0ZM5\nLdHCWflSF1hbszqVBAep5e7HqHe2XF5hUtkBIcpV3pIlp7ulsb4pTcdjXygqDCPz\nzkFc5PUZrRIAz8f+S0Xg4oB4K/gIdIVjjmLfHW3p48UOWiwGqWn5P+WAtG1yzzAD\nbj26OaIESIhphFy6Qw4SKug9YoCiIbsr3NrYeBG80iwTRy9JRfSSQQaPZmSPNUqk\nZ6oSVlf0HbKW4rhhcJcUhFegs8upyMvkIOQDuF1cqc/pm7i2K1z3hOb+6dNQC2+s\nzwfvk7FhZnq+szapIjmwA8n+swR8V8A3ldefSAJNPPzV+oGTAgMBAAGjUDBOMB0G\nA1UdDgQWBBRk6rzhP9CbkC21384TDs3IUsuOuzAfBgNVHSMEGDAWgBRk6rzhP9Cb\nkC21384TDs3IUsuOuzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQDW\nWvPO1orJUpTKB4E2cU//z43fEn9eXcRIo5bJUBGizrjZNcOwXZbnEkZj3ujVpaar\nInYbliUQw1C5aY4slUtkQUEnNZLhkwoz7xdBoyo9SS5dP9ZbCxAq4XzPbnUpmidd\
n1qf7hnqT1/tF+Sg3fL0tM9+wZjasI9FmROD8WgdDejgyaTuVGwHwfXFCA4ot3wMZ\nqx+SnIjyIOZOC2lp9YoqkmJQ/j0A/uhiJrXWEBHkm8Y86s9saup5usGj4Itito7a\nJWP7DOlD1qgE6U9haNlP8+lSynFsWfmZzrlR6BQqoHG5ByWK1c7agfTLSF2JS7eQ\nzdvx7+ScvQjTDt3CNlKPEStkvwB6zru6vKjESLtVvrjEJpRvRWc/vJDGXP642UXb\nMB+dLa/LTESIVR4bZrjRNdhJiuVPtV0ohgXINztRR/ZSh4i6cCMMGLXhAfKIQCSQ\nkXkpwT5h2FssBTBYsDlZkYqyf+gNEVU/zMhAPBXDIMM8ASqvR/tkKQv3n96cJcXA\n55llGSe6HxpUugaDmhJZ/J2TlKUFATUsD2yyRbvEy3wGoXup03TL8g3foSnhe/Jq\nl6Z/FK36ULZ1sE6XXZkhWcu8lSy2zrN1wc0uCK8+lIqzlJiNn/9QzlNIWGNtuepa\n2saciGziOVSUdC8OZpZPxXBj9mHYsltBpi8kAkFUTw==\n-----END CERTIFICATE-----" +} From 0bb528ca3004a09d700075665e40c6d6719f55c8 Mon Sep 17 00:00:00 2001 From: Daniel Monteiro Date: Thu, 20 Apr 2017 13:35:56 +0100 Subject: [PATCH 09/23] fixing the build error --- .kitchen.docker.yml | 18 +++++++-- .kitchen.yml | 24 ++++++++++-- .../community-52/inspec/certs_spec.rb | 10 ++--- .../enterprise-52/inspec/certs_spec.rb | 37 +++++++++++++++++++ .../enterprise-edition/inspec/certs_spec.rb | 37 +++++++++++++++++++ .../enterprise-solr6-52/inspec/certs_spec.rb | 37 +++++++++++++++++++ 6 files changed, 151 insertions(+), 12 deletions(-) create mode 100644 test/integration/enterprise-52/inspec/certs_spec.rb create mode 100644 test/integration/enterprise-edition/inspec/certs_spec.rb create mode 100644 test/integration/enterprise-solr6-52/inspec/certs_spec.rb diff --git a/.kitchen.docker.yml b/.kitchen.docker.yml index 3120e10..b154220 100644 --- a/.kitchen.docker.yml +++ b/.kitchen.docker.yml @@ -93,7 +93,11 @@ suites: "version" : "5.1.2", "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr","mysql","aos", "rm",'googledocs','yourkit'], "edition" : "enterprise", - "ssl_enabled" : false + "ssl_enabled" : false, + "certs" : { + "ssl_databag" : "ssl", + "ssl_databag_item" : "certs" + } }, "artifact-deployer" : { "maven" : { 
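Review bot: The `"chain"` value begins with the full `-----BEGIN PRIVATE KEY-----` … `-----END PRIVATE KEY-----` block (the same key as `"key"`) and only then the certificate, so anything that consumes this item as a certificate chain receives the private key as well; the certs_spec in this series expects the chain to be written to `/etc/pki/tls/certs/<name>.chain`, a directory whose files are normally world-readable. A chain should carry only the issuing certificates — for this fixture, just the `"crt"` PEM — which also keeps the example honest about what a real data bag item must contain. Since the key is committed to the repository it is only usable as a throwaway test fixture, which a short `"id"`-level comment in the README or the spec could say.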
@@ -132,7 +136,11 @@ suites: "version" : "5.2.0", "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr","mysql","aos","rm"], "edition" : "enterprise", - "ssl_enabled" : false + "ssl_enabled" : false, + "certs" : { + "ssl_databag" : "ssl", + "ssl_databag_item" : "certs" + } }, "artifact-deployer" : { "maven" : { @@ -181,7 +189,11 @@ suites: "version" : "5.2.0", "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr6","mysql","aos","rm"], "edition" : "enterprise", - "ssl_enabled" : false + "ssl_enabled" : false, + "certs" : { + "ssl_databag" : "ssl", + "ssl_databag_item" : "certs" + } }, "artifact-deployer" : { "maven" : { diff --git a/.kitchen.yml b/.kitchen.yml index 581ec4c..9746b92 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -61,7 +61,11 @@ suites: "alfresco" : { "components" : ['haproxy','nginx','tomcat','transform','repo','share','solr','mysql','googledocs','yourkit'], "version" : "5.2.d", - "ssl_enabled" : false + "ssl_enabled" : false, + "certs" : { + "ssl_databag" : "ssl", + "ssl_databag_item" : "certs" + } }, "nginx" : { "use_nossl_config" : true @@ -107,7 +111,11 @@ suites: "version" : "5.1.2", "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr","mysql","aos", "rm"], "edition" : "enterprise", - "ssl_enabled" : false + "ssl_enabled" : false, + "certs" : { + "ssl_databag" : "ssl", + "ssl_databag_item" : "certs" + } }, "artifact-deployer" : { "maven" : { @@ -146,7 +154,11 @@ suites: "version" : "5.2.0", "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr","mysql","aos","rm"], "edition" : "enterprise", - "ssl_enabled" : false + "ssl_enabled" : false, + "certs" : { + "ssl_databag" : "ssl", + "ssl_databag_item" : "certs" + } }, "artifact-deployer" : { "maven" : { 
@@ -195,7 +207,11 @@ suites: "version" : "5.2.0", "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr6","mysql","aos","rm"], "edition" : "enterprise", - "ssl_enabled" : false + "ssl_enabled" : false, + "certs" : { + "ssl_databag" : "ssl", + "ssl_databag_item" : "certs" + } }, "artifact-deployer" : { "maven" : { diff --git a/test/integration/community-52/inspec/certs_spec.rb b/test/integration/community-52/inspec/certs_spec.rb index 8e6f308..3154c87 100644 --- a/test/integration/community-52/inspec/certs_spec.rb +++ b/test/integration/community-52/inspec/certs_spec.rb @@ -12,26 +12,26 @@ describe file("#{ssl_folder}/#(unknown).key") do it { should exist } - its('content') { should match "#{ssl_databag_test['key']}" } + its('content') { should match ssl_databag_test['key'].to_s } end describe file("#{ssl_folder}/#(unknown).crt") do it { should exist } - its('content') { should match "#{ssl_databag_test['crt']}" } + its('content') { should match ssl_databag_test['crt'].to_s } end describe file("#{ssl_folder}/#(unknown).chain") do it { should exist } - its('content') { should match "#{ssl_databag_test['chain']}" } + its('content') { should match ssl_databag_test['chain'].to_s } end describe file("#{ssl_folder}/#(unknown).nginxcrt") do it { should exist } - its('content') { should match "#{ssl_databag_test['nginxcrt']}" } + its('content') { should match ssl_databag_test['nginxcrt'].to_s } end describe file("#{ssl_folder}/#(unknown).dhparam") do it { should exist } - its('content') { should match "#{ssl_databag_test['dhparam']}" } + its('content') { should match ssl_databag_test['dhparam'].to_s } end end diff --git a/test/integration/enterprise-52/inspec/certs_spec.rb b/test/integration/enterprise-52/inspec/certs_spec.rb new file mode 100644 index 0000000..3154c87 --- /dev/null +++ b/test/integration/enterprise-52/inspec/certs_spec.rb 
@@ -0,0 +1,37 @@
+require 'json'
+
+ssl_folder = '/etc/pki/tls/certs'
+filename = 'alfresco'
+
+file = File.read('test/integration/data_bags/ssl/certs.json')
+ssl_databag_test = JSON.parse(file)
+
+control 'alfresco-10' do
+ impact 0.5
+ title 'Certs files creation and value check'
+
+ describe file("#{ssl_folder}/#(unknown).key") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['key'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).crt") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['crt'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).chain") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['chain'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).nginxcrt") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['nginxcrt'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).dhparam") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['dhparam'].to_s }
+ end
+end
diff --git a/test/integration/enterprise-edition/inspec/certs_spec.rb b/test/integration/enterprise-edition/inspec/certs_spec.rb
new file mode 100644
index 0000000..3154c87
--- /dev/null
+++ b/test/integration/enterprise-edition/inspec/certs_spec.rb
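Review bot: This file is a byte-for-byte copy of the community-52 spec (both land as blob 3154c87), and the next two hunks add identical copies for enterprise-edition and enterprise-solr6-52, so the same control now lives in four places and will drift the first time a matcher or path is corrected in one of them. kitchen-inspec's `inspec_tests` takes a `path:` entry, so one shared directory under test/integration referenced from each suite would cover all four; if the suites are expected to diverge later, at least `ssl_folder` and the data bag location belong in a shared helper.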
@@ -0,0 +1,37 @@
+require 'json'
+
+ssl_folder = '/etc/pki/tls/certs'
+filename = 'alfresco'
+
+file = File.read('test/integration/data_bags/ssl/certs.json')
+ssl_databag_test = JSON.parse(file)
+
+control 'alfresco-10' do
+ impact 0.5
+ title 'Certs files creation and value check'
+
+ describe file("#{ssl_folder}/#(unknown).key") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['key'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).crt") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['crt'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).chain") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['chain'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).nginxcrt") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['nginxcrt'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).dhparam") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['dhparam'].to_s }
+ end
+end
diff --git a/test/integration/enterprise-solr6-52/inspec/certs_spec.rb b/test/integration/enterprise-solr6-52/inspec/certs_spec.rb
new file mode 100644
index 0000000..3154c87
--- /dev/null
+++ b/test/integration/enterprise-solr6-52/inspec/certs_spec.rb
@@ -0,0 +1,37 @@
+require 'json'
+
+ssl_folder = '/etc/pki/tls/certs'
+filename = 'alfresco'
+
+file = File.read('test/integration/data_bags/ssl/certs.json')
+ssl_databag_test = JSON.parse(file)
+
+control 'alfresco-10' do
+ impact 0.5
+ title 'Certs files creation and value check'
+
+ describe file("#{ssl_folder}/#(unknown).key") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['key'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).crt") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['crt'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).chain") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['chain'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).nginxcrt") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['nginxcrt'].to_s }
+ end
+
+ describe file("#{ssl_folder}/#(unknown).dhparam") do
+ it { should exist }
+ its('content') { should match ssl_databag_test['dhparam'].to_s }
+ end
+end
From 46804920f0cca8049734f10ebca6e169003a4d45 Mon Sep 17 00:00:00 2001
From: Abdul Mohammed
Date: Thu, 20 Apr 2017 17:39:09 +0100
Subject: [PATCH 10/23] Java flavor sorted
---
 recipes/tomcat.rb | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb
index 5e415ce..00cdbf0 100644
--- a/recipes/tomcat.rb
+++ b/recipes/tomcat.rb
@@ -39,25 +39,26 @@ include_recipe 'tomcat::default' # Find openjdk version -ruby_block 'Find openjdk version' do +ruby_block 'Find openjdk version & jre path' do block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) command = 'rpm -qa | grep openjdk | grep -v headless' command_out = shell_out(command) - node.run_state['openjdk_version'] = command_out.stdout + openjdk_version = command_out.stdout.chomp + node.run_state['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" end - action :create + action :run end # Unset openjdk alternatives for java and javac commands -java_alternatives 'un-set java alternatives' do - java_location "/usr/lib/jvm/#{node.run_state['openjdk_version']}" - bin_cmds ['java', 'javac'] +java_alternatives 'un-set java alternatives for openjdk' do + java_location lazy { node.run_state['openjdk_path'] } + bin_cmds ['java', 'javac', 'keytool'] action :unset end # Reset back to Oracle Java as Apache Tomcat installs OpenJDK via Yum -java_ark 'jdk' do +java_ark 're-set oracle jdk' do url node['java']['jdk']['8']['x86_64']['url'] default node['java']['set_default'] checksum node['java']['jdk']['8']['x86_64']['checksum'] From 5a1b30a2c9c686e665d364957cc529a008cf464b Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Thu, 20 Apr 2017 20:55:26 +0100 Subject: [PATCH 11/23] cookstyle issue resolved --- recipes/tomcat.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 00cdbf0..5ddaac3 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb 
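Review bot: `openjdk_version = command_out.stdout.chomp` keeps the whole output of `rpm -qa | grep openjdk | grep -v headless`, so with two matching packages (for instance the `-devel` sub-package alongside the runtime) the stored path becomes `/usr/lib/jvm/<pkg1>\n<pkg2>/jre`, and with none it becomes `/usr/lib/jvm//jre`; neither case is caught because `shell_out` does not raise on grep's non-zero exit. `command_out.error!` followed by `openjdk_version = command_out.stdout.lines.first.to_s.chomp` fails the converge when nothing is installed and otherwise picks one package, and a comment should state the assumption that the rpm name equals the directory under /usr/lib/jvm. The two later hunks of this series on the same block carry the construct over unchanged. The comment `# Unset openjdk alternatives for java and javac commands` is now stale, as `bin_cmds` also lists keytool.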
@@ -45,15 +45,15 @@ command = 'rpm -qa | grep openjdk | grep -v headless' command_out = shell_out(command) openjdk_version = command_out.stdout.chomp - node.run_state['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" + node.run_state['alfresco']['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" end action :run end # Unset openjdk alternatives for java and javac commands java_alternatives 'un-set java alternatives for openjdk' do - java_location lazy { node.run_state['openjdk_path'] } - bin_cmds ['java', 'javac', 'keytool'] + java_location lazy { node.run_state['alfresco']['openjdk_path'] } + bin_cmds %w(java javac keytool) action :unset end From bae4ae9e378679785decde9b05a79585a8ca9d08 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Thu, 20 Apr 2017 21:14:13 +0100 Subject: [PATCH 12/23] cookstyle issue resolved --- recipes/tomcat.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 5ddaac3..7b87125 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb 
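Review bot: `node.run_state['alfresco']['openjdk_path'] = …` indexes into `node.run_state['alfresco']`, which is `nil` unless an earlier recipe seeds it (nothing in this hunk does), so the block raises `NoMethodError` on `[]=` for nil before the path is stored; `(node.run_state['alfresco'] ||= {})['openjdk_path'] = …` creates the namespace on first use, and the `lazy { … }` read below would then resolve. The commit message says cookstyle, but this nesting is a behavioural change that cookstyle does not ask for.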
@@ -39,26 +39,26 @@ include_recipe 'tomcat::default' # Find openjdk version -ruby_block 'Find openjdk version & jre path' do +ruby_block 'Find openjdk version' do block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) command = 'rpm -qa | grep openjdk | grep -v headless' command_out = shell_out(command) openjdk_version = command_out.stdout.chomp - node.run_state['alfresco']['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" + node.run_state['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" end action :run end # Unset openjdk alternatives for java and javac commands -java_alternatives 'un-set java alternatives for openjdk' do - java_location lazy { node.run_state['alfresco']['openjdk_path'] } +java_alternatives 'un-set java alternatives' do + java_location lazy { node.run_state['openjdk_path'] } bin_cmds %w(java javac keytool) action :unset end # Reset back to Oracle Java as Apache Tomcat installs OpenJDK via Yum -java_ark 're-set oracle jdk' do +java_ark 'jdk' do url node['java']['jdk']['8']['x86_64']['url'] default node['java']['set_default'] checksum node['java']['jdk']['8']['x86_64']['checksum'] From cb0cff8d8a04947a15eb106f12c53afaffaa0343 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 21 Apr 2017 12:36:29 +0100 Subject: [PATCH 13/23] Replace JCEKS with JKS and use cacert default --- recipes/db-ssl.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index cbf2cd0..38dce03 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb 
@@ -14,18 +14,20 @@ only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem") } end -truststore = node['alfresco']['truststore_file'] -truststore_pass = node['alfresco']['truststore_password'] -truststore_type = node['alfresco']['truststore_type'] +truststore = "#{node['java']['java_home']}/jre/lib/security/cacerts" +truststore_pass = 'changeit' ruby_block 'Import AWS RDS Certs' do block do Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| Mixlib::ShellOut.new( - %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ + %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -noprompt \ -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] ).run_command end end action :run end + +ssl_db_conf = " -Djavax.net.ssl.trustStore=#{truststore} -Djavax.net.ssl.trustStorePassword=#{truststore_pass}" +node.default['alfresco']['repo_tomcat_instance']['java_options']['others'] = "#{node['alfresco']['repo_tomcat_instance']['java_options']['others']} #{ssl_db_conf}" From 3f7c50d4c3db1054702b72032f7baa61eeda5545 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 21 Apr 2017 17:14:13 +0100 Subject: [PATCH 14/23] test with multiple truststores --- recipes/db-ssl.rb | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index 38dce03..f603891 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb 
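Review bot: The result of `Mixlib::ShellOut.new(...).run_command` is discarded, so a keytool failure — wrong store password, unreadable `cacerts`, or the 'alias already exists' error that the second converge produces because `action :run` repeats the import every time — leaves the truststore unchanged while the run reports success. Call `.error!` on the result and skip certificates whose alias is already present (`keytool -list -keystore … -alias …` exits 0 for those) so the import is both checked and idempotent; the same applies to the two keytool calls in the following 'test with multiple truststores' hunk. Importing into the JDK's own `#{node['java']['java_home']}/jre/lib/security/cacerts` also means a JDK reinstall or upgrade silently drops the RDS CAs, which is worth a comment next to the `truststore =` line. `truststore_pass = 'changeit'` is the JDK default rather than a secret, but once interpolated into `ssl_db_conf` it sits in the Tomcat command line, which is acceptable only as long as the store really is cacerts with its default password.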
@@ -14,20 +14,33 @@ only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem") } end -truststore = "#{node['java']['java_home']}/jre/lib/security/cacerts" -truststore_pass = 'changeit' +# Use JCEKS truststore in db.ssl_params of alfresco global properties +truststore = node['alfresco']['truststore_file'] +truststore_pass = node['alfresco']['truststore_password'] +truststore_type = node['alfresco']['truststore_type'] +# Use default java certstore with tomcat as Java options +certstore = "#{node['java']['java_home']}/jre/lib/security/cacerts" +certstore_pass = 'changeit' +certstore_type = 'JCK' + +# Import ca-bundle in both stores ruby_block 'Import AWS RDS Certs' do block do Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| - Mixlib::ShellOut.new( - %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -noprompt \ - -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command + trust_store = Mixlib::ShellOut.new( + %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ + -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] + ).run_command + + cacert_store = Mixlib::ShellOut.new( + %[ keytool -import -keystore #{certstore} -storepass #{certstore_pass} -storetype #{certstore_type} -noprompt \ + -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] + ).run_command end end action :run end -ssl_db_conf = " -Djavax.net.ssl.trustStore=#{truststore} -Djavax.net.ssl.trustStorePassword=#{truststore_pass}" +ssl_db_conf = " -Djavax.net.ssl.trustStore=#{certstore} -Djavax.net.ssl.trustStorePassword=#{certstore_pass} -Djavax.net.ssl.trustStoreType=#{certstore_type}" node.default['alfresco']['repo_tomcat_instance']['java_options']['others'] = 
"#{node['alfresco']['repo_tomcat_instance']['java_options']['others']} #{ssl_db_conf}" From 9f153bb12f85707f93e34a315284e28f67dc94aa Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 21 Apr 2017 22:32:24 +0100 Subject: [PATCH 15/23] fix cookstyle errors --- recipes/db-ssl.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index f603891..10a8943 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb @@ -28,15 +28,15 @@ ruby_block 'Import AWS RDS Certs' do block do Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| - trust_store = Mixlib::ShellOut.new( - %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ - -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command + Mixlib::ShellOut.new( + %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ + -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] + ).run_command - cacert_store = Mixlib::ShellOut.new( - %[ keytool -import -keystore #{certstore} -storepass #{certstore_pass} -storetype #{certstore_type} -noprompt \ - -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command + Mixlib::ShellOut.new( + %[ keytool -import -keystore #{certstore} -storepass #{certstore_pass} -storetype #{certstore_type} -noprompt \ + -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] + ).run_command end end action :run From c44f3d83991a876b177d36bfd504603b5bb73f55 Mon Sep 17 00:00:00 2001 
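Review bot: `certstore_type = 'JCK'` is not a keystore type the JDK provides (the standard names are JKS, JCEKS and PKCS12), so every `keytool -import … -storetype JCK` call fails with a 'JCK not found' error — silently, since the `run_command` results are still unchecked — and `-Djavax.net.ssl.trustStoreType=JCK` in `ssl_db_conf` will most likely keep Tomcat from opening its truststore at all; the comment above describes the default Java certstore, whose type is JKS, so `certstore_type = 'JKS'` is presumably what was meant. `trust_store` and `cacert_store` are assigned and never read, which is also the only thing the following cookstyle hunk changes. `certstore_pass = 'changeit'` ends up in Tomcat's command line via `ssl_db_conf`, which is only tolerable because it is the well-known JDK default.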
From: Abdul Mohammed Date: Mon, 24 Apr 2017 14:27:53 +0100 Subject: [PATCH 16/23] pass default java castore with java options --- recipes/db-ssl.rb | 51 +++++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index 10a8943..c7bd3ef 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb 
@@ -1,46 +1,45 @@ -remote_file "#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem" do - source 'http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem' +pem_file = 'rds-combined-ca-bundle.pem' + +remote_file "#{Chef::Config[:file_cache_path]}/#{pem_file}" do + source "http://s3.amazonaws.com/rds-downloads/#{pem_file}" owner 'root' group 'root' mode '0755' action :create_if_missing end -execute 'split_certs' do - command <<-EOF - cd #{Chef::Config[:file_cache_path]} - csplit -sz rds-combined-ca-bundle.pem '/-BEGIN CERTIFICATE-/' '{*}' - EOF - only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem") } -end - -# Use JCEKS truststore in db.ssl_params of alfresco global properties truststore = node['alfresco']['truststore_file'] truststore_pass = node['alfresco']['truststore_password'] truststore_type = node['alfresco']['truststore_type'] -# Use default java certstore with tomcat as Java options -certstore = "#{node['java']['java_home']}/jre/lib/security/cacerts" -certstore_pass = 'changeit' -certstore_type = 'JCK' +certstore = node['alfresco']['certstore']['path'] +certstore_pass = node['alfresco']['certstore']['pass'] -# Import ca-bundle in both stores ruby_block 'Import AWS RDS Certs' do block do + Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) + + split_crt = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'" + split_crt_out = shell_out(split_crt) + Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| - Mixlib::ShellOut.new( - %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ - -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command - - Mixlib::ShellOut.new( - %[ keytool -import -keystore #{certstore} -storepass #{certstore_pass} -storetype #{certstore_type} -noprompt \ - -alias \"$(openssl x509 
-noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command + + alias_cmd = "openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print'" + crt_alias = shell_out(alias_cmd).stdout.chomp.split.join + + f = Chef::Resource::JavaCertificate.new('java_certificate', run_context) + f.cert_alias = crt_alias + f.cert_file = cert + f.run_action :install + + # Java certificate library don't have option of storetype other than JKS hence passing this way + tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}" + tstore_out = shell_out(tstore_cmd) + end end action :run end -ssl_db_conf = " -Djavax.net.ssl.trustStore=#{certstore} -Djavax.net.ssl.trustStorePassword=#{certstore_pass} -Djavax.net.ssl.trustStoreType=#{certstore_type}" +ssl_db_conf = " -Djavax.net.ssl.keyStore=#{certstore} -Djavax.net.ssl.keyStorePassword=#{certstore_pass}" node.default['alfresco']['repo_tomcat_instance']['java_options']['others'] = "#{node['alfresco']['repo_tomcat_instance']['java_options']['others']} #{ssl_db_conf}" From c587ff9485cc896b3ce4f1056ba88db0b01162f8 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Mon, 24 Apr 2017 14:38:47 +0100 Subject: [PATCH 17/23] fix cookstyle errors --- recipes/db-ssl.rb | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index c7bd3ef..4e6fdfe 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb 
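Review bot: `source "http://s3.amazonaws.com/rds-downloads/#{pem_file}"` fetches a CA bundle over cleartext HTTP with no `checksum` property, and whatever comes back is imported into the JRE-wide cacerts and the Alfresco truststore; use `source "https://s3.amazonaws.com/rds-downloads/#{pem_file}"` and pin `checksum '<sha256-of-verified-bundle>'` (placeholder, to be recorded from a verified download). The new `ssl_db_conf` also switches property family: `javax.net.ssl.keyStore`/`keyStorePassword` configure the client's identity store, while validation of the RDS server certificate reads `javax.net.ssl.trustStore`/`trustStorePassword`, and what is being imported here are CA certificates; this presumably works only because `certstore` is the JRE's default trust store anyway, so `ssl_db_conf = " -Djavax.net.ssl.trustStore=#{certstore} -Djavax.net.ssl.trustStorePassword=#{certstore_pass}"` states the actual intent and keeps working if the attribute is pointed elsewhere. The `shell_out` results (`split_crt_out`, `tstore_out`) are assigned but never checked, so a failed csplit or keytool import is silent; `shell_out!` raises on non-zero exit.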
@@ -18,24 +18,18 @@ ruby_block 'Import AWS RDS Certs' do block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) - - split_crt = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'" - split_crt_out = shell_out(split_crt) - + csplit = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'" + split = shell_out(csplit) Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| - alias_cmd = "openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print'" crt_alias = shell_out(alias_cmd).stdout.chomp.split.join - f = Chef::Resource::JavaCertificate.new('java_certificate', run_context) f.cert_alias = crt_alias f.cert_file = cert f.run_action :install - # Java certificate library don't have option of storetype other than JKS hence passing this way tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}" - tstore_out = shell_out(tstore_cmd) - + tstore = shell_out(tstore_cmd) end end action :run From c1903f6229275dd4e10b35c0eb70bfd0bec387e8 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Mon, 24 Apr 2017 14:49:57 +0100 Subject: [PATCH 18/23] fix cookstyle errors --- recipes/db-ssl.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index 4e6fdfe..bac3a0e 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb @@ -19,7 +19,7 @@ block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) csplit = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'" - split = shell_out(csplit) + shell_out(csplit) Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| alias_cmd = "openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print'" crt_alias = shell_out(alias_cmd).stdout.chomp.split.join 
@@ -29,7 +29,7 @@ f.run_action :install # Java certificate library don't have option of storetype other than JKS hence passing this way tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}" - tstore = shell_out(tstore_cmd) + shell_out(tstore_cmd) end end action :run From 64105f74d665e0dc86416e984ecd22e51c8b845e Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Mon, 24 Apr 2017 14:59:40 +0100 Subject: [PATCH 19/23] added java castore attributes --- .kitchen.yml | 1 + attributes/default.rb | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/.kitchen.yml b/.kitchen.yml index 7a7a236..caa0ba7 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -29,6 +29,7 @@ suites: run_list: - recipe[alfresco::default] - recipe[alfresco::redeploy] + - recipe[alfresco::db-ssl] verifier: inspec_tests: - name: nginx-hardening diff --git a/attributes/default.rb b/attributes/default.rb index 7a2ab39..080fc0b 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -130,3 +130,7 @@ # Not needed on standard a installation, unless DB ssl or SOLR ssl is enabled default['artifacts']['keystore']['enabled'] = false + +# Java CA Certstore +default['alfresco']['certstore']['path'] = "#{node['java']['java_home']}/jre/lib/security/cacerts" +default['alfresco']['certstore']['pass'] = 'changeit' From 807869b3979c32bea2e35eb4a8f61e66b6f1a515 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Mon, 24 Apr 2017 15:38:20 +0100 Subject: [PATCH 20/23] removed accidentally added extra recipe in kitchen --- .kitchen.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.kitchen.yml b/.kitchen.yml index caa0ba7..7a7a236 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -29,7 +29,6 @@ suites: run_list: - recipe[alfresco::default] - recipe[alfresco::redeploy] - - recipe[alfresco::db-ssl] verifier: inspec_tests: - name: nginx-hardening 
From 1b87d6674228f0a37626997dddf7f29573af4405 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Tue, 25 Apr 2017 10:00:53 +0100 Subject: [PATCH 21/23] place alfresco cacert inside java attributes file for interpolation to work --- attributes/default.rb | 4 ---- attributes/java.rb | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/attributes/default.rb b/attributes/default.rb index 080fc0b..7a2ab39 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -130,7 +130,3 @@ # Not needed on standard a installation, unless DB ssl or SOLR ssl is enabled default['artifacts']['keystore']['enabled'] = false - -# Java CA Certstore -default['alfresco']['certstore']['path'] = "#{node['java']['java_home']}/jre/lib/security/cacerts" -default['alfresco']['certstore']['pass'] = 'changeit' diff --git a/attributes/java.rb b/attributes/java.rb index 97e19c1..3d3947e 100644 --- a/attributes/java.rb +++ b/attributes/java.rb @@ -5,3 +5,7 @@ default['java']['jdk']['8']['x86_64']['url'] = 'http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jdk-8u121-linux-x64.tar.gz' default['java']['jdk']['8']['x86_64']['checksum'] = '91972fb4e753f1b6674c2b952d974320' default['java']['oracle']['accept_oracle_download_terms'] = true + +# Java CA Certstore +default['alfresco']['certstore']['path'] = "#{node['java']['java_home']}/jre/lib/security/cacerts" +default['alfresco']['certstore']['pass'] = 'changeit' From af10175de6439dc18dc55399247ee4d4e9292756 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Tue, 25 Apr 2017 11:40:34 +0100 Subject: [PATCH 22/23] added integration tests and chef_omnibus versin to .kitchen.docker.yml file --- .kitchen.docker.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.kitchen.docker.yml b/.kitchen.docker.yml index 1a807c2..8dfa2e8 100644 --- a/.kitchen.docker.yml +++ b/.kitchen.docker.yml @@ -6,6 +6,7 @@ driver: provisioner: name: chef_zero + require_chef_omnibus: 12.19.36 verifier: 
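Review bot: `default['alfresco']['certstore']['pass'] = 'changeit'` in attributes/java.rb encodes the JRE-shipped default cacerts password without saying so, and the recipe uses the value both for the certificate import and inside the Tomcat JVM options, so anyone overriding this attribute must also change the password on the cacerts file itself; a comment such as `# Password of the JRE cacerts file; 'changeit' is the JRE-shipped default and must match the file` would prevent a silent mismatch. The `path` line interpolates `node['java']['java_home']` at attribute-load time, which per the commit message is why it moved into this file; recording that ordering dependency, e.g. `# Kept in java.rb so node['java']['java_home'] is already set when this line is evaluated`, would stop it being moved back to attributes/default.rb later.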
@@ -35,6 +36,7 @@ suites: inspec_tests: - name: nginx-hardening git: https://github.com/Alfresco/tests-nginx-hardening + - path: test/integration/community-edition/inspec data_bags_path: "test/integration/data_bags" attributes: { "name": "chef-alfresco-community", From 6f98b6aa53259084801c6cdc0aeece162ff7268e Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Tue, 25 Apr 2017 12:54:23 +0100 Subject: [PATCH 23/23] added keystore file & password options in java library options --- recipes/db-ssl.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index bac3a0e..387608b 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb @@ -26,6 +26,8 @@ f = Chef::Resource::JavaCertificate.new('java_certificate', run_context) f.cert_alias = crt_alias f.cert_file = cert + f.keystore_path = certstore + f.keystore_passwd = certstore_pass f.run_action :install # Java certificate library don't have option of storetype other than JKS hence passing this way tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}"
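Review bot: `f.keystore_path = certstore` makes the RDS CA certificates land in the JRE-wide cacerts file, which every Java process on that JRE will then trust, not only the Alfresco Tomcat instance, and nothing in the hunk records that this scope is intended. A comment before the assignment, e.g. `# Deliberately the JRE-wide cacerts: ssl_db_conf points the Tomcat JVM at this same file`, would make the choice explicit, and the existing comment on the keytool line could add that the separate truststore is the one referenced by Alfresco's db.ssl_params (as the comment removed in PATCH 16 stated). The `keystore_passwd` value is the same attribute that is interpolated into the JVM options elsewhere in the recipe, so the two stores' passwords are coupled by design; worth saying so in the comment. The enclosing `Dir.glob ... each` and `ruby_block` open and close outside this hunk.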