From ee3b1a6d086330ca6336cca00de1979991720883 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Thu, 6 Apr 2017 15:40:01 +0100 Subject: [PATCH 01/18] Fixed Java flavor to be only Oracle & enabled inspec tests --- .kitchen.yml | 1 + recipes/tomcat.rb | 19 +++++++++++++++++++ .../community-edition/inspec/java_spec.rb | 9 +++++++++ 3 files changed, 29 insertions(+) create mode 100644 test/integration/community-edition/inspec/java_spec.rb diff --git a/.kitchen.yml b/.kitchen.yml index 1afbffe..0e9c664 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -32,6 +32,7 @@ suites: inspec_tests: - name: nginx-hardening git: https://github.com/Alfresco/tests-nginx-hardening + - path: test/integration/community-edition/inspec data_bags_path: "test/integration/data_bags" attributes: { "name": "chef-alfresco-community", diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 77a6276..fd1d1d7 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb @@ -38,6 +38,25 @@ include_recipe 'tomcat::default' +# Reset back to Oracle Java as apache tomcat installs OpenJDK via Yum +java_ark 'jdk' do + url node['java']['jdk']['8']['x86_64']['url'] + default node['java']['set_default'] + checksum node['java']['jdk']['8']['x86_64']['checksum'] + app_home node['java']['java_home'] + bin_cmds node['java']['jdk']['8']['bin_cmds'] + alternatives_priority node['java']['alternatives_priority'] + retries node['java']['ark_retries'] + retry_delay node['java']['ark_retry_delay'] + connect_timeout node['java']['ark_timeout'] + use_alt_suffix node['java']['use_alt_suffix'] + reset_alternatives node['java']['reset_alternatives'] + download_timeout node['java']['ark_download_timeout'] + proxy node['java']['ark_proxy'] + action :install + notifies :write, 'log[jdk-version-changed]', :immediately +end + selinux_commands = {} selinux_commands['semanage permissive -a tomcat_t'] = 'semanage permissive -l | grep tomcat_t' 
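Review bot: The integrity of the JDK that `java_ark 'jdk'` installs rests entirely on `checksum node['java']['jdk']['8']['x86_64']['checksum']`, because the URL it is paired with in attributes/java.rb (visible later in this series) is plain `http://`. That attribute is a 32-hex-digit value, i.e. MD5 length; if the java_ark provider in the pinned cookbook version compares a SHA-256 digest the check can never match, so it is worth confirming which digest it enforces and switching the attribute URL to `https://download.oracle.com/...`. The resource also notifies `log[jdk-version-changed]`, which is not declared in this hunk; if it lives elsewhere in the recipe a one-line pointer such as `# log[jdk-version-changed] is declared below; fires only when java_ark actually replaces the JDK` would save the next reader a search.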
diff --git a/test/integration/community-edition/inspec/java_spec.rb b/test/integration/community-edition/inspec/java_spec.rb new file mode 100644 index 0000000..28da6ea --- /dev/null +++ b/test/integration/community-edition/inspec/java_spec.rb @@ -0,0 +1,9 @@ +control 'Java version' do + impact 1.0 + title 'Check for Oracle Java' + desc 'Determine if Java flavor is OracleJDK and not OpenJDK' + describe command("java -version 2>&1 >/dev/null | grep 'java' | awk '{print $1}'") do + its(:stdout) { should match(/java/) } + its(:stdout) { should_not match(/openjdk/) } + end +end From 19a93df440c2827701dbc0f9cc9e77d4af7b5100 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 7 Apr 2017 11:27:27 +0100 Subject: [PATCH 02/18] Bump chef-commons tag version to solve HA-Proxy variable not defined issue --- Berksfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Berksfile b/Berksfile index 0f2ff15..1aca85e 100644 --- a/Berksfile +++ b/Berksfile @@ -8,5 +8,5 @@ cookbook 'tomcat', git: 'https://github.com/maoo/tomcat.git', tag: 'v11.17.3' # Resolve transitive deps of artifact-deployer cookbook 'maven', git: 'https://github.com/maoo/maven.git', tag: 'v1.2.0-fork' cookbook 'file', git: 'https://github.com/jenssegers/chef-file.git', tag: 'v1.0.0' -cookbook 'commons', git: 'https://github.com/Alfresco/chef-commons.git', tag: 'v0.5.5' +cookbook 'commons', git: 'https://github.com/Alfresco/chef-commons.git', tag: 'v0.5.7' cookbook 'database', git: 'https://github.com/enzor/database.git' From 53983b5d96a9dae65939e0a4713ebd7503d9f4dc Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 7 Apr 2017 11:51:13 +0100 Subject: [PATCH 03/18] Fix typo of HA-Proxy variable not defined issue inside LWRP then bump separately commons version --- Berksfile | 2 +- resources/haproxy_config.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Berksfile b/Berksfile index 1aca85e..0f2ff15 100644 --- a/Berksfile +++ b/Berksfile 
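Review bot: The `should_not match(/openjdk/)` assertion in java_spec.rb is vacuous, because the command pipes `java -version` through `grep 'java'` and an OpenJDK build prints `openjdk version ...`, `OpenJDK Runtime Environment ...` and `OpenJDK 64-Bit Server VM ...`, none of which contain lowercase `java`, so the filtered stdout is empty and the negative match always passes. The control only works through the positive `should match(/java/)` assertion, which is a weak signal for "this is the Oracle build". Drop the filtering and assert on the vendor marker directly: `describe command('java -version 2>&1') do` / `its(:stdout) { should match(/Java\(TM\)/) }` / `its(:stdout) { should_not match(/openjdk/i) }`.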
@@ -8,5 +8,5 @@ cookbook 'tomcat', git: 'https://github.com/maoo/tomcat.git', tag: 'v11.17.3' # Resolve transitive deps of artifact-deployer cookbook 'maven', git: 'https://github.com/maoo/maven.git', tag: 'v1.2.0-fork' cookbook 'file', git: 'https://github.com/jenssegers/chef-file.git', tag: 'v1.0.0' -cookbook 'commons', git: 'https://github.com/Alfresco/chef-commons.git', tag: 'v0.5.7' +cookbook 'commons', git: 'https://github.com/Alfresco/chef-commons.git', tag: 'v0.5.5' cookbook 'database', git: 'https://github.com/enzor/database.git' diff --git a/resources/haproxy_config.rb b/resources/haproxy_config.rb index 1606d53..dfff0ff 100644 --- a/resources/haproxy_config.rb +++ b/resources/haproxy_config.rb @@ -77,7 +77,7 @@ ordered_role << role['az']['local'] if role['az']['local'] ordered_role << role['az'][current_az] if current_az && role['az'][current_az] role['az'].each do |az_name, az| - if 'local' != az_name && (current_az == nil? || current_az != azName) + if 'local' != az_name && (current_az == nil? || current_az != az_name) ordered_role << az if az end end From e884f2868fc90d6ebdac0ccf4b25788167baad6d Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Tue, 11 Apr 2017 10:57:41 +0100 Subject: [PATCH 04/18] HA-Proxy load balancing for backends & OpenJDK unset alternatives --- attributes/haproxy.rb | 8 ++++++-- recipes/tomcat.rb | 20 +++++++++++++++++++- resources/haproxy_config.rb | 8 +++++++- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/attributes/haproxy.rb b/attributes/haproxy.rb index 3e887ae..aa0732b 100644 --- a/attributes/haproxy.rb +++ b/attributes/haproxy.rb 
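Review bot: The corrected condition in haproxy_config.rb still contains `current_az == nil?`, which Ruby parses as `current_az == self.nil?`, i.e. a comparison against `false`, not a nil check. It only behaves correctly by accident because the second disjunct `current_az != az_name` is also true whenever `current_az` is nil. Write the intent explicitly: `if az_name != 'local' && (current_az.nil? || current_az != az_name)`. The enclosing method starts and ends outside this hunk.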
@@ -217,14 +217,18 @@ # HAproxy configuration default['haproxy']['frontends']['internal']['acls']['alfresco'] = ['path_beg /alfresco'] default['haproxy']['frontends']['external']['acls']['alfresco'] = ['path_beg /alfresco', 'path_reg ^/alfresco/aos/.*', 'path_reg ^/alfresco/aos$'] +default['haproxy']['frontends']['external']['acls']['aos_vti'] = ['path_reg ^/_vti_inf.html$', 'path_reg ^/_vti_bin/.*'] +default['haproxy']['frontends']['external']['acls']['aos_root'] = ['path_reg ^/$ method OPTIONS', 'path_reg ^/$ method PROPFIND'] + default['haproxy']['backends']['roles']['alfresco']['entries'] = ['option httpchk GET /alfresco', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post'] default['haproxy']['backends']['roles']['alfresco']['port'] = 8070 -default['haproxy']['frontends']['external']['acls']['aos_vti'] = ['path_reg ^/_vti_inf.html$', 'path_reg ^/_vti_bin/.*'] +default['haproxy']['backends']['roles']['aos']['entries'] = ['option httpchk GET /alfresco', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post'] +default['haproxy']['backends']['roles']['aos']['port'] = 8070 + default['haproxy']['backends']['roles']['aos_vti']['entries'] = ['option httpchk GET /_vti_inf.html', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post'] default['haproxy']['backends']['roles']['aos_vti']['port'] = 8070 -default['haproxy']['frontends']['external']['acls']['aos_root'] = ['path_reg ^/$ method OPTIONS', 'path_reg ^/$ method PROPFIND'] default['haproxy']['backends']['roles']['aos_root']['entries'] = ['option httpchk GET /'] default['haproxy']['backends']['roles']['aos_root']['port'] = 8070 diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index fd1d1d7..6c4c6f3 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb 
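Review bot: The `aos_root` ACL strings `path_reg ^/$ method OPTIONS` and `path_reg ^/$ method PROPFIND` look like two fetches squeezed into one ACL; if the commons haproxy template emits each string verbatim as `acl aos_root <string>`, HAProxy will read `method` and `OPTIONS` as additional `path_reg` patterns rather than as a method match, and the rule would fire for every request to `/`. I cannot see the template from this hunk, so this needs checking there; a separate `method OPTIONS` / `method PROPFIND` ACL combined with `path_reg ^/$` in the use_backend rule is the usual form. The new `aos` role also duplicates the `alfresco` role's `entries` and `port` verbatim, and nothing here explains what the `aos_*` frontends are for; a comment above the ACLs along the lines of `# AOS (Alfresco Office Services): Office clients probe / and /_vti_* before opening a document; route those probes to the repository` would help, with the protocol detail confirmed by whoever owns the AOS integration.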
@@ -38,7 +38,25 @@ include_recipe 'tomcat::default' -# Reset back to Oracle Java as apache tomcat installs OpenJDK via Yum +# Find openjdk version +ruby_block "Find openjdk version" do + block do + Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) + command = 'rpm -qa | grep openjdk | grep -v headless' + command_out = shell_out(command) + node.run_state['openjdk_version'] = command_out.stdout + end + action :create +end + +# Unset openjdk alternatives for java and javac commands +java_alternatives "un-set java alternatives" do + java_location "/usr/lib/jvm/#{node.run_state['openjdk_version']}" + bin_cmds ["java", "javac"] + action :unset +end + +# Reset back to Oracle Java as Apache Tomcat installs OpenJDK via Yum java_ark 'jdk' do url node['java']['jdk']['8']['x86_64']['url'] default node['java']['set_default'] diff --git a/resources/haproxy_config.rb b/resources/haproxy_config.rb index dfff0ff..323034d 100644 --- a/resources/haproxy_config.rb +++ b/resources/haproxy_config.rb @@ -58,6 +58,10 @@ end # Duplicate alfresco backend into aos_vti, root and alfresco_api + new_hash = (Marshal.load(Marshal.dump(haproxy_backends))) + + haproxy_backends['alfresco']['az'] = new_hash['share']['az'] + haproxy_backends['aos']['az'] = new_hash['share']['az'] haproxy_backends['aos_vti']['az'] = haproxy_backends['alfresco']['az'] # haproxy_backends['aos_root']['az'] = haproxy_backends['alfresco']['az'] @@ -100,7 +104,9 @@ if balanced options = "cookie #{instance['jvm_route']} check inter 5000" elsif index > 0 - options = 'check inter 5000 backup' + if instance['haproxy_backends'] == 'solr' + options = 'check inter 5000 backup' + end end instance['options'] = options end From 6bf2cfdfecce4ea431b6f9c252f10696445c32c2 Mon Sep 17 00:00:00 2001 
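Review bot: `java_location "/usr/lib/jvm/#{node.run_state['openjdk_version']}"` is interpolated at compile time, before the `ruby_block` has run, so `java_alternatives` is configured with `/usr/lib/jvm/` rather than the detected package path (a later patch in this series wraps it in `lazy {}`). The `shell_out(command)` result is also never checked: if `rpm` fails or no OpenJDK package is present, `stdout` is empty and the same bogus path is used silently. Store only a trimmed value and skip the unset when nothing matched: `node.run_state['openjdk_version'] = command_out.stdout.chomp` in the block, and `only_if { !node.run_state['openjdk_version'].to_s.empty? }` on the `java_alternatives` resource. The `java_ark` block this hunk re-titles continues past the end of the hunk.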
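Review bot: The comment `# Duplicate alfresco backend into aos_vti, root and alfresco_api` no longer describes the code under it, which now deep-copies the backends with `Marshal` and assigns `share`'s `az` map to `alfresco` and `aos` before fanning out to `aos_vti`. Replace it with something like `# Give alfresco and aos the same AZ layout as share (deep copy so later edits do not alias), then fan out to aos_vti`. The lookups `new_hash['share']['az']` and `haproxy_backends['aos']['az']` also assume both roles exist in the hash; `aos` is only introduced to the attributes in this same patch, so a wrapper cookbook that overrides `node['haproxy']['backends']['roles']` without it will hit `NoMethodError` on nil here. The enclosing method starts and ends outside this hunk.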
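Review bot: After this change a non-balanced instance with `index > 0` whose backend is not `solr` no longer assigns `options` at all, so `instance['options'] = options` stores whatever the variable held beforehand; if `options` is declared before the loop (the hunk does not show it) that could be the previous instance's value. Make the non-solr case explicit rather than relying on fall-through, e.g. `options = instance['haproxy_backends'] == 'solr' ? 'check inter 5000 backup' : options` if the intent is to keep the prior value, or reset `options` at the top of each iteration. A one-line comment saying why only solr instances get `backup` would also help, since the behaviour is now asymmetric across backends.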
From: Abdul Mohammed Date: Tue, 11 Apr 2017 11:34:02 +0100 Subject: [PATCH 05/18] Add kitchen provisioner chef_omnibus version < 13 to not have chef 13 on box and fix mysql2_chef_gem issue --- .kitchen.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.kitchen.yml b/.kitchen.yml index 0e9c664..7a7a236 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -9,6 +9,7 @@ driver: provisioner: name: chef_zero + require_chef_omnibus: 12.19.36 verifier: name: inspec From f33fd39862ef133de7e259bba66805359b378eb6 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Tue, 11 Apr 2017 12:11:46 +0100 Subject: [PATCH 06/18] Fixed cookstyle & rake test errors --- recipes/tomcat.rb | 6 +++--- resources/haproxy_config.rb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 6c4c6f3..5e415ce 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb @@ -39,7 +39,7 @@ include_recipe 'tomcat::default' # Find openjdk version -ruby_block "Find openjdk version" do +ruby_block 'Find openjdk version' do block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) command = 'rpm -qa | grep openjdk | grep -v headless' @@ -50,9 +50,9 @@ end # Unset openjdk alternatives for java and javac commands -java_alternatives "un-set java alternatives" do +java_alternatives 'un-set java alternatives' do java_location "/usr/lib/jvm/#{node.run_state['openjdk_version']}" - bin_cmds ["java", "javac"] + bin_cmds ['java', 'javac'] action :unset end diff --git a/resources/haproxy_config.rb b/resources/haproxy_config.rb index 323034d..0863165 100644 --- a/resources/haproxy_config.rb +++ b/resources/haproxy_config.rb @@ -58,7 +58,7 @@ end # Duplicate alfresco backend into aos_vti, root and alfresco_api - new_hash = (Marshal.load(Marshal.dump(haproxy_backends))) + new_hash = Marshal.load(Marshal.dump(haproxy_backends)) haproxy_backends['alfresco']['az'] = new_hash['share']['az'] haproxy_backends['aos']['az'] = new_hash['share']['az'] 
From 46804920f0cca8049734f10ebca6e169003a4d45 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Thu, 20 Apr 2017 17:39:09 +0100 Subject: [PATCH 07/18] Java flavor sorted --- recipes/tomcat.rb | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 5e415ce..00cdbf0 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb @@ -39,25 +39,26 @@ include_recipe 'tomcat::default' # Find openjdk version -ruby_block 'Find openjdk version' do +ruby_block 'Find openjdk version & jre path' do block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) command = 'rpm -qa | grep openjdk | grep -v headless' command_out = shell_out(command) - node.run_state['openjdk_version'] = command_out.stdout + openjdk_version = command_out.stdout.chomp + node.run_state['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" end - action :create + action :run end # Unset openjdk alternatives for java and javac commands -java_alternatives 'un-set java alternatives' do - java_location "/usr/lib/jvm/#{node.run_state['openjdk_version']}" - bin_cmds ['java', 'javac'] +java_alternatives 'un-set java alternatives for openjdk' do + java_location lazy { node.run_state['openjdk_path'] } + bin_cmds ['java', 'javac', 'keytool'] action :unset end # Reset back to Oracle Java as Apache Tomcat installs OpenJDK via Yum -java_ark 'jdk' do +java_ark 're-set oracle jdk' do url node['java']['jdk']['8']['x86_64']['url'] default node['java']['set_default'] checksum node['java']['jdk']['8']['x86_64']['checksum'] From 5a1b30a2c9c686e665d364957cc529a008cf464b Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Thu, 20 Apr 2017 20:55:26 +0100 Subject: [PATCH 08/18] cookstyle issue resolved --- recipes/tomcat.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 00cdbf0..5ddaac3 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb 
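Review bot: `command_out.stdout.chomp` assumes `rpm -qa | grep openjdk | grep -v headless` prints exactly one package, but a host with the `-devel` package installed alongside the runtime prints two lines, and the embedded newline then ends up inside `openjdk_path`. Take a single line and skip the unset when nothing matched: `openjdk_version = command_out.stdout.lines.map(&:chomp).reject(&:empty?).first` / `node.run_state['openjdk_path'] = openjdk_version && "/usr/lib/jvm/#{openjdk_version}/jre"`, with `only_if { node.run_state['openjdk_path'] }` on `java_alternatives`. The code also relies on the rpm package name matching the directory name under `/usr/lib/jvm`, which depends on the distro's packaging and deserves a comment. The `java_ark` resource this hunk renames continues past the end of the hunk.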
@@ -45,15 +45,15 @@ command = 'rpm -qa | grep openjdk | grep -v headless' command_out = shell_out(command) openjdk_version = command_out.stdout.chomp - node.run_state['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" + node.run_state['alfresco']['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" end action :run end # Unset openjdk alternatives for java and javac commands java_alternatives 'un-set java alternatives for openjdk' do - java_location lazy { node.run_state['openjdk_path'] } - bin_cmds ['java', 'javac', 'keytool'] + java_location lazy { node.run_state['alfresco']['openjdk_path'] } + bin_cmds %w(java javac keytool) action :unset end From bae4ae9e378679785decde9b05a79585a8ca9d08 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Thu, 20 Apr 2017 21:14:13 +0100 Subject: [PATCH 09/18] cookstyle issue resolved --- recipes/tomcat.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/recipes/tomcat.rb b/recipes/tomcat.rb index 5ddaac3..7b87125 100644 --- a/recipes/tomcat.rb +++ b/recipes/tomcat.rb 
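Review bot: `node.run_state['alfresco']['openjdk_path'] = ...` raises `NoMethodError` on nil, because `run_state` is a plain Hash and no `'alfresco'` sub-hash is ever created before this assignment; the following patch in this series reverts to the flat key. If the nested layout is wanted, initialise it first: `(node.run_state['alfresco'] ||= {})['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre"`.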
@@ -39,26 +39,26 @@ include_recipe 'tomcat::default' # Find openjdk version -ruby_block 'Find openjdk version & jre path' do +ruby_block 'Find openjdk version' do block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) command = 'rpm -qa | grep openjdk | grep -v headless' command_out = shell_out(command) openjdk_version = command_out.stdout.chomp - node.run_state['alfresco']['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" + node.run_state['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre" end action :run end # Unset openjdk alternatives for java and javac commands -java_alternatives 'un-set java alternatives for openjdk' do - java_location lazy { node.run_state['alfresco']['openjdk_path'] } +java_alternatives 'un-set java alternatives' do + java_location lazy { node.run_state['openjdk_path'] } bin_cmds %w(java javac keytool) action :unset end # Reset back to Oracle Java as Apache Tomcat installs OpenJDK via Yum -java_ark 're-set oracle jdk' do +java_ark 'jdk' do url node['java']['jdk']['8']['x86_64']['url'] default node['java']['set_default'] checksum node['java']['jdk']['8']['x86_64']['checksum'] From cb0cff8d8a04947a15eb106f12c53afaffaa0343 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 21 Apr 2017 12:36:29 +0100 Subject: [PATCH 10/18] Replace JCEKS with JKS and use cacert default --- recipes/db-ssl.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index cbf2cd0..38dce03 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb 
@@ -14,18 +14,20 @@ only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem") } end -truststore = node['alfresco']['truststore_file'] -truststore_pass = node['alfresco']['truststore_password'] -truststore_type = node['alfresco']['truststore_type'] +truststore = "#{node['java']['java_home']}/jre/lib/security/cacerts" +truststore_pass = 'changeit' ruby_block 'Import AWS RDS Certs' do block do Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| Mixlib::ShellOut.new( - %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ + %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -noprompt \ -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] ).run_command end end action :run end + +ssl_db_conf = " -Djavax.net.ssl.trustStore=#{truststore} -Djavax.net.ssl.trustStorePassword=#{truststore_pass}" +node.default['alfresco']['repo_tomcat_instance']['java_options']['others'] = "#{node['alfresco']['repo_tomcat_instance']['java_options']['others']} #{ssl_db_conf}" From 3f7c50d4c3db1054702b72032f7baa61eeda5545 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 21 Apr 2017 17:14:13 +0100 Subject: [PATCH 11/18] test with multiple truststores --- recipes/db-ssl.rb | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index 38dce03..f603891 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb 
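Review bot: The hard-coded `truststore_pass = 'changeit'` is placed both on the `keytool -import ... -storepass changeit` command line and, via `ssl_db_conf`, in the Tomcat JVM options as `-Djavax.net.ssl.trustStorePassword=changeit`, so the store password is visible to any local user through `ps`; keytool accepts `-storepass:env VAR` or `-storepass:file PATH` to keep it off argv. This also repoints `javax.net.ssl.trustStore` at the JDK-wide `cacerts`, so the imported RDS CAs now apply to every TLS client in the repository JVM rather than the DB connection alone, which the previous attribute-driven `node['alfresco']['truststore_file']` kept scoped; if that widening is intended, say so in a comment. The `.run_command` result is still discarded, so a failed import leaves the DB connection without its trust anchor and nothing in the Chef log; check the exit status (and tolerate or pre-check "alias already exists" with `keytool -list -alias` so re-converges stay idempotent).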
@@ -14,20 +14,33 @@ only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem") } end -truststore = "#{node['java']['java_home']}/jre/lib/security/cacerts" -truststore_pass = 'changeit' +# Use JCEKS truststore in db.ssl_params of alfresco global properties +truststore = node['alfresco']['truststore_file'] +truststore_pass = node['alfresco']['truststore_password'] +truststore_type = node['alfresco']['truststore_type'] +# Use default java certstore with tomcat as Java options +certstore = "#{node['java']['java_home']}/jre/lib/security/cacerts" +certstore_pass = 'changeit' +certstore_type = 'JCK' + +# Import ca-bundle in both stores ruby_block 'Import AWS RDS Certs' do block do Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| - Mixlib::ShellOut.new( - %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -noprompt \ - -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command + trust_store = Mixlib::ShellOut.new( + %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ + -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] + ).run_command + + cacert_store = Mixlib::ShellOut.new( + %[ keytool -import -keystore #{certstore} -storepass #{certstore_pass} -storetype #{certstore_type} -noprompt \ + -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] + ).run_command end end action :run end -ssl_db_conf = " -Djavax.net.ssl.trustStore=#{truststore} -Djavax.net.ssl.trustStorePassword=#{truststore_pass}" +ssl_db_conf = " -Djavax.net.ssl.trustStore=#{certstore} -Djavax.net.ssl.trustStorePassword=#{certstore_pass} -Djavax.net.ssl.trustStoreType=#{certstore_type}" node.default['alfresco']['repo_tomcat_instance']['java_options']['others'] = 
"#{node['alfresco']['repo_tomcat_instance']['java_options']['others']} #{ssl_db_conf}" From 9f153bb12f85707f93e34a315284e28f67dc94aa Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Fri, 21 Apr 2017 22:32:24 +0100 Subject: [PATCH 12/18] fix cookstyle errors --- recipes/db-ssl.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index f603891..10a8943 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb @@ -28,15 +28,15 @@ ruby_block 'Import AWS RDS Certs' do block do Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| - trust_store = Mixlib::ShellOut.new( - %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ - -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command + Mixlib::ShellOut.new( + %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ + -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] + ).run_command - cacert_store = Mixlib::ShellOut.new( - %[ keytool -import -keystore #{certstore} -storepass #{certstore_pass} -storetype #{certstore_type} -noprompt \ - -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command + Mixlib::ShellOut.new( + %[ keytool -import -keystore #{certstore} -storepass #{certstore_pass} -storetype #{certstore_type} -noprompt \ + -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] + ).run_command end end action :run From c44f3d83991a876b177d36bfd504603b5bb73f55 Mon Sep 17 00:00:00 2001 
From: Abdul Mohammed Date: Mon, 24 Apr 2017 14:27:53 +0100 Subject: [PATCH 13/18] pass default java castore with java options --- recipes/db-ssl.rb | 51 +++++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index 10a8943..c7bd3ef 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb 
@@ -1,46 +1,45 @@ -remote_file "#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem" do - source 'http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem' +pem_file = 'rds-combined-ca-bundle.pem' + +remote_file "#{Chef::Config[:file_cache_path]}/#{pem_file}" do + source "http://s3.amazonaws.com/rds-downloads/#{pem_file}" owner 'root' group 'root' mode '0755' action :create_if_missing end -execute 'split_certs' do - command <<-EOF - cd #{Chef::Config[:file_cache_path]} - csplit -sz rds-combined-ca-bundle.pem '/-BEGIN CERTIFICATE-/' '{*}' - EOF - only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem") } -end - -# Use JCEKS truststore in db.ssl_params of alfresco global properties truststore = node['alfresco']['truststore_file'] truststore_pass = node['alfresco']['truststore_password'] truststore_type = node['alfresco']['truststore_type'] -# Use default java certstore with tomcat as Java options -certstore = "#{node['java']['java_home']}/jre/lib/security/cacerts" -certstore_pass = 'changeit' -certstore_type = 'JCK' +certstore = node['alfresco']['certstore']['path'] +certstore_pass = node['alfresco']['certstore']['pass'] -# Import ca-bundle in both stores ruby_block 'Import AWS RDS Certs' do block do + Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) + + split_crt = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'" + split_crt_out = shell_out(split_crt) + Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| - Mixlib::ShellOut.new( - %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \ - -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command - - Mixlib::ShellOut.new( - %[ keytool -import -keystore #{certstore} -storepass #{certstore_pass} -storetype #{certstore_type} -noprompt \ - -alias \"$(openssl x509 
-noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ] - ).run_command + + alias_cmd = "openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print'" + crt_alias = shell_out(alias_cmd).stdout.chomp.split.join + + f = Chef::Resource::JavaCertificate.new('java_certificate', run_context) + f.cert_alias = crt_alias + f.cert_file = cert + f.run_action :install + + # Java certificate library don't have option of storetype other than JKS hence passing this way + tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}" + tstore_out = shell_out(tstore_cmd) + end end action :run end -ssl_db_conf = " -Djavax.net.ssl.trustStore=#{certstore} -Djavax.net.ssl.trustStorePassword=#{certstore_pass} -Djavax.net.ssl.trustStoreType=#{certstore_type}" +ssl_db_conf = " -Djavax.net.ssl.keyStore=#{certstore} -Djavax.net.ssl.keyStorePassword=#{certstore_pass}" node.default['alfresco']['repo_tomcat_instance']['java_options']['others'] = "#{node['alfresco']['repo_tomcat_instance']['java_options']['others']} #{ssl_db_conf}" From c587ff9485cc896b3ce4f1056ba88db0b01162f8 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Mon, 24 Apr 2017 14:38:47 +0100 Subject: [PATCH 14/18] fix cookstyle errors --- recipes/db-ssl.rb | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index c7bd3ef..4e6fdfe 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb 
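Review bot: The new `ssl_db_conf` sets `-Djavax.net.ssl.keyStore=#{certstore}` and `keyStorePassword`, but the keyStore is the JVM's client-identity store and has no effect on server-certificate validation; the RDS CAs are now imported into the JDK `cacerts` by `java_certificate`, which is already the default trust store, so either drop `ssl_db_conf` entirely or revert to `-Djavax.net.ssl.trustStore=#{certstore}`. The CA bundle that becomes the DB trust anchor is still fetched with `source "http://s3.amazonaws.com/rds-downloads/#{pem_file}"` and no `checksum`, so an on-path attacker can substitute their own CA; use `source "https://s3.amazonaws.com/rds-downloads/#{pem_file}"` and pin a `checksum` of the published bundle, and `mode '0644'` rather than `'0755'` for a PEM file. `shell_out(csplit)` and `shell_out(tstore_cmd)` results are discarded, so a failed split or import is invisible, and `truststore_pass` from node attributes is interpolated unquoted into a shell string; passing `shell_out` an argument array avoids both the quoting problem and the password appearing in an intermediate shell.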
@@ -18,24 +18,18 @@ ruby_block 'Import AWS RDS Certs' do block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) - - split_crt = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'" - split_crt_out = shell_out(split_crt) - + csplit = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'" + split = shell_out(csplit) Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| - alias_cmd = "openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print'" crt_alias = shell_out(alias_cmd).stdout.chomp.split.join - f = Chef::Resource::JavaCertificate.new('java_certificate', run_context) f.cert_alias = crt_alias f.cert_file = cert f.run_action :install - # Java certificate library don't have option of storetype other than JKS hence passing this way tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}" - tstore_out = shell_out(tstore_cmd) - + tstore = shell_out(tstore_cmd) end end action :run From c1903f6229275dd4e10b35c0eb70bfd0bec387e8 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Mon, 24 Apr 2017 14:49:57 +0100 Subject: [PATCH 15/18] fix cookstyle errors --- recipes/db-ssl.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes/db-ssl.rb b/recipes/db-ssl.rb index 4e6fdfe..bac3a0e 100644 --- a/recipes/db-ssl.rb +++ b/recipes/db-ssl.rb @@ -19,7 +19,7 @@ block do Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) csplit = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'" - split = shell_out(csplit) + shell_out(csplit) Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert| alias_cmd = "openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print'" crt_alias = shell_out(alias_cmd).stdout.chomp.split.join 
@@ -29,7 +29,7 @@ f.run_action :install # Java certificate library don't have option of storetype other than JKS hence passing this way tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}" - tstore = shell_out(tstore_cmd) + shell_out(tstore_cmd) end end action :run From 64105f74d665e0dc86416e984ecd22e51c8b845e Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Mon, 24 Apr 2017 14:59:40 +0100 Subject: [PATCH 16/18] added java castore attributes --- .kitchen.yml | 1 + attributes/default.rb | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/.kitchen.yml b/.kitchen.yml index 7a7a236..caa0ba7 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -29,6 +29,7 @@ suites: run_list: - recipe[alfresco::default] - recipe[alfresco::redeploy] + - recipe[alfresco::db-ssl] verifier: inspec_tests: - name: nginx-hardening diff --git a/attributes/default.rb b/attributes/default.rb index 7a2ab39..080fc0b 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -130,3 +130,7 @@ # Not needed on standard a installation, unless DB ssl or SOLR ssl is enabled default['artifacts']['keystore']['enabled'] = false + +# Java CA Certstore +default['alfresco']['certstore']['path'] = "#{node['java']['java_home']}/jre/lib/security/cacerts" +default['alfresco']['certstore']['pass'] = 'changeit' From 807869b3979c32bea2e35eb4a8f61e66b6f1a515 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Mon, 24 Apr 2017 15:38:20 +0100 Subject: [PATCH 17/18] removed accidentally added extra recipe in kitchen --- .kitchen.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.kitchen.yml b/.kitchen.yml index caa0ba7..7a7a236 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -29,7 +29,6 @@ suites: run_list: - recipe[alfresco::default] - recipe[alfresco::redeploy] - - recipe[alfresco::db-ssl] verifier: inspec_tests: - name: nginx-hardening 
From 1b87d6674228f0a37626997dddf7f29573af4405 Mon Sep 17 00:00:00 2001 From: Abdul Mohammed Date: Tue, 25 Apr 2017 10:00:53 +0100 Subject: [PATCH 18/18] place alfresco cacert inside java attributes file for interpolation to work --- attributes/default.rb | 4 ---- attributes/java.rb | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/attributes/default.rb b/attributes/default.rb index 080fc0b..7a2ab39 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -130,7 +130,3 @@ # Not needed on standard a installation, unless DB ssl or SOLR ssl is enabled default['artifacts']['keystore']['enabled'] = false - -# Java CA Certstore -default['alfresco']['certstore']['path'] = "#{node['java']['java_home']}/jre/lib/security/cacerts" -default['alfresco']['certstore']['pass'] = 'changeit' diff --git a/attributes/java.rb b/attributes/java.rb index 97e19c1..3d3947e 100644 --- a/attributes/java.rb +++ b/attributes/java.rb @@ -5,3 +5,7 @@ default['java']['jdk']['8']['x86_64']['url'] = 'http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jdk-8u121-linux-x64.tar.gz' default['java']['jdk']['8']['x86_64']['checksum'] = '91972fb4e753f1b6674c2b952d974320' default['java']['oracle']['accept_oracle_download_terms'] = true + +# Java CA Certstore +default['alfresco']['certstore']['path'] = "#{node['java']['java_home']}/jre/lib/security/cacerts" +default['alfresco']['certstore']['pass'] = 'changeit'
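Review bot: `default['alfresco']['certstore']['pass'] = 'changeit'` is the password the JDK ships for `cacerts`, but nothing in the file says so or that recipes/db-ssl.rb feeds it to keytool and into the Tomcat JVM options, so a site that has re-keyed its `cacerts` will get silent import failures. A comment would help: `# JDK default cacerts password; override if the site has changed it (used by db-ssl.rb for keytool and javax.net.ssl.* options)`. The reason for placing an `alfresco` attribute in attributes/java.rb is only in the commit message; add `# Defined here rather than default.rb so node['java']['java_home'] is already set when interpolated` above the block.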