Generate a self-signed certificate for SSL (#90)

Co-authored-by: Murtuza Boxwala <mboxwala@pivotal.io> Co-authored-by: Kamilla Aslami <kaslami@pivotal.io>
apache · Jul 22, 2019 · dd05f32e9dfbe31b5a0794d56c615fe0d1ed7437 · dd05f32
1 parent fcfb373
commit dd05f32e9dfbe31b5a0794d56c615fe0d1ed7437
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 23 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@ out
 .gradle
 build/
 output*/
+temp-self-signed.jks
diff --git a/README.md b/README.md
@@ -53,6 +53,7 @@ Options:
     -Phosts      : Hosts used by benchmarks on the order of client,locator,server,server (-Phosts=localhost,localhost,localhost,localhost)
     -PoutputDir  : Results output directory (-PoutputDir=/tmp/results)
     -PtestJVM    : Path to an alternative JVM for running the client, locator, and servers. If not specified JAVA_HOME will be used. Note all compilation tasks will still use JAVA_HOME.
+    -PwithSsl    : Flag to run geode with SSL. A self-signed certificate will be generated at runtime.
     --tests      : Specific benchmarks to run (--tests=PartitionedPutBenchmark)
     -d           : Debug
     -i           : Info

diff --git a/geode-benchmarks/src/main/java/org/apache/geode/benchmark/parameters/GeodeProperties.java b/geode-benchmarks/src/main/java/org/apache/geode/benchmark/parameters/GeodeProperties.java
@@ -28,10 +28,6 @@
 import static org.apache.geode.distributed.ConfigurationProperties.REMOVE_UNRESPONSIVE_CLIENT;
 import static org.apache.geode.distributed.ConfigurationProperties.SERIALIZABLE_OBJECT_FILTER;
 import static org.apache.geode.distributed.ConfigurationProperties.SSL_ENABLED_COMPONENTS;
-import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE;
-import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_PASSWORD;
-import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
-import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
 import static org.apache.geode.distributed.ConfigurationProperties.STATISTIC_SAMPLING_ENABLED;
 import static org.apache.geode.distributed.ConfigurationProperties.USE_CLUSTER_CONFIGURATION;
 import static org.apache.geode.security.SecurableCommunicationChannels.ALL;
@@ -81,12 +77,6 @@ public static Properties clientProperties() {
 
   public static Properties withSsl(Properties properties) {
     properties.setProperty(SSL_ENABLED_COMPONENTS, ALL);
-
-    properties.setProperty(SSL_KEYSTORE, "/home/geode/selfsigned.jks");
-    properties.setProperty(SSL_KEYSTORE_PASSWORD, "123456");
-    properties.setProperty(SSL_TRUSTSTORE, "/home/geode/selfsigned.jks");
-    properties.setProperty(SSL_TRUSTSTORE_PASSWORD, "123456");
-
     return properties;
   }
 }
diff --git a/harness/build.gradle b/harness/build.gradle
@@ -55,6 +55,12 @@ dependencies {
     testCompile(group: 'org.assertj', name: 'assertj-core', version: project.'assertj-core.version')
 }
 
+compileJava {
+    options.fork = true
+    options.forkOptions.executable = 'javac'
+    options.compilerArgs << '-XDignore.symbol.file'
+}
+
 test{
     useJUnitPlatform()
 }
diff --git a/harness/src/main/java/org/apache/geode/perftest/jvms/JVMLauncher.java b/harness/src/main/java/org/apache/geode/perftest/jvms/JVMLauncher.java
@@ -17,6 +17,11 @@
 
 package org.apache.geode.perftest.jvms;
 
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_KEYSTORE_PASSWORD;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE;
+import static org.apache.geode.distributed.ConfigurationProperties.SSL_TRUSTSTORE_PASSWORD;
+
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.ArrayList;
@@ -85,6 +90,15 @@ String[] buildCommand(String rmiHost, int rmiPort, JVMMapping jvmConfig) {
     command.add("-D" + RemoteJVMFactory.RMI_PORT_PROPERTY + "=" + rmiPort);
     command.add("-D" + RemoteJVMFactory.JVM_ID + "=" + jvmConfig.getId());
     command.add("-D" + RemoteJVMFactory.OUTPUT_DIR + "=" + jvmConfig.getOutputDir());
+
+    if (Boolean.getBoolean("withSsl")) {
+      command
+          .add("-Dgemfire." + SSL_KEYSTORE + "=" + jvmConfig.getLibDir() + "/temp-self-signed.jks");
+      command.add("-Dgemfire." + SSL_KEYSTORE_PASSWORD + "=123456");
+      command.add(
+          "-Dgemfire." + SSL_TRUSTSTORE + "=" + jvmConfig.getLibDir() + "/temp-self-signed.jks");
+      command.add("-Dgemfire." + SSL_TRUSTSTORE_PASSWORD + "=123456");
+    }
     command.add("-Xloggc:" + jvmConfig.getOutputDir() + "/gc.log");
     command.addAll(replaceTokens(jvmConfig.getJvmArgs(), jvmConfig));
     command.add(ChildJVM.class.getName());

diff --git a/harness/src/main/java/org/apache/geode/perftest/jvms/RemoteJVMFactory.java b/harness/src/main/java/org/apache/geode/perftest/jvms/RemoteJVMFactory.java
@@ -17,7 +17,22 @@
 
 package org.apache.geode.perftest.jvms;
 
+import static java.util.concurrent.TimeUnit.DAYS;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.SignatureException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
@@ -28,6 +43,8 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import sun.security.tools.keytool.CertAndKeyGen;
+import sun.security.x509.X500Name;
 
 import org.apache.geode.perftest.infrastructure.Infrastructure;
 import org.apache.geode.perftest.infrastructure.InfrastructureFactory;
@@ -98,6 +115,8 @@ public RemoteJVMs launch(Map<String, Integer> roles,
         controllerFactory.createController(new SharedContext(mapping), numWorkers);
 
     classPathCopier.copyToNodes(infra, node -> getLibDir(mapping, node));
+    File keyStore = createKeystore();
+    infra.copyToNodes(Arrays.asList(keyStore), node -> getLibDir(mapping, node), false);
 
     CompletableFuture<Void> processesExited = jvmLauncher.launchProcesses(infra, RMI_PORT, mapping);
 
@@ -108,14 +127,51 @@ public RemoteJVMs launch(Map<String, Integer> roles,
     return new RemoteJVMs(infra, mapping, controller, processesExited);
   }
 
-  private String getLibDir(List<JVMMapping> mapping, Infrastructure.Node node) {
+  private JVMMapping getJvmMapping(List<JVMMapping> mapping, Infrastructure.Node node) {
     return mapping.stream()
         .filter(entry -> entry.getNode().equals(node))
         .findFirst()
-        .orElseThrow(() -> new IllegalStateException("Could not find lib dir for node " + node))
+        .orElseThrow(() -> new IllegalStateException("Could not find node dir " + node));
+  }
+
+  private String getLibDir(List<JVMMapping> mapping, Infrastructure.Node node) {
+    return getJvmMapping(mapping, node)
         .getLibDir();
   }
 
+  private String getOutputDir(List<JVMMapping> mapping, Infrastructure.Node node) {
+    return getJvmMapping(mapping, node)
+        .getOutputDir();
+  }
+
+  private File createKeystore()
+      throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException,
+      NoSuchProviderException, InvalidKeyException, SignatureException {
+
+    CertAndKeyGen keyGen = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
+    keyGen.generate(1024);
+
+    char[] password = "123456".toCharArray();
+    PrivateKey privateKey = keyGen.getPrivateKey();
+
+    // Generate self signed certificate
+    X509Certificate[] chain = new X509Certificate[1];
+    chain[0] = keyGen.getSelfCertificate(new X500Name("CN=ROOT"), DAYS.toSeconds(365));
+
+    logger.info("Certificate : {}", chain[0]);
+
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    ks.load(null, null);
+    ks.setKeyEntry("default", privateKey, password, chain);
+
+    File jksFile = new File("temp-self-signed.jks");
+    FileOutputStream fos = new FileOutputStream(jksFile);
+    ks.store(fos, password);
+    fos.close();
+
+    return jksFile;
+  }
+
   public InfrastructureFactory getInfrastructureFactory() {
     return infrastructureFactory;
   }

diff --git a/infrastructure/scripts/aws/README.md b/infrastructure/scripts/aws/README.md
@@ -179,17 +179,6 @@ monitor the test.
 ```
 
 # Running with SSL enabled
-
-## Prerequisites
-* You must have fulfilled the prerequisites at the beginning of this doc
-* Generate a self-signed SSL certificate using the keytool command:
-  * `keytool -genkey -keyalg RSA -alias tomcat -keystore selfsigned.jks -validity 365 -keysize 2048`
-  * The keystore password must be `123456`
-* Copy the generated certificate to the AWS VMs using the following command:
-  * `./copy_to_cluster.sh -tag <clusterTag> -- <path to selfsigned.jks> /home/geode/selfsigned.jks`
-  * The destination path must be `/home/geode/selfsigned.jks`
-
-## Running in AWS
 To run benchmarks with SSL enabled, run the test using the `run_tests.sh` script, with the additional CLI option `-PwithSsl`:
 ```
 ./run_tests.sh --tag <clusterTag> [other CLI options] -- -PwithSsl