diff --git a/docker/templates/Dockerfile.erb b/docker/templates/Dockerfile.erb
index a95094bbe06..7f213b3d1a3 100644
--- a/docker/templates/Dockerfile.erb
+++ b/docker/templates/Dockerfile.erb
@@ -60,7 +60,7 @@ RUN \
 <%= package_manager %> install -y which shadow-utils && \
 <%= package_manager %> clean all
 <% else -%><%# 'wolfi', 'observability-sre' -%>
- <%= package_manager %> add --no-cache curl bash openssl
+ <%= package_manager %> add --no-cache java-cacerts curl bash openssl
 <% end -%>
 
 # Provide a non-root user to run the process
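Review bot: `java-cacerts` is prepended to an unsorted package list on the added line, and like its neighbours it is unpinned (hadolint DL3018); keep the list alphabetical so later additions diff cleanly, `<%= package_manager %> add --no-cache bash curl java-cacerts openssl`. A one-line comment stating why the package is needed would help the next reader, since the trust-store conversion that consumes `/etc/ssl/certs/java/cacerts` lives much further down the file (the hunk at line 112): `# java-cacerts: distro-managed CA bundle at /etc/ssl/certs/java/cacerts, converted to BCFKS below`. The `RUN` instruction this line belongs to starts outside the hunk.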
@@ -112,27 +112,18 @@ RUN mkdir -p /usr/share/logstash/config/security
 
 # Copy JVM security configuration files from the unpacked tarball
 RUN cp /usr/share/logstash/x-pack/distributions/internal/observabilitySRE/config/security/java.security /usr/share/logstash/config/security/ && \
- cp /usr/share/logstash/x-pack/distributions/internal/observabilitySRE/config/security/java.policy /usr/share/logstash/config/security/ && \
 chown --recursive logstash:root /usr/share/logstash/config/security/
 
 # list the classes provided by the fips BC
 RUN find /usr/share/logstash -name *.jar | grep lib
 
-# Convert JKS to BCFKS for truststore and keystore
-RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
- -srckeystore /usr/share/logstash/jdk/lib/security/cacerts \
- -destkeystore /usr/share/logstash/config/security/cacerts.bcfks \
- -srcstoretype jks \
- -deststoretype bcfks \
- -providerpath /usr/share/logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
- -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
- -deststorepass changeit \
- -srcstorepass changeit \
- -noprompt
+# Update certs installed from java-cacerts package
+RUN ln -sf /etc/ssl/certs/java/cacerts /usr/share/logstash/jdk/lib/security/cacerts
+# Convert JKS to BCFKS for truststore
 
 RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
 -srckeystore /usr/share/logstash/jdk/lib/security/cacerts \
- -destkeystore /usr/share/logstash/config/security/keystore.bcfks \
+ -destkeystore /usr/share/logstash/config/security/cacerts.bcfks \
 -srcstoretype jks \
 -deststoretype bcfks \
 -providerpath /usr/share/logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
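Review bot: The comment `# Update certs installed from java-cacerts package` does not describe what the `ln -sf` line does: it replaces the JDK's bundled `lib/security/cacerts` with a symlink to the distro-managed store so that the keytool conversion below reads the java-cacerts bundle instead of the JDK's own, and the comment should say so, e.g. `# Point the JDK trust store at the distro-managed CA bundle from java-cacerts so the BCFKS conversion below uses it`. The conversion still forces `-srcstoretype jks` and `-srcstorepass changeit` on a file that another package now produces; if that store is PKCS12 rather than JKS, or uses a different password, the import either fails or silently relies on the JDK's keystore compatibility fallback, so confirm the package's store format and password or drop `-srcstoretype jks` and let keytool detect it. The resulting `cacerts.bcfks` is a build-time snapshot: CA changes delivered through java-cacerts after the build do not reach it, so a base-image or package bump requires a rebuild, which is worth one sentence next to the `RUN`. `ln -sf` succeeds even when `/etc/ssl/certs/java/cacerts` is missing, so a failure would only surface at the keytool step; that is acceptable but worth knowing when reading build logs.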
@@ -144,11 +135,6 @@ RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
 # Set Java security properties through LS_JAVA_OPTS
 ENV LS_JAVA_OPTS="\
 -Djava.security.properties=/usr/share/logstash/config/security/java.security \
- -Djava.security.policy=/usr/share/logstash/config/security/java.policy \
- -Djavax.net.ssl.keyStore=/usr/share/logstash/config/security/keystore.bcfks \
- -Djavax.net.ssl.keyStoreType=BCFKS \
- -Djavax.net.ssl.keyStoreProvider=BCFIPS \
- -Djavax.net.ssl.keyStorePassword=changeit \
 -Djavax.net.ssl.trustStore=/usr/share/logstash/config/security/cacerts.bcfks \
 -Djavax.net.ssl.trustStoreType=BCFKS \
 -Djavax.net.ssl.trustStoreProvider=BCFIPS \
diff --git a/x-pack/distributions/internal/observabilitySRE/config/security/java.policy b/x-pack/distributions/internal/observabilitySRE/config/security/java.policy
deleted file mode 100644
index 12db7ab4019..00000000000
--- a/x-pack/distributions/internal/observabilitySRE/config/security/java.policy
+++ /dev/null
@@ -1,21 +0,0 @@
-grant {
- // Your existing permissions
- permission java.lang.PropertyPermission "java.runtime.name", "read";
- permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
- permission java.lang.RuntimePermission "getProtectionDomain";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
- permission org.bouncycastle.crypto.CryptoServicesPermission "exportKeys";
-
- // Add provider permissions
- permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
- permission java.security.SecurityPermission "insertProvider.BCFIPS";
- permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
- permission java.security.SecurityPermission "insertProvider.BCJSSE";
-};
-
-deny {
- permission java.security.SecurityPermission "putProviderProperty.BC";
- permission java.security.SecurityPermission "insertProvider.BC";
- permission java.security.SecurityPermission "removeProvider.BC";
-};
\ No newline at end of file
diff --git a/x-pack/distributions/internal/observabilitySRE/config/security/java.security b/x-pack/distributions/internal/observabilitySRE/config/security/java.security
index fbd4130a8c3..dc41c04ff60 100644
--- a/x-pack/distributions/internal/observabilitySRE/config/security/java.security
+++ b/x-pack/distributions/internal/observabilitySRE/config/security/java.security
@@ -1,21 +1,15 @@
 security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
 security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
 security.provider.3=SUN
-security.provider.11=-BC
+security.provider.4=-BC
 
-securerandom.source=file:/dev/random
+securerandom.source=file:/dev/urandom
 securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
 securerandom.drbg.config=
 
 login.configuration.provider=sun.security.provider.ConfigFile
 
-policy.provider=sun.security.provider.PolicyFile
-policy.url.1=file:/etc/java/security/java.policy
-policy.expandProperties=true
-policy.allowSystemProperty=true
-policy.ignoreIdentityScope=false
-
-keystore.type=bcfks
+keystore.type=BCFKS
 keystore.type.compat=true
 
 package.access=sun.misc.,\
diff --git a/x-pack/distributions/internal/observabilitySRE/docker/Dockerfile b/x-pack/distributions/internal/observabilitySRE/docker/Dockerfile
index 317ee95ee22..5ebd14631fc 100644
--- a/x-pack/distributions/internal/observabilitySRE/docker/Dockerfile
+++ b/x-pack/distributions/internal/observabilitySRE/docker/Dockerfile
@@ -6,15 +6,15 @@ FROM docker.elastic.co/wolfi/chainguard-base-fips:latest
 RUN addgroup -g 1002 logstash && \
 adduser -S -h /home/logstash -s /bin/bash -u 1002 -G logstash logstash
 
-# Install OpenJDK 21
+# Install
 RUN apk add --no-cache \
 openjdk-21 \
 bash \
 git \
 curl \
 make \
- # CODEREVIEW: I think make, gcc and glibc-dev are all in build-base package if we want that
 gcc \
+ java-cacerts \
 glibc-dev \
 openssl
 
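Review bot: The switch from `file:/dev/random` to `file:/dev/urandom` on the `securerandom.source` line changes where the default SecureRandom draws its seed and has no comment; the old value can stall startup on kernels where `/dev/random` still blocks, which is presumably the motivation, so record it, e.g. `# /dev/urandom is non-blocking; /dev/random stalled startup on low-entropy hosts`. The unchanged context line `securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN` means `SecureRandom.getInstanceStrong()` callers keep a blocking source, so if the goal is to avoid blocking everywhere that line needs the same review. The `keystore.type` case change and the provider renumbering need no explanation, but the `-BC` entry would benefit from a short comment saying what the leading minus is meant to achieve, since the file is now the only record of that intent after `java.policy` was deleted.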
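Review bot: The comment rewritten to the bare `# Install` says nothing, and the new `java-cacerts` line is the one addition a reader will wonder about; name what the block installs, e.g. `# Install the JDK, build toolchain and the distro CA bundle (java-cacerts)`. Unlike the template Dockerfile earlier in this commit, this file only installs `java-cacerts` and never links `$JAVA_HOME/lib/security/cacerts` to `/etc/ssl/certs/java/cacerts`, so whether the keytool conversion in the `@@ -45` hunk actually reads the distro bundle depends on the openjdk-21 package already pointing its cacerts there; confirm that, or add the same `ln -sf` step here for consistency. The added line is unpinned like its neighbours (hadolint DL3018). The `CODEREVIEW` question about `build-base` was dropped without an answer; if consolidating the toolchain was considered and rejected, a one-line comment would close it.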
@@ -24,9 +24,8 @@ RUN mkdir -p /etc/java/security && \
 chown -R logstash:logstash /home/logstash/.gradle && \
 chown -R logstash:logstash /etc/java/security
 
-# Copy JVM configuration files: TODO manage these consistently
+# Copy JVM configuration files:
 COPY --chown=logstash:logstash x-pack/distributions/internal/observabilitySRE/config/security/java.security /etc/java/security/
-COPY --chown=logstash:logstash x-pack/distributions/internal/observabilitySRE/config/security/java.policy /etc/java/security/
 
 # Create and set ownership of working directory
 WORKDIR /logstash
@@ -45,7 +44,7 @@ ENV PATH="${JAVA_HOME}/bin:${PATH}"
 # Initial build using JKS truststore
 RUN ./gradlew clean bootstrap assemble installDefaultGems -PfedrampHighMode=true
 
-# Convert JKS to BCFKS for truststore and keystore
+# Convert JKS to BCFKS for truststore
 RUN keytool -importkeystore \
 -srckeystore $JAVA_HOME/lib/security/cacerts \
 -destkeystore /etc/java/security/cacerts.bcfks \
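Review bot: The rewritten comment `# Copy JVM configuration files:` ends in a colon with nothing after it and reads like a truncated TODO; since only one file is copied now, say what it is, `# Copy the JVM security properties (java.security) that select the FIPS providers`. The `@@ -45` hunk in this file only changes a comment and needs no note.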
@@ -57,27 +56,12 @@ RUN keytool -importkeystore \
 -srcstorepass changeit \
 -noprompt
 
-RUN keytool -importkeystore \
- -srckeystore $JAVA_HOME/lib/security/cacerts \
- -destkeystore /etc/java/security/keystore.bcfks \
- -srcstoretype jks \
- -deststoretype bcfks \
- -providerpath /logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
- -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
- -deststorepass changeit \
- -srcstorepass changeit \
- -noprompt
-
 ENV JAVA_SECURITY_PROPERTIES=/etc/java/security/java.security
 ENV LS_JAVA_OPTS="\
 -Dio.netty.ssl.provider=JDK \
 # Enable debug logging for ensuring BCFIPS is being used if needed
 # -Djava.security.debug=ssl,provider,certpath \
 -Djava.security.properties=${JAVA_SECURITY_PROPERTIES} \
- -Djavax.net.ssl.keyStore=/etc/java/security/keystore.bcfks \
- -Djavax.net.ssl.keyStoreType=BCFKS \
- -Djavax.net.ssl.keyStoreProvider=BCFIPS \
- -Djavax.net.ssl.keyStorePassword=changeit \
 -Djavax.net.ssl.trustStore=/etc/java/security/cacerts.bcfks \
 -Djavax.net.ssl.trustStoreType=BCFKS \
 -Djavax.net.ssl.trustStoreProvider=BCFIPS \