[WFLY-18475] helloworld-mutual-ssl-secured Quickstart Common Enhancements CY2023Q3 #729
Conversation
|
Hi @PrarthonaPaul. Thanks for your PR. I'm waiting for a wildfly member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
5 times, most recently
from
c2ef03a
to
c5399b6
Compare
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
5 times, most recently
from
f21448f
to
abb9e1a
Compare
| @@ -0,0 +1,19 @@ | |||
| #configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. | |||
| /subsystem=elytron/key-store=mutualKS:add(path=clientCert.P12, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) | |||
There was a problem hiding this comment.
Maybe we should call it clientKS (just to make it more obvious that this is used for the client cert)
There was a problem hiding this comment.
The path could be client.keystore or something like that
There was a problem hiding this comment.
Thats true, I will change it to clientKS.
WRT the path, I named it clientCert.p12 to make it consistent with the naming from the README file. In case someone wanted to use the cli script while going through the QS interactively. But I can change it too. Feel free to let me know what you think.
There was a problem hiding this comment.
Just checked the README. Looks like we are using "client.keystore" for the path there (see keytool -genkey -keystore client.keystore ...)
| /subsystem=elytron/key-store=mutualKS:export-certificate(alias=example, path=clientCert.crt, relative-to=jboss.server.config.dir, pem=true) | ||
|
|
||
| #Create a truststore in the elytron subsystem. | ||
| /subsystem=elytron/key-store=mutualTS:add(path=client.keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) |
There was a problem hiding this comment.
Maybe we should call this serverTS (just to make it more obvious that this is used for the server's trust store)
The path could be server.truststore or something like that
There was a problem hiding this comment.
Same as above, I only named it client.keystore to keep it consistent with the README naming
There was a problem hiding this comment.
Just checked the README, you're right, we were using client.truststore before but I think server.truststore is a better name that reflects the purpose of this file.
For the resource name, we're actually using qsTrustStore in the README so we can either update that to serverTS or just use qsTrustStore here to be consistent.
| /subsystem=elytron/key-store=mutualTS:add(path=client.keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) | ||
|
|
||
| # Import a certificate into a truststore | ||
| /subsystem=elytron/key-store=mutualTS:import-certificate(alias=example, path=clientCert.crt, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, trust-cacerts=true, validate=false) |
There was a problem hiding this comment.
Do we need trust-cacerts to be specified or can we just use the default?
There was a problem hiding this comment.
it seemed okay without it. I will update the script to remove it.
Thanks for pointing out
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
2 times, most recently
from
100814d
to
f917738
Compare
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
from
f917738
to
3b50b5f
Compare
.github/workflows/quickstart_helloworld-mutual-ssl-secured_ci.yml
Outdated
Show resolved
Hide resolved
shared-doc/build-and-run-the-quickstart-with-provisioned-server.adoc
Outdated
Show resolved
Hide resolved
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
2 times, most recently
from
660802c
to
d3b2a32
Compare
...rld-mutual-ssl-secured/src/test/java/org/jboss/as/quickstarts/helloworld/BasicRuntimeIT.java
Outdated
Show resolved
Hide resolved
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
2 times, most recently
from
b69786d
to
1d59e40
Compare
| /subsystem=elytron/key-manager=applicationKM:write-attribute(name=key-store, value=applicationKS) | ||
|
|
||
| #add the key-manager to the ssl-context for the server | ||
| /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=key-manager, value=applicationKM) |
There was a problem hiding this comment.
Same here, why is this needed?
| @@ -0,0 +1,8 @@ | |||
| #remove the keypairs and certificates from the keystore and truststore | |||
| /subsystem=elytron/key-store=serverTS:remove-alias(alias=example) | |||
| /subsystem=elytron/key-store=clientKS:remove-alias(alias=example) | |||
There was a problem hiding this comment.
I think the alias needs to be updated based on the values used in the cli scripts above.
There was a problem hiding this comment.
fixed!
Thanks @fjuma
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
from
a0d4b94
to
1aedb66
Compare
|
I guess this one in under development and not ready to review? |
A few small things, and should be good afterwards. |
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
3 times, most recently
from
975c28d
to
d8bfc54
Compare
| @@ -0,0 +1,19 @@ | |||
| # Configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. | |||
There was a problem hiding this comment.
Configure the client's keystore. This will be used to generate the client's certificate. The path to the keystore file doesn’t actually have to exist yet
| @@ -0,0 +1,19 @@ | |||
| # Configure a key-store in the Elytron subsystem. The path to the keystore file doesn’t actually have to exist yet. | |||
There was a problem hiding this comment.
Just minor, but configure-client-certs.cli could be renamed to just configure-client-cert.cli.
| # Generate a new key pair for the client. We'll use an RSA key of size 2048 and we'll use CN=quickstartUser | ||
| /subsystem=elytron/key-store=clientKS:generate-key-pair(alias=quickstartUser, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=secret}, distinguished-name="cn=quickstartUser") | ||
|
|
||
| # Export the certificate to a file called clientCert.crt |
There was a problem hiding this comment.
s/the certificate/the client's certificate
| # Export the certificate to a file called clientCert.crt | ||
| /subsystem=elytron/key-store=clientKS:export-certificate(alias=quickstartUser, path=clientCert.crt, relative-to=jboss.server.config.dir, pem=true) | ||
|
|
||
| # Create a the server's truststore |
| # Create a the server's truststore | ||
| /subsystem=elytron/key-store=serverTS:add(path=server.truststore, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=PKCS12) | ||
|
|
||
| # Import a certificate into the server's truststore |
There was a problem hiding this comment.
s/a certificate/the client's certificate
| @@ -29,10 +29,13 @@ batch | |||
| # Add an application-security-domain in the undertow subsystem to map the client_cert_domain from the quickstart app to the http-authentication-factory | |||
| /subsystem=undertow/application-security-domain=client_cert_domain:add(http-authentication-factory=quickstart-http-authentication) | |||
|
|
|||
| #generate the key pair that the server would use for its keystore | |||
There was a problem hiding this comment.
Generate the server's certificate
| @@ -44,8 +44,12 @@ | |||
| </licenses> | |||
|
|
|||
| <properties> | |||
| <!-- The versions for BOMs, Dependencies and Plugins --> | |||
| <version.server.bom>30.0.0.Final</version.server.bom> | |||
| <!-- Version for the server --> | |||
There was a problem hiding this comment.
I think <!-- Version for the server --> isn't aligned with the rest.
| * @author <a href="mailto:prpaul@redhat.com">Prarthona Paul</a> | ||
| */ | ||
|
|
||
| public class keystoreUtil { |
There was a problem hiding this comment.
The k should be uppercase, KeystoreUtil.
|
|
||
| public class keystoreUtil { | ||
|
|
||
| public static KeyStore loadKeyPairFromKeyStore(String serverDir, String keyStoreFile, String storePassword, String keyAlias, String keyStoreType) throws KeyStoreException { |
There was a problem hiding this comment.
Since this method creates a truststore and adds a cert entry to it, maybe it could be called createTrustStore
There was a problem hiding this comment.
fixed!
Thanks @fjuma !
@emmartins This should be good to review once we resolve this comment: #729 (comment)
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
3 times, most recently
from
b717e2a
to
efca5dd
Compare
|
WFLY 31.0.0.Beta1 has been released, please rebase this PR with upstream/main branch, and update:
|
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
from
9ec6834
to
9fa90c5
Compare
|
Hi @emmartins |
… use a CLI script instead of keytool
PrarthonaPaul
force-pushed
the
helloworld-mutual-ssl-secured-enhancement
branch
from
9fa90c5
to
33d732a
Compare
|
Hi @PrarthonaPaul, this PR required some changes to bring it up in sync with current main branch, plus a few minor enhancements similar to #885 , so I made a replacement PR for this at #886 , please have a look |
|
Superseded by #886 |
Jira Issue: https://issues.redhat.com/browse/WFLY-18475
Notes:
-Djboss.server.config.dir, where the value for the param is the path to the standalone/configuration directory for the server.mvn verify -Pintegration-testing -Djboss.server.config.dir=target/server/standalone/configuration -Dserver.host=https://localhost:8443README would need to be updated to reflect this. CI would also need to be updated for this. Currently there is a null pointer exception for getting the system property forDJboss.server.config.dir.