From 87a7c9cc3ec878a6fba94a5ee335550de3e99b32 Mon Sep 17 00:00:00 2001 From: Josh Date: Fri, 19 Jan 2024 12:39:26 -0800 Subject: [PATCH] update readme for cws/creds 600 and 700 --- README.md | 21 ++++--- .../main/java/jpl/cws/task/CwsInstaller.java | 61 ++++++++++--------- 2 files changed, 43 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index ce3b085d..44b44b08 100644 --- a/README.md +++ b/README.md 
@@ -34,19 +34,20 @@ See the [wiki](https://github.com/NASA-AMMOS/common-workflow-service/wiki) for m - **Logstash 8.8.0+**: Download Logstash for your platform. Uncompress it (only if it is a .tar.gz) and then ZIP back it up with the filename 'logstash-8.8.0.zip' and place in `install/logging/`. This is a temporary workaround while we clean up our installation process. You can find the zip download [here](https://www.elastic.co/downloads/logstash). - **Elasticsearch 8.8.0+**: CWS requires an externally-configured elasticsearch cluster to be set up. You can use an SSL Secure Elasticsearch with or without authentication, or an Insecure HTTP Elasticsearch. - The "Elasticsearch Setup" instruction below provides a contained Dockerized way of running Elasticsearch. This serves as an alternative to installing Elasticsearch. -- Tomcat **keystore, truststore, storepass files** (needed for CWS web console to work properly): +- Tomcat **keystore, truststore, storepass files** (needed for CWS web console to work properly). To generate an open-source **.keystore** and **cws_truststore.jks** use the script `./generate-certs.sh` [here](https://github.com/NASA-AMMOS/common-workflow-service/tree/develop/cws-certs) - You will need to add your own Tomcat keystore file to this path: `install/.keystore` - You will need to add your own truststore file to this path: `install/tomcat_lib/cws_truststore.jks` - - You will need to add your own creds file, which carries the keystore password, to this path: `~/.cws/creds` - - The **~/.cws/** directory and **creds** file must have the read/write/execute permission set to Owner-Only, *'700'* or *'-rwx------'* at maximum - - `chmod 700 creds` - See: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html - - **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon. 
- - For Homebrew users: - - Install OpenJDK 11 using: `brew install openjdk@11` - - Check the exact version installed using `/usr/libexec/java_home -V` - - Add to your Shell startup (e.g. .zprofile): `export JAVA_HOME=$(/usr/libexec/java_home -v X.X.X)` - - Replace the X.X.X version above with the OpenJDK 11 output from the `/usr/libexec/java_home -V` command. +- **Store Your Keystore Password**: You will need to add your own creds file, which carries the keystore password, to this path: `~/.cws/creds` + - Set the permissions for the **~/.cws/** directory and **creds** file as Owner-Only. + - **~/.cws/** directory: `chmod 700 ~/.cws/` + - **~/.cws/creds** file: `chmod 600 ~/.cws/creds` +- **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon. + - For Homebrew users: + - Install OpenJDK 11 using: `brew install openjdk@11` + - Check the exact version installed using `/usr/libexec/java_home -V` + - Add to your Shell startup (e.g. .zprofile): `export JAVA_HOME=$(/usr/libexec/java_home -v X.X.X)` + - Replace the X.X.X version above with the OpenJDK 11 output from the `/usr/libexec/java_home -V` command. ### **Development Environment Configuration** diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index 56831601..b4f7b8c8 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java 
@@ -1064,37 +1064,40 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() { private static void getKeystorePassword() { + cws_keystore_storepass = getPreset("default_cws_keystore_storepass"); if (cws_keystore_storepass == null) { - Path filePath; - filePath = Paths.get("~/.cws/creds"); - String storepassFilePath = filePath.toString(); - storepassFilePath = storepassFilePath.replaceFirst("^~", System.getProperty("user.home")); - File storepassReadFile = new File(storepassFilePath); - boolean fileExists = storepassReadFile.exists(); - - if (fileExists == true) { - if (!storepassReadFile.canRead()) { - print("ERROR: creds in path '" + "~/.cws/creds" + "' is NOT readable by system user."); - print(" "); - print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before continuing installation: "); - print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); - exit(1); - } - } else { - print("ERROR: creds does NOT exist in path '" + "~/.cws/creds" + "' "); - print(" "); - print("WARNING: Make sure to place creds in the correct path and satisfy the following Keystore/Truststore prerequisites: "); - print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); - exit(1); - } - - try { - cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim(); - } catch (IOException e) { - e.printStackTrace(); - } + + Path filePath; + filePath = Paths.get("~/.cws/creds"); + String storepassFilePath = filePath.toString(); + storepassFilePath = storepassFilePath.replaceFirst("^~", System.getProperty("user.home")); + File storepassReadFile = new File(storepassFilePath); + boolean fileExists = storepassReadFile.exists(); + + if (fileExists == true) { + if (!storepassReadFile.canRead()) { + print("ERROR: creds in path '" + "~/.cws/creds" + "' is NOT readable by system user."); + print(" "); + print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before 
continuing installation: "); + print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); + exit(1); + } + } else { + print("ERROR: creds does NOT exist in path '" + "~/.cws/creds" + "' "); + print(" "); + print("WARNING: Make sure to place creds in the correct path and satisfy the following Keystore/Truststore prerequisites: "); + print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); + exit(1); + } + + try { + cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim(); + } catch (IOException e) { + e.printStackTrace(); + } + } } @@ -2432,7 +2435,7 @@ private static int validateKeystoreTruststore() { Path filePath; filePath = Paths.get(cws_tomcat_conf + SEP + ".keystore"); String keystoreFilePath = filePath.toString(); - long ONE_DAY_MS = 24 * 60 * 60 * 1000; // 24 hours + long ONE_DAY_MS = 24 * 60 * 60 * 1000; // 24 hours or 1 day try { KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream(keystoreFilePath), cws_keystore_storepass.toCharArray());
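Review bot: The `catch (IOException e)` at the end of the added block only calls `e.printStackTrace()`, so a failed read leaves `cws_keystore_storepass` null and installation continues until the later `cws_keystore_storepass.toCharArray()` in validateKeystoreTruststore (visible as context in the next hunk) dereferences it; every other failure path in this method prints an ERROR and calls `exit(1)`, and this one should match: `print("ERROR: could not read creds file '" + storepassFilePath + "': " + e.getMessage()); exit(1);`. Since the README in this same commit now requires `~/.cws/` to be 700 and `creds` to be 600, the installer could also verify that after the `canRead()` check instead of relying on the user having run chmod — e.g. read `Files.getPosixFilePermissions(Paths.get(storepassFilePath))` and refuse (or at least warn) when any `GROUP_*` or `OTHERS_*` permission is present, catching `UnsupportedOperationException` on non-POSIX file systems. Minor style: `Paths.get("~/.cws/creds")` followed by `toString()` and `replaceFirst("^~", ...)` can be written directly as `Paths.get(System.getProperty("user.home"), ".cws", "creds")`, and `if (fileExists == true)` reads better as `if (fileExists)`.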