From 6c938707df47a09a8976e41b4b2aac31f134c99e Mon Sep 17 00:00:00 2001 From: Josh Date: Wed, 8 Nov 2023 14:55:45 -0800 Subject: [PATCH 01/11] add validation for keystore certificates --- .../main/java/jpl/cws/task/CwsInstaller.java | 65 ++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index f9148eb9..eb980969 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java @@ -42,6 +42,9 @@ import org.w3c.dom.*; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilder; +import java.io.FileInputStream; +import java.util.Enumeration; +import java.io.IOException; import java.io.BufferedReader; import java.io.File; @@ -49,6 +52,9 @@ import java.io.IOException; import java.io.InputStreamReader; import java.lang.Math; +import java.util.Date; +import java.text.SimpleDateFormat; +import java.util.*; import java.nio.file.Path; import java.nio.file.Paths; import java.sql.Connection; @@ -65,8 +71,14 @@ import java.util.TimeZone; import javax.naming.AuthenticationNotSupportedException; import javax.naming.AuthenticationException; -import javax.naming.NamingEnumeration; import javax.naming.NamingException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableEntryException; import javax.tools.ToolProvider; 
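Review bot: The third hunk (@@ -65) drops `import javax.naming.NamingEnumeration;` while nothing else in this commit touches the LDAP code that presumably uses that type, so unless it is no longer referenced anywhere in CwsInstaller.java the file stops compiling — I cannot see that code from here. The first two hunks add `import java.util.*;` on top of the explicit `java.util.Enumeration`, `java.util.Date` and pre-existing `java.util.TimeZone` imports, and re-add `java.io.IOException`, which the @@ -49 context line shows is already imported; keep the single-type imports and drop the wildcard and the duplicate. `CertificateException`, `KeyStoreException`, `NoSuchAlgorithmException`, `UnrecoverableEntryException` and `SimpleDateFormat` are imported but unused by this commit, since validateKeystoreTruststore() catches `Exception`; either catch those specific types there or leave the imports out.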
@@ -1766,6 +1778,9 @@ private static void validateConfig() { // Check that user provided Elasticsearch service is up and healthy warningCount += validateElasticsearch(); + // Check that keystore and truststore is valid, not expired + warningCount += validateKeystoreTruststore(); + if (installWorker && !installConsole) { // Validate the AMQ host/port for worker only installations. warningCount += validateAmqConfig(); 
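Review bot: The added comment and the method name promise that the truststore is validated too, but validateKeystoreTruststore() as added in the next hunk only opens `cws_tomcat_conf/.keystore` and never touches `cws_truststore.jks`. Either extend the check to the truststore path or make the comment match what runs: `// Check that the Tomcat .keystore loads and its certificates are not expired`. validateConfig() starts and ends outside this hunk.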
@@ -2371,6 +2386,54 @@ private static int validateElasticsearch() { } } + /** + * Validates the .keystore file in tomcat_lab. Checks for correct file name and expiration + */ + private static int validateKeystoreTruststore() { + print("checking that user provided valid .keystore file and certificate chain..."); + Path filePath; + filePath = Paths.get(cws_tomcat_conf + SEP + ".keystore"); + String keystoreFilePath = filePath.toString(); + long ONE_DAY_MS = 24 * 60 * 60 * 1000; // 24 hours + try { + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(new FileInputStream(keystoreFilePath), "changeit".toCharArray()); + Enumeration aliases = ks.aliases(); + while(aliases.hasMoreElements()) { + String keystoreRoot = (String) aliases.nextElement(); + Date expirationDate = ((X509Certificate) ks.getCertificate(keystoreRoot)).getNotAfter(); + Date currentTime = new Date(); + long daysInterval = expirationDate.getTime() - currentTime.getTime(); + long numDays = daysInterval / (ONE_DAY_MS); + if (numDays <= 0) { + print(" [WARNING]"); + print(" The Certificate Chain in Keystore '" + keystoreFilePath + "' is expired. "); + print(" Expiration Date: " + expirationDate); + print(""); + return 1; + } else if (numDays > 0 && numDays < 90) { + print(" [OK]"); + print(" NOTICE: Make sure to renew the certificates within the .keystore certificate chain soon."); + print(" Certificate(s): '" + keystoreFilePath + "' "); + print(" Expiration Date: " + expirationDate); + print(" Days Until expiration: " + numDays + " days"); + print(""); + return 0; + } else { + print(" [OK]"); + print(""); + } + } + } catch (Exception e) { + print(" [WARNING]"); + print(" The path '" + cws_tomcat_conf + SEP + "' may not contain .keystore file or holds an invalid keystore."); + print(""); + e.printStackTrace(); + return 1; + } + return 0; // OK + } + /** * Validates that some sort of time syncing service * such as NTP or chrony is running on this installation machine. 
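Review bot: The `FileInputStream` handed to `ks.load(...)` is never closed, and the `return` statements inside the `while` loop end the check at the first alias, so a keystore with several entries is only partially validated and '[OK]' is printed once per alias instead of once for the file. `ks.getCertificate(alias)` returns null for entries that are not certificates and the unconditional `(X509Certificate)` cast can throw for non-X.509 entries; both end up in the blanket `catch (Exception e)` and are reported as "may not contain .keystore file", which misleads the operator. The messages speak of the certificate chain, but only the single certificate returned by getCertificate() is examined; `ks.getCertificateChain(alias)` gives the whole chain for key entries. The rewrite below opens the stream with try-with-resources, walks every alias and every certificate in its chain, counts problems instead of returning early, and uses only the imports this commit already adds; the expired / renew-soon output lines are unchanged.
```java
private static int validateKeystoreTruststore() {
    // … unchanged: banner print, keystoreFilePath and ONE_DAY_MS setup …
    int warnings = 0;
    try (FileInputStream in = new FileInputStream(keystoreFilePath)) {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(in, "changeit".toCharArray()); // literal replaced by cws_keystore_storepass in PATCH 02
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Key entries carry a chain, trusted-cert entries a single certificate;
            // other entry kinds (secret keys) have neither and nothing that can expire.
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) {
                Certificate single = ks.getCertificate(alias);
                if (single == null) {
                    continue;
                }
                chain = new Certificate[] { single };
            }
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) {
                    continue;
                }
                Date expirationDate = ((X509Certificate) c).getNotAfter();
                long numDays = (expirationDate.getTime() - new Date().getTime()) / ONE_DAY_MS;
                if (numDays <= 0) {
                    // … unchanged: expired-certificate warning output …
                    warnings++;
                } else if (numDays < 90) {
                    // … unchanged: renew-soon notice output …
                }
            }
        }
    } catch (Exception e) {
        // … unchanged: unreadable/invalid keystore warning output …
        return 1;
    }
    if (warnings == 0) {
        print(" [OK]");
        print("");
    }
    return warnings > 0 ? 1 : 0;
}
```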
From 98aa090b4f5b55f9d69177b0167b8261ce9c1be2 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 14 Nov 2023 14:41:24 -0800 Subject: [PATCH 02/11] config setup for keystore storepass --- .../main/java/jpl/cws/task/CwsInstaller.java | 23 ++++++++++++++++++- install/installerPresets.properties | 1 + 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index eb980969..098119ec 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java @@ -179,6 +179,8 @@ public class CwsInstaller { private static String cws_shutdown_port; private static String cws_tomcat_ajp_port; + private static String cws_keystore_storepass; + private static String cws_smtp_hostname; private static String cws_smtp_port; @@ -265,6 +267,7 @@ public static void main(String args[]) { setupNotificationEmails(); setupTokenExpirationHours(); setupPorts(); + setupKeystorePassword(); setupTaskAssigmentEmails(); setupSMTP(); setupElasticsearch(); @@ -1060,6 +1063,24 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() { } + private static void setupKeystorePassword() { + cws_keystore_storepass = getPreset("default_cws_keytool_keystore_storepass"); + + if (cws_installer_mode.equals("interactive")) { + if (cws_keystore_storepass == null) { + cws_keystore_storepass = readRequiredLine("Enter the Keystore password of .keystore ", + "Must specify a Keystore password!"); + } else { + cws_keystore_storepass = readLine("Enter the Keystore password of .keystore " + + "Default is " + cws_keystore_storepass + ": ", cws_keystore_storepass); + } + } else { + if (cws_keystore_storepass == null) { + bailOutMissingOption("default_cws_keytool_keystore_storepass"); + } + } + } + private static void setupPorts() { // PROMPT USER FOR CWS WEB PORT cws_tomcat_connector_port = getPreset("cws_web_port"); 
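Review bot: In the interactive branch of setupKeystorePassword() the current keystore password is printed in clear in the prompt (`"Default is " + cws_keystore_storepass + ": "`) and the reply is read with `readLine`, which presumably echoes what is typed, so the secret lands on the terminal and in any session transcript. A password prompt should go through `System.console().readPassword(...)` (falling back to the existing reader only when there is no console) and describe the default without showing it, e.g. `"Enter the Keystore password of .keystore (press Enter to keep the preset): "`. PATCH 04 of this series replaces the method with a file-based lookup, so this only matters if that commit is not landed together with this one.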
@@ -2397,7 +2418,7 @@ private static int validateKeystoreTruststore() { long ONE_DAY_MS = 24 * 60 * 60 * 1000; // 24 hours try { KeyStore ks = KeyStore.getInstance("JKS"); - ks.load(new FileInputStream(keystoreFilePath), "changeit".toCharArray()); + ks.load(new FileInputStream(keystoreFilePath), cws_keystore_storepass.toCharArray()); Enumeration aliases = ks.aliases(); while(aliases.hasMoreElements()) { String keystoreRoot = (String) aliases.nextElement(); diff --git a/install/installerPresets.properties b/install/installerPresets.properties index e6260081..4895066b 100644 --- a/install/installerPresets.properties +++ b/install/installerPresets.properties @@ -10,6 +10,7 @@ default_amq_port=31616 default_amq_jmx_port=37099 default_cws_jmx_port=31099 default_cws_auth_scheme=LDAP +default_cws_keytool_keystore_storepass=changeit default_startup_autoregister_process_defs=false default_cws_token_expiration_hours=24 default_smtp_hostname=smtp.localhost From 526d78d4f74b896b372cbb7f0be9180aa1b23c3b Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 14 Nov 2023 14:49:03 -0800 Subject: [PATCH 03/11] keystore default in installer --- cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index 098119ec..1a2c2f5d 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java 
@@ -1068,10 +1068,10 @@ private static void setupKeystorePassword() { if (cws_installer_mode.equals("interactive")) { if (cws_keystore_storepass == null) { - cws_keystore_storepass = readRequiredLine("Enter the Keystore password of .keystore ", + cws_keystore_storepass = readRequiredLine("Enter the Keystore password of .keystore. ", "Must specify a Keystore password!"); } else { - cws_keystore_storepass = readLine("Enter the Keystore password of .keystore " + + cws_keystore_storepass = readLine("Enter the Keystore password of .keystore. " + "Default is " + cws_keystore_storepass + ": ", cws_keystore_storepass); } } else { From b2cf217c81b1c7158bff83c17c9908a30f16923a Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 19 Dec 2023 15:22:10 -0800 Subject: [PATCH 04/11] update to use store file --- .gitignore | 1 + README.md | 17 ++++---- create_server_dist.sh | 1 + .../main/java/jpl/cws/task/CwsInstaller.java | 40 ++++++++++++------- install/installerPresets.properties | 1 - 5 files changed, 38 insertions(+), 22 deletions(-) diff --git a/.gitignore b/.gitignore index d3b907a3..162dfba1 100644 --- a/.gitignore +++ b/.gitignore @@ -14,6 +14,7 @@ cws-service/src/main/resources/camunda/bpmn/*.bpmn .keystore cws_truststore.jks +.storepass cws.crt cookies.txt diff --git a/README.md b/README.md index ae4bee34..9bfe6735 100644 --- a/README.md +++ b/README.md 
@@ -34,16 +34,19 @@ See the [wiki](https://github.com/NASA-AMMOS/common-workflow-service/wiki) for m - **Logstash 8.8.0+**: Download Logstash for your platform. Uncompress it (only if it is a .tar.gz) and then ZIP back it up with the filename 'logstash-8.8.0.zip' and place in `install/logging/`. This is a temporary workaround while we clean up our installation process. You can find the zip download [here](https://www.elastic.co/downloads/logstash). - **Elasticsearch 8.8.0+**: CWS requires an externally-configured elasticsearch cluster to be set up. You can use an SSL Secure Elasticsearch with or without authentication, or an Insecure HTTP Elasticsearch. - The "Elasticsearch Setup" instruction below provides a contained Dockerized way of running Elasticsearch. This serves as an alternative to installing Elasticsearch. -- Tomcat **keystore and truststore files** (needed for CWS web console to work properly): +- Tomcat **keystore, truststore, storepass files** (needed for CWS web console to work properly): - You will need to add your own Tomcat keystore file to this path: `install/.keystore` - You will need to add your own truststore file to this path: `install/tomcat_lib/cws_truststore.jks` + - You will need to add your own .storepass file, which carries the keystore password, to this path: `install/tomcat_lib/.storepass` + - The **.storepass** file must have the read/write permission set to Owner-Only, *'600'* or *'-rw-------'* at maximum + - `chmod 600 .storepass` - See: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html - - **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon. - - For Homebrew users: - - Install OpenJDK 11 using: `brew install openjdk@11` - - Check the exact version installed using `/usr/libexec/java_home -V` - - Add to your Shell startup (e.g. .zprofile): `export JAVA_HOME=$(/usr/libexec/java_home -v X.X.X)` - - Replace the X.X.X version above with the OpenJDK 11 output from the `/usr/libexec/java_home -V` command. 
+ - **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon. + - For Homebrew users: + - Install OpenJDK 11 using: `brew install openjdk@11` + - Check the exact version installed using `/usr/libexec/java_home -V` + - Add to your Shell startup (e.g. .zprofile): `export JAVA_HOME=$(/usr/libexec/java_home -v X.X.X)` + - Replace the X.X.X version above with the OpenJDK 11 output from the `/usr/libexec/java_home -V` command. ### **Development Environment Configuration** diff --git a/create_server_dist.sh b/create_server_dist.sh index 7d03d6c2..8103b720 100755 --- a/create_server_dist.sh +++ b/create_server_dist.sh @@ -96,6 +96,7 @@ TOMCAT_CONF_DIR=${CWS_TOMCAT_ROOT}/conf print 'Installing key and trust store to Tomcat...' cp ${INSTALL_DIR}/.keystore ${CWS_TOMCAT_ROOT}/conf/.keystore cp ${INSTALL_DIR}/tomcat_lib/cws_truststore.jks ${TOMCAT_LIB_DIR} +cp ${INSTALL_DIR}/tomcat_lib/.storepass ${TOMCAT_LIB_DIR} # ___________________________________________________________________ # MAKE TOMCAT ROOT POINT TO cws-ui AND REMOVE DEFAULT TOMCAT ROOT APP diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index 1a2c2f5d..c6a27bf7 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java @@ -267,7 +267,7 @@ public static void main(String args[]) { setupNotificationEmails(); setupTokenExpirationHours(); setupPorts(); - setupKeystorePassword(); + getKeystorePassword(); setupTaskAssigmentEmails(); setupSMTP(); setupElasticsearch(); 
@@ -1063,21 +1063,33 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() { } - private static void setupKeystorePassword() { - cws_keystore_storepass = getPreset("default_cws_keytool_keystore_storepass"); - - if (cws_installer_mode.equals("interactive")) { - if (cws_keystore_storepass == null) { - cws_keystore_storepass = readRequiredLine("Enter the Keystore password of .keystore. ", - "Must specify a Keystore password!"); - } else { - cws_keystore_storepass = readLine("Enter the Keystore password of .keystore. " + - "Default is " + cws_keystore_storepass + ": ", cws_keystore_storepass); + private static void getKeystorePassword() { + Path filePath; + filePath = Paths.get(cws_tomcat_lib + SEP + ".storepass"); + String storepassFilePath = filePath.toString(); + File storepassReadFile = new File(storepassFilePath); + + boolean fileExists = storepassReadFile.exists(); + if (fileExists == true) { + if (!storepassReadFile.canRead()) { + print("ERROR: .storepass in path '" + cws_tomcat_lib + SEP + "' is NOT readable by system user."); + print(" "); + print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before continuing installation: "); + print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); + exit(1); } } else { - if (cws_keystore_storepass == null) { - bailOutMissingOption("default_cws_keytool_keystore_storepass"); - } + print("ERROR: .storepass does NOT exist in path '" + cws_tomcat_lib + SEP + "' "); + print(" "); + print("WARNING: Make sure to place .storepass in the correct path and satisfy the following Keystore/Truststore prerequisites: "); + print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); + exit(1); + } + + try { + cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim(); + } catch (IOException e) { + e.printStackTrace(); } } 
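Review bot: When `Files.readString(...)` throws, the `catch (IOException e)` only prints the stack trace and leaves `cws_keystore_storepass` null, so the installer carries on and the later `cws_keystore_storepass.toCharArray()` in validateKeystoreTruststore() fails with a NullPointerException that is reported as an invalid keystore; the same catch block survives the rewrites of this method in PATCH 05 and PATCH 07. An unreadable password file should end the run the way the exists/canRead branches above it already do. The README added in this commit requires the file to be mode 600, but nothing verifies that, so a group- or world-readable password file passes silently; a `Files.getPosixFilePermissions` check (skipped on non-POSIX filesystems) closes that gap. `Files` is not among the imports visible in this series, so confirm `java.nio.file.Files` is imported earlier in the file.
```java
// … unchanged: existence / canRead checks and their error output …

// The README requires owner-only access on the password file; enforce it instead of trusting it.
// Needs `import java.nio.file.attribute.PosixFilePermission;` (EnumSet/Collections come from java.util.*).
try {
    try {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(filePath);
        if (!Collections.disjoint(perms, EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE))) {
            print("ERROR: .storepass in path '" + cws_tomcat_lib + SEP + "' must be readable by its owner only (chmod 600).");
            exit(1);
        }
    } catch (UnsupportedOperationException ignored) {
        // non-POSIX filesystem: permission bits cannot be inspected here
    }
    cws_keystore_storepass = Files.readString(filePath).trim();
} catch (IOException e) {
    // A password we could not read must not silently stay null; the later
    // cws_keystore_storepass.toCharArray() would only surface it as a confusing NPE.
    print("ERROR: could not read .storepass in path '" + cws_tomcat_lib + SEP + "': " + e.getMessage());
    exit(1);
}
```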
diff --git a/install/installerPresets.properties b/install/installerPresets.properties index 4895066b..e6260081 100644 --- a/install/installerPresets.properties +++ b/install/installerPresets.properties @@ -10,7 +10,6 @@ default_amq_port=31616 default_amq_jmx_port=37099 default_cws_jmx_port=31099 default_cws_auth_scheme=LDAP -default_cws_keytool_keystore_storepass=changeit default_startup_autoregister_process_defs=false default_cws_token_expiration_hours=24 default_smtp_hostname=smtp.localhost From 1a6d85e154ab614d40fcb443c02dc92e8f727e74 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 9 Jan 2024 13:22:39 -0800 Subject: [PATCH 05/11] switch from storepass to .cws creds --- .github/workflows/camunda.yml | 6 ++ .github/workflows/ldap.yml | 6 ++ .gitignore | 3 +- README.md | 6 +- create_server_dist.sh | 1 - .../main/java/jpl/cws/task/CwsInstaller.java | 59 ++++++++++--------- 6 files changed, 48 insertions(+), 33 deletions(-) diff --git a/.github/workflows/camunda.yml b/.github/workflows/camunda.yml index b86a8dd7..8e33a46d 100644 --- a/.github/workflows/camunda.yml +++ b/.github/workflows/camunda.yml @@ -46,6 +46,12 @@ jobs: chmod +x generate-certs.sh ./generate-certs.sh + - name: Set up Keystore storepass + run: | + mkdir ~/.cws/ + echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds + chmod 700 ~/.cws/creds + - name: Download Logstash uses: carlosperate/download-file-action@v1 with: diff --git a/.github/workflows/ldap.yml b/.github/workflows/ldap.yml index 75e7e5ae..697e3f32 100644 --- a/.github/workflows/ldap.yml +++ b/.github/workflows/ldap.yml @@ -46,6 +46,12 @@ jobs: chmod +x generate-certs.sh ./generate-certs.sh + - name: Set up Keystore storepass + run: | + mkdir ~/.cws/ + echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds + chmod 700 ~/.cws/creds + - name: Download Logstash uses: carlosperate/download-file-action@v1 with: diff --git a/.gitignore b/.gitignore index 162dfba1..e866a95a 100644 --- a/.gitignore +++ b/.gitignore 
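Review bot: `echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds` in the camunda.yml and ldap.yml steps substitutes the secret textually into the shell script before it runs, so a password containing spaces, quotes, `$` or `#` is split, mangled or interpreted rather than written, and the file is created under the runner's default umask before `chmod` tightens it. Pass the secret through `env:` and quote the variable, and set `umask 077` so both the directory and the file are created owner-only from the start; that also makes the separate chmod lines (including the 600/700 adjustments in PATCH 11) unnecessary. The same step is repeated in camunda.yml's second job in PATCH 06 and touched again in PATCH 11, and the fix applies to each copy. `mkdir ~/.cws/` without `-p` also fails the step if the directory already exists on a self-hosted runner.
```yaml
- name: Set up Keystore storepass
  env:
    KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
  run: |
    umask 077
    mkdir -p ~/.cws
    printf '%s\n' "$KEYSTORE_PASSWORD" > ~/.cws/creds
```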
@@ -14,7 +14,6 @@ cws-service/src/main/resources/camunda/bpmn/*.bpmn .keystore cws_truststore.jks -.storepass cws.crt cookies.txt @@ -35,4 +34,4 @@ install/logging/logstash-*.zip /jacoco-reports /test-screenshots -*.cnf \ No newline at end of file +*.cnf diff --git a/README.md b/README.md index 9bfe6735..ce3b085d 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,9 @@ See the [wiki](https://github.com/NASA-AMMOS/common-workflow-service/wiki) for m - Tomcat **keystore, truststore, storepass files** (needed for CWS web console to work properly): - You will need to add your own Tomcat keystore file to this path: `install/.keystore` - You will need to add your own truststore file to this path: `install/tomcat_lib/cws_truststore.jks` - - You will need to add your own .storepass file, which carries the keystore password, to this path: `install/tomcat_lib/.storepass` - - The **.storepass** file must have the read/write permission set to Owner-Only, *'600'* or *'-rw-------'* at maximum - - `chmod 600 .storepass` + - You will need to add your own creds file, which carries the keystore password, to this path: `~/.cws/creds` + - The **~/.cws/** directory and **creds** file must have the read/write/execute permission set to Owner-Only, *'700'* or *'-rwx------'* at maximum + - `chmod 700 creds` - See: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html - **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon. - For Homebrew users: diff --git a/create_server_dist.sh b/create_server_dist.sh index 8103b720..7d03d6c2 100755 --- a/create_server_dist.sh +++ b/create_server_dist.sh 
@@ -96,7 +96,6 @@ TOMCAT_CONF_DIR=${CWS_TOMCAT_ROOT}/conf print 'Installing key and trust store to Tomcat...' cp ${INSTALL_DIR}/.keystore ${CWS_TOMCAT_ROOT}/conf/.keystore cp ${INSTALL_DIR}/tomcat_lib/cws_truststore.jks ${TOMCAT_LIB_DIR} -cp ${INSTALL_DIR}/tomcat_lib/.storepass ${TOMCAT_LIB_DIR} # ___________________________________________________________________ # MAKE TOMCAT ROOT POINT TO cws-ui AND REMOVE DEFAULT TOMCAT ROOT APP diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index c6a27bf7..56831601 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java 
@@ -1064,32 +1064,37 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() { private static void getKeystorePassword() { - Path filePath; - filePath = Paths.get(cws_tomcat_lib + SEP + ".storepass"); - String storepassFilePath = filePath.toString(); - File storepassReadFile = new File(storepassFilePath); - - boolean fileExists = storepassReadFile.exists(); - if (fileExists == true) { - if (!storepassReadFile.canRead()) { - print("ERROR: .storepass in path '" + cws_tomcat_lib + SEP + "' is NOT readable by system user."); - print(" "); - print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before continuing installation: "); - print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); - exit(1); - } - } else { - print("ERROR: .storepass does NOT exist in path '" + cws_tomcat_lib + SEP + "' "); - print(" "); - print("WARNING: Make sure to place .storepass in the correct path and satisfy the following Keystore/Truststore prerequisites: "); - print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); - exit(1); - } - - try { - cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim(); - } catch (IOException e) { - e.printStackTrace(); + cws_keystore_storepass = getPreset("default_cws_keystore_storepass"); + + if (cws_keystore_storepass == null) { + Path filePath; + filePath = Paths.get("~/.cws/creds"); + String storepassFilePath = filePath.toString(); + storepassFilePath = storepassFilePath.replaceFirst("^~", System.getProperty("user.home")); + File storepassReadFile = new File(storepassFilePath); + boolean fileExists = storepassReadFile.exists(); + + if (fileExists == true) { + if (!storepassReadFile.canRead()) { + print("ERROR: creds in path '" + "~/.cws/creds" + "' is NOT readable by system user."); + print(" "); + print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before continuing installation: "); + print(" 
https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); + exit(1); + } + } else { + print("ERROR: creds does NOT exist in path '" + "~/.cws/creds" + "' "); + print(" "); + print("WARNING: Make sure to place creds in the correct path and satisfy the following Keystore/Truststore prerequisites: "); + print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); + exit(1); + } + + try { + cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim(); + } catch (IOException e) { + e.printStackTrace(); + } } } @@ -3345,4 +3350,4 @@ private static void setPreset(String key, String value) { } } -} \ No newline at end of file +} From 1caf2558bcf55a8ec475a279c2d776186b55088c Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 9 Jan 2024 13:27:28 -0800 Subject: [PATCH 06/11] add .cws creds to advanced-test in actions --- .github/workflows/camunda.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/camunda.yml b/.github/workflows/camunda.yml index 8e33a46d..9834bce5 100644 --- a/.github/workflows/camunda.yml +++ b/.github/workflows/camunda.yml @@ -175,6 +175,12 @@ jobs: chmod +x generate-certs.sh ./generate-certs.sh + - name: Set up Keystore storepass + run: | + mkdir ~/.cws/ + echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds + chmod 700 ~/.cws/creds + - name: Download Logstash uses: carlosperate/download-file-action@v1 with: From 87a7c9cc3ec878a6fba94a5ee335550de3e99b32 Mon Sep 17 00:00:00 2001 From: Josh Date: Fri, 19 Jan 2024 12:39:26 -0800 Subject: [PATCH 07/11] update readme for cws/creds 600 and 700 --- README.md | 21 ++++--- .../main/java/jpl/cws/task/CwsInstaller.java | 61 ++++++++++--------- 2 files changed, 43 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index ce3b085d..44b44b08 100644 --- a/README.md +++ b/README.md 
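Review bot: `storepassFilePath.replaceFirst("^~", System.getProperty("user.home"))` uses the home directory as a regex replacement string, so a `$` or a backslash in it (every Windows home path) is read as a group reference or escape and either throws IllegalArgumentException or yields a wrong path; the hunk's error messages also print the literal `~/.cws/creds` rather than the path that was actually checked. Build the path with the filesystem API instead: `Path filePath = Paths.get(System.getProperty("user.home"), ".cws", "creds");`, then use `filePath` in the messages, in `new File(...)` and in `Files.readString(filePath)`. The same four lines are carried verbatim into the PATCH 07 re-indent of this method.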
@@ -34,19 +34,20 @@ See the [wiki](https://github.com/NASA-AMMOS/common-workflow-service/wiki) for m - **Logstash 8.8.0+**: Download Logstash for your platform. Uncompress it (only if it is a .tar.gz) and then ZIP back it up with the filename 'logstash-8.8.0.zip' and place in `install/logging/`. This is a temporary workaround while we clean up our installation process. You can find the zip download [here](https://www.elastic.co/downloads/logstash). - **Elasticsearch 8.8.0+**: CWS requires an externally-configured elasticsearch cluster to be set up. You can use an SSL Secure Elasticsearch with or without authentication, or an Insecure HTTP Elasticsearch. - The "Elasticsearch Setup" instruction below provides a contained Dockerized way of running Elasticsearch. This serves as an alternative to installing Elasticsearch. -- Tomcat **keystore, truststore, storepass files** (needed for CWS web console to work properly): +- Tomcat **keystore, truststore, storepass files** (needed for CWS web console to work properly). To generate an open-source **.keystore** and **cws_truststore.jks** use the script `./generate-certs.sh` [here](https://github.com/NASA-AMMOS/common-workflow-service/tree/develop/cws-certs) - You will need to add your own Tomcat keystore file to this path: `install/.keystore` - You will need to add your own truststore file to this path: `install/tomcat_lib/cws_truststore.jks` - - You will need to add your own creds file, which carries the keystore password, to this path: `~/.cws/creds` - - The **~/.cws/** directory and **creds** file must have the read/write/execute permission set to Owner-Only, *'700'* or *'-rwx------'* at maximum - - `chmod 700 creds` - See: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html - - **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon. 
- - For Homebrew users: - - Install OpenJDK 11 using: `brew install openjdk@11` - - Check the exact version installed using `/usr/libexec/java_home -V` - - Add to your Shell startup (e.g. .zprofile): `export JAVA_HOME=$(/usr/libexec/java_home -v X.X.X)` - - Replace the X.X.X version above with the OpenJDK 11 output from the `/usr/libexec/java_home -V` command. +- **Store Your Keystore Password**: You will need to add your own creds file, which carries the keystore password, to this path: `~/.cws/creds` + - Set the permissions for the **~/.cws/** directory and **creds** file as Owner-Only. + - **~/.cws/** directory: `chmod 700 ~/.cws/` + - **~/.cws/creds** file: `chmod 600 ~/.cws/creds` +- **Java 11 JDK**: CWS only runs on JDK 11 now, but planning for JDK 17 soon. + - For Homebrew users: + - Install OpenJDK 11 using: `brew install openjdk@11` + - Check the exact version installed using `/usr/libexec/java_home -V` + - Add to your Shell startup (e.g. .zprofile): `export JAVA_HOME=$(/usr/libexec/java_home -v X.X.X)` + - Replace the X.X.X version above with the OpenJDK 11 output from the `/usr/libexec/java_home -V` command. ### **Development Environment Configuration** diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index 56831601..b4f7b8c8 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java 
@@ -1064,37 +1064,40 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() { private static void getKeystorePassword() { + cws_keystore_storepass = getPreset("default_cws_keystore_storepass"); if (cws_keystore_storepass == null) { - Path filePath; - filePath = Paths.get("~/.cws/creds"); - String storepassFilePath = filePath.toString(); - storepassFilePath = storepassFilePath.replaceFirst("^~", System.getProperty("user.home")); - File storepassReadFile = new File(storepassFilePath); - boolean fileExists = storepassReadFile.exists(); - - if (fileExists == true) { - if (!storepassReadFile.canRead()) { - print("ERROR: creds in path '" + "~/.cws/creds" + "' is NOT readable by system user."); - print(" "); - print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before continuing installation: "); - print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); - exit(1); - } - } else { - print("ERROR: creds does NOT exist in path '" + "~/.cws/creds" + "' "); - print(" "); - print("WARNING: Make sure to place creds in the correct path and satisfy the following Keystore/Truststore prerequisites: "); - print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); - exit(1); - } - - try { - cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim(); - } catch (IOException e) { - e.printStackTrace(); - } + + Path filePath; + filePath = Paths.get("~/.cws/creds"); + String storepassFilePath = filePath.toString(); + storepassFilePath = storepassFilePath.replaceFirst("^~", System.getProperty("user.home")); + File storepassReadFile = new File(storepassFilePath); + boolean fileExists = storepassReadFile.exists(); + + if (fileExists == true) { + if (!storepassReadFile.canRead()) { + print("ERROR: creds in path '" + "~/.cws/creds" + "' is NOT readable by system user."); + print(" "); + print("WARNING: Read and fulfill the Keystore/Truststore prerequisites before 
continuing installation: "); + print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); + exit(1); + } + } else { + print("ERROR: creds does NOT exist in path '" + "~/.cws/creds" + "' "); + print(" "); + print("WARNING: Make sure to place creds in the correct path and satisfy the following Keystore/Truststore prerequisites: "); + print(" https://github.com/NASA-AMMOS/common-workflow-service?tab=readme-ov-file#prerequisites"); + exit(1); + } + + try { + cws_keystore_storepass = Files.readString(Paths.get(storepassFilePath)).trim(); + } catch (IOException e) { + e.printStackTrace(); + } + } } @@ -2432,7 +2435,7 @@ private static int validateKeystoreTruststore() { Path filePath; filePath = Paths.get(cws_tomcat_conf + SEP + ".keystore"); String keystoreFilePath = filePath.toString(); - long ONE_DAY_MS = 24 * 60 * 60 * 1000; // 24 hours + long ONE_DAY_MS = 24 * 60 * 60 * 1000; // 24 hours or 1 day try { KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream(keystoreFilePath), cws_keystore_storepass.toCharArray()); From 5c5b31e5263d01f1fe163e27abf319d1d8a94905 Mon Sep 17 00:00:00 2001 From: Josh Date: Fri, 19 Jan 2024 12:42:15 -0800 Subject: [PATCH 08/11] indent 1 --- cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index b4f7b8c8..93045cbb 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java 
@@ -1064,11 +1064,8 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() { private static void getKeystorePassword() { - - cws_keystore_storepass = getPreset("default_cws_keystore_storepass"); - + cws_keystore_storepass = getPreset("default_cws_keystore_storepass"); if (cws_keystore_storepass == null) { - Path filePath; filePath = Paths.get("~/.cws/creds"); String storepassFilePath = filePath.toString(); @@ -1097,7 +1094,6 @@ private static void getKeystorePassword() { } catch (IOException e) { e.printStackTrace(); } - } } From feda2355498964ed23157ec8c85a33c32c0cb440 Mon Sep 17 00:00:00 2001 From: Josh Date: Fri, 19 Jan 2024 13:49:48 -0800 Subject: [PATCH 09/11] indent 2 --- cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java | 1 + 1 file changed, 1 insertion(+) diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index 93045cbb..ab5092ac 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java @@ -1065,6 +1065,7 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() { private static void getKeystorePassword() { cws_keystore_storepass = getPreset("default_cws_keystore_storepass"); + if (cws_keystore_storepass == null) { Path filePath; filePath = Paths.get("~/.cws/creds"); From 5d9c5680731fad2465e96ee138d20ff214c65ef3 Mon Sep 17 00:00:00 2001 From: Josh Date: Tue, 30 Jan 2024 17:22:52 -0800 Subject: [PATCH 10/11] update property var: cws_keystore_storepass --- cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java index ab5092ac..bb2513e5 100644 --- a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java +++ b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java 
@@ -1064,8 +1064,8 @@ private static void setupLimitToRemoveAbandonedWorkersByDays() { private static void getKeystorePassword() { - cws_keystore_storepass = getPreset("default_cws_keystore_storepass"); - + cws_keystore_storepass = getPreset("cws_keystore_storepass"); + if (cws_keystore_storepass == null) { Path filePath; filePath = Paths.get("~/.cws/creds"); From 179cc87ca66be064209a5715cf12bd16b0a48dd3 Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 1 Feb 2024 11:35:57 -0800 Subject: [PATCH 11/11] github action /.cws/creds chmod update --- .github/workflows/camunda.yml | 6 ++++-- .github/workflows/ldap.yml | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/camunda.yml b/.github/workflows/camunda.yml index 9834bce5..89e9b7c2 100644 --- a/.github/workflows/camunda.yml +++ b/.github/workflows/camunda.yml @@ -49,8 +49,9 @@ jobs: - name: Set up Keystore storepass run: | mkdir ~/.cws/ + chmod 700 ~/.cws/ echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds - chmod 700 ~/.cws/creds + chmod 600 ~/.cws/creds - name: Download Logstash uses: carlosperate/download-file-action@v1 @@ -178,8 +179,9 @@ jobs: - name: Set up Keystore storepass run: | mkdir ~/.cws/ + chmod 700 ~/.cws/ echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds - chmod 700 ~/.cws/creds + chmod 600 ~/.cws/creds - name: Download Logstash uses: carlosperate/download-file-action@v1 diff --git a/.github/workflows/ldap.yml b/.github/workflows/ldap.yml index 697e3f32..5f3b90b7 100644 --- a/.github/workflows/ldap.yml +++ b/.github/workflows/ldap.yml @@ -49,8 +49,9 @@ jobs: - name: Set up Keystore storepass run: | mkdir ~/.cws/ + chmod 700 ~/.cws/ echo ${{ secrets.KEYSTORE_PASSWORD }} > ~/.cws/creds - chmod 700 ~/.cws/creds + chmod 600 ~/.cws/creds - name: Download Logstash uses: carlosperate/download-file-action@v1